On Thu, 9 Nov 2017 22:06:43 +0100 "Christoph R. Murauer" <n...@nawi.is> wrote:
> If I understood your question correctly ...
>
> > Running: OpenBSD6.2-release
> >
> > Goal: To run a secure and functional web server.
> > (the server is currently up and running and used by
> > the public at large)
>
> If there are security related patches or things needed to be fixed,
> that the package works as it should, you can simply run pkg_add -iu

Thanks for your reply, Christoph. Please correct me if I'm wrong, but as I understand things, this only works if one is following OpenBSD-current. I am running -release. This is an in-use production server; I don't feel wise running -current.

> You can add wxallowed to an already mounted filesystem using mount(8).

In theory, I don't like this; I would rather keep preventing everything not mapped from /usr/local from being able to have both writable and executable pages, even if it's only temporary.

> > Is it not worth it to update ports in this way; meaning, is it better
> > to simply wait for OpenBSD6.3 and stick with binary packages only
> > (as recommended on the openbsd.org site)?
>
> That depends on your requirements. See above.

My answer also depends. Ideally, I'd want to jump on any update for any software for which a security advisory has been issued. Also, I do wish to track other non-critical updates to keep the server's software relatively up-to-date so as not to fall behind; picking up performance and related enhancements is a bonus.

In practice, at least for myself and my available time, this isn't always feasible (e.g. the ports tree doesn't have the latest software available as a port and it would also be a significant time commitment to build and install the software from the original source and successfully integrate it into OpenBSD). For example, moving to php v7.1.11 or 7.2 falls into this category (see: http://www.securityfocus.com/bid/101745).

Looking at what the ports system has to do to make the php 7.0.23 package, I'd be spending my life getting 7.2 to build and work properly and I feel this is better left to those with more OpenBSD porting experience. Some software builds and integrates from original sources more easily, that is, the usual: ./configure {reasonable options} -> make -> make install procedure goes off without a hitch, or at least without too many edits.

> > Also, is there an easy/sane way to remove packages that were only
> > required for building once the ports have been updated?
>
> A port is a package. See make clean and so on for built ports and
> pkg_delete -a for packages. IMHO, who says that something unneeded is
> installed? It also has no effect on the system if build deps. are
> kept in the ports tree.

I understand that the ports system first builds and packages a port, and then installs it. I could be doing something wrong, but it seems that some ports install dependencies to the system (pkg_add-style) that are required to *build* the package from source, but that aren't required to *run* the package (e.g. cmake). So, I definitely don't mind leaving the built packages in the ports tree, but I *do* mind leaving them installed on the system.

--
Jeff <j...@grayspace.ca>