On Thu, November 9, 2017 4:54 pm, Jeff wrote:
> On Thu, 9 Nov 2017 22:06:43 +0100
> "Christoph R. Murauer" <n...@nawi.is> wrote:
>
>> If I understood your question correctly ...
>>
>> > Running: OpenBSD6.2-release
>> >
>> > Goal: To run a secure and functional web server.
>> > (the server is currently up and running and used by
>> > the public at large)
>>
>> If there are security-related patches or things needed to be fixed,
>> that the package works as it should, you can simply run pkg_add -iu
>
> Thanks for your reply Christoph.
>
> Please correct me if I'm wrong, but as I understand things, this only
> works if one is following OpenBSD-current. I am running -release.
> This is an in-use production server; I don't feel wise running -current.
>
>> You can add wxallowed to an already mounted filesystem using mount(8).
>
> In theory, I don't like this; I would rather keep preventing everything
> not mapped from /usr/local from being able to have both writable and
> executable pages, even if it's only temporary.
>
>> > Is it not worth it to update ports in this way; meaning, is it better
>> > to simply wait for OpenBSD6.3 and stick with binary packages only
>> > (as recommended on the openbsd.org site)?
>>
>> That depends on your requirements. See above.
>
> My answer also depends. Ideally, I'd want to jump on any update for
> any software for which a security advisory has been issued. Also,
> I do wish to track other non-critical updates to keep the server's
> software relatively up-to-date as not to fall behind; picking up
> performance and related enhancements is a bonus. In practice,
> at least for myself and my available time, this isn't always feasible
> (e.g. the ports tree doesn't have the latest software available as a port
> and it would also be a significant time commitment to build and install
> the software from the original source and successfully integrate it into
> OpenBSD.)
>
> For example, moving to php v7.1.11 or 7.2 falls into this category
> (see: http://www.securityfocus.com/bid/101745).
> Looking at what the ports system has to do to make the php 7.0.23
> package, I'd be spending my life getting 7.2 to build and work properly
> and I feel this is better left to those with more OpenBSD porting
> experience.
>
> Some software builds and integrates from original sources more easily,
> that is, the usual:
> ./configure {reasonable options} -> make -> make install
> procedure goes off without a hitch, or at least without too many edits.
>
>> > Also, is there an easy/sane way to remove packages that were only
>> > required for building once the ports have been updated?
>>
>> A port is a package. See make clean and so on for built ports and
>> pkg_delete -a for packages. IMHO, who says that something unneeded is
>> installed? It also has no effect on the system if build deps. are
>> kept in the ports tree.
>
> I understand that the ports system first builds and packages a port,
> and then installs it.
>
> I could be doing something wrong, but it seems that some ports install
> dependencies to the system (pkg_add-style) that are required to *build*
> the package from source, but that aren't required to *run* the package
> (e.g. cmake).
>
> So, I definitely don't mind leaving the built packages in the ports
> tree, but I *do* mind leaving them installed on the system.
>

Use proot(1). It's amazing. You need space, though. I am using 2.5G to
build my personal use ports. So, nothing huge.

With dpb(1) it's a pretty automatic process to rebuild stuff.

Tim.