OpenBSD Journal

How do you keep your systems patched up?

Contributed by mk/reverse on from the dept.

By hand 82.2% (162 votes)

Tepatche 0.5% (1 votes)

Binary Update Project 4.6% (9 votes)

Custom Scripts 9.1% (18 votes)

Other (please comment) 3.6% (7 votes)

Total votes: 197

(Comments are closed)

  1. By Ray ( on

    I always use -current. Whenever anything new comes up I just update to the next snapshot, or make a new build.

    1. By sean ( on

      That's great for home systems but for production machines tracking current may not be ideal. Take for instance the a.out to elf change over, that wasn't a pretty upgrade. Though if you had a spare drive in the machine you could mirror the current state, update with new snapshot and still have a way to fall back on what 'already works.'

      1. By Ray ( on

        Upgrading using snapshots, everything was transparent to me, including the infamous a.out->elf change. Snapshots are great—they’re like binary patches, but from the OpenBSD team.

        I don’t see what’s so difficult. I just have a -current source somewhere, NFS mount it, mergemaster to update /etc, and boot from either a floppy or bsd.rd. Done.

        1. By sean ( on

          I didn't say it was difficult. I implied it wasn't wise.

  2. By sean ( on

    AFAIK there is no clean way to back out of a binary 'patch'.

    At least with diffs it is trivial to reverse the patch and rebuild albeit longer and 'more complicated.' Feel free to enlighten me on this topic but until there is a source of binary 'patches' I can trust and a way to back out of the patch if need be I'm sticking with the 'by hand' method.

  3. By chort ( on

    By hand, which is really the only aspect of OpenBSD that I don't like. When running some slow-ass low-end hardware, it can take a significant amount of time. Worse, having to check out the source on a machine with limited disk space is annoying. Sure I could build on another system and just do an (u)date with the sets, but that's also a pain since that touches the entire system.

    I really, really wish they would integrate some option for building your own binary patches (and maybe distribute them on the FTP sites, too).

    1. By Anonymous Coward ( on

      I really enjoy compiling XF4 on a pentium 200 only to have it fail at some point .. and then starting all over again only to have it fail at another point.

  4. By gabriel ( on

    set up a tight firewall, and only care about updates when you see something about tcp stack or pf in the patch list.

  5. By almeida ( on

    I find that I only keep up with the patches for the first few months. After that, I get lazy. Maybe I'll start tracking stable for 3.6.

    1. By sean ( on

      There is this idea you have to patch everything blindly which is totally not the case. It is about mitigating risk after all. If a patch is released for a system you don't use (say Kerberos or NIS) it may just be simpler to 'chmod 0' the related binaries than incur the failure possibility.

      It takes a lot of effort to evaluate a patch. If there is any doubt it affects me I roll it out. If it's a real pain there are other methods dealing with the problems. You don't need to worry about a reliability fix for some hardware you don't own.

      Now that was a tangential post. :L

  6. By Pascal Lalonde ( on

    I use Binpatch.

    You can either download binary patches, or build them yourself by using the framework provided on the website. The amount of work required to generate a binary patch is comparable to patching by hand, except that you only need to do it once. You can then untar the binary patch everywhere else (as long as it is the same arch, of course). I've been using it since 3.1. It works great, and it doesn't try to be a wizard that does everything for you, which is something I like about it. You're still the one in control.

  7. By I.S. ( on

    more important question is ... "how can i upgrade the system from release to release?" - there is no clean way!!!


    1. By Kevin R ( on

      Um... the update script in the install disk/cd. Or do you mean by source? Because (I think) OpenBSD makes it pretty easy once you understand what's going on behind the scenes. Kevin

    2. By Paladdin ( on

      Sure there is:

      On the other hand, OpenBSD default installation policy should make it really easy to full-install a new release with no pain because it stores /var and /home in their own disklabels. Just keep an eye on /etc... :-)


Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]