No, I'm very familiar with BSDs and make some more other things... I was just looking for someone to share his/her experience about binpatch with me. I was just afraid of doing some harm to my system (which at this time has almost 90GB of stuff - ports, settings, packages, sources, backups etc.), in fact to my setting files (I don't currently have a backup server - I'm working on one right now, tested NIS with it and planning to test also Kerberos and BIND).

Ingo Schwarze wrote:

>Hi,
>
>Gabriel George POPA wrote on Thu, Mar 16, 2006 at 05:26:01PM +0200:
>
>>4) I've heard about binpatch and I've tried to use it once
>>(I must apply some security/reliability patches here).
>>For me it's impractical to recompile the entire system
>
>You need not recompile the entire system in order to apply patches
>to a -release system. You only need to recompile those parts of
>the system actually affected by the respective patches.
>Each patch contains instructions which parts of the system
>you need to recompile in order to apply it properly.
>These instructions cite the "cd", "patch" and "make" commands
>you need to type.
>
>>(I have the power to do that, I did it a million times on FreeBSD,
>>but now I'm running a production system and I'm afraid that I should
>>spoil some settings).
>
>You need not be afraid. Compiling (official) patches on a production
>system will not spoil settings. Of course, if you would edit random
>files in /usr/src before applying the patches, you might well spoil
>things. So just refrain from doing that...
>
>[ concerning binpatch ]
>
>>I saw that you must edit a Makefile (it seems rather complicated).
>>I don't know how to edit this
>
>Usually, you need not edit the whole Makefile, but just the patch
>targets at the bottom. If translating the instructions in the
>patches into targets in the Makefile looks complicated to you,
>you should probably not be using binpatch.
>
>By the way, as far as i see,
>  http://openbsdbinpatch.sourceforge.net/Makefile.sample
>appears to be currently up-to-date. But don't rely on that.
>In any case, you ought to be able to verify the correctness of the
>Makefile before using binpatch.
>
>>(how can I learn to modify it
>
>Er, well, the Makefile is supposed to be self-documented.
>For details about the implementation of the shortcuts,
>e.g. ${_build}, read the file bsd.binpatch.mk.
>
>Note that usually, you are *much* safer applying patches
>on each individual machine using the official procedure
>supported by the OpenBSD project - in particular in case
>you don't feel at ease with make(1).
>
>I know only two good reasons why you might want to use binpatch:
> - You have a server where you cannot compile patches due to
>   lack of resources. If that is the cause for you, migrating
>   to more powerful hardware might be a safer option - note
>   that even an old PI or PII box is usually sufficient for
>   compiling patches.
> - You have so many servers that compiling on all of them
>   will take too much of your time. Clearly, anybody running
>   a large number of servers should not feel scared by using
>   basic tools like make(1) - or will be in for trouble sooner
>   or later, anyway.
>
>Yours,
>  Ingo