z0mbix
August 16th, 2002, 08:24
Hi all,

This is going to sound really dumb, but I've been using Linux for about two years and a few days ago converted my webserver to OpenBSD. I bought the official 3.1 CDs and am keen to find out as much as I can about OpenBSD. I've been reading about OpenBSD for about 3 months now, but one thing that I find a little confusing is what I should be doing to stay up to date with security patches etc. I have a few questions:

1. Do I have to apply every patch since the 3.1 release?

2. Are these the correct patches to use:

http://www.uk.openbsd.org/security.html#31

I know this may seem simple, but I just don't want to get it wrong and want my box to be secure before it goes back online. Loving OpenBSD :)

Thanks in advance,

Zombie

bsdjunkie
August 16th, 2002, 12:01
Most security fixes can be found on the errata page.
http://www.openbsd.org/errata.html
You can download 1 at a time or by cvs checkout of the patch branch.

I find the easiest way to keep my system updated in most cases is by anoncvs. But, my systems are not essential in a work environment and I can afford to let them compile all night :P I also like to live on the bleeding edge of -current and in many cases things get broken. (a lot)

z0mbix
August 16th, 2002, 13:53
Most security fixes can be found on the errata page.
http://www.openbsd.org/errata.html
You can download 1 at a time or by cvs checkout of the patch branch.

Thanks for the reply. I'm just running a production webserver so I'd like to stay with the stable release and just patch it when it needs to be done. Is the patch branch recommended for a stable production server? I notice a few of the patches on the errata page are from before 3.1 was released, do I still need to apply them?

frisco
August 16th, 2002, 14:11
Is the patch branch recommended for a stable production server? I notice a few of the patches on the errata page are from before 3.1 was released, do I still need to apply them?

Yes, the patch branch is recommended. Use -current if you really need to (hardware support, feature support) or if you like the experience.

You need to apply all patches if you are starting from a base src tree (like what is found on the CD). The src tree on the CD is dated at April 18, 2002 - CDs take time to make, so despite the release date being end of July, the code on the CDs is from a couple months before that.

z0mbix
August 16th, 2002, 14:19
Is the patch branch recommended for a stable production server? I notice a few of the patches on the errata page are from before 3.1 was released, do I still need to apply them?

Yes, the patch branch is recommended. Use -current if you really need to (hardware support, feature support) or if you like the experience.

You need to apply all patches if you are starting from a base src tree (like what is found on the CD). The src tree on the CD is dated at April 18, 2002 - CDs take time to make, so despite the release date being end of July, the code on the CDs is from a couple months before that.


Thanks guys, appreciate the helpful info.

So, running the patch branch is not less stable than running the CD version with all the patches applied? Also, I've just been reading up on the patch branch again and notice that you have to rebuild your kernel then rebuild the binaries. Approximately how often does this have to be done? Is it not advisable for me just to apply the patches when they arise with my current CD installation?

elmore
August 16th, 2002, 15:56
It doesn't happen all that often. Although, it does happen. 3.1, while being great, has a lot of patches released. Two of those are kernel patches.