Re: regarding a fresh ftp install
Captain Weenie wrote:
>
> Quick Question:
>
> after installing via ftp do I have a fresh install of
>
> Stable

No.

> or
>
> Release?

Maybe.
You either have release or a snapshot. Insufficient info.
The date on your dmesg tells all.

> If the answer is release - then - is there any way to do an install from
> scratch that will result in a 'Stable' build?
No.
There is no official distribution of -stable.
If you wish to run -stable, you have to either build it yourself or
have someone you trust build it for you. You can build it in place on
this machine, or you can build it elsewhere and transfer it.
> so I have replaced my exploited box - with a fresh ftp install of 3.2
> --- please advise my status - do I need to apply all of the errata
> currently available for 3.2 - or is it already in my install.
It is not in the 3.2-release install.
There are no 3.2-stable binaries made available.
You could also run a -snapshot, which *would* have all the errata
applied (plus more, of course).
Are you...
...Running Kerberos?
...Running sendmail with hostile users?
...Running BIND?
...Running CVS w/pserver?
...Running a system critical enough that the reliability fixes are
important?
If so, yes, you need to install the patches desired.
If not, you can run 3.2-release.
Keep in mind, the OpenBSD development goal is to have solid and secure
-releases. And for the most part, they do quite well at this for MOST
users MOST of the time (and yes, the ssh hole was an exception).
Anyone who says "Everyone should be running -stable" doesn't get it.
You want to know what -stable does? It is right there on the errata
page -- there is no magic. If you are NOT running Kerberos, having
patch 001 in place does NOTHING for you. If you are not running a
bridge with pf and scrubbing, patch 002 does nothing for you...and so
on. Considering the number of times people screw up builds...doing it
unnecessarily is questionable (I say, as I note one of my systems just
ran out of disk space during a build...)
That being said...it is not a bad idea to have some way in place to
build -stable, should a relevant security issue arise, and in all
likelihood, one will some day. Build the system, preload the source
code (as it takes time, whether you unpack from CD or fetch via
anoncvs). While you are there, doing a test compile might not be a
bad idea...and then you end up with -stable. 8-)
FAR more important than running something that says "3.2-stable" is
keeping an eye on security issues on your machine -- OpenBSD and any
apps you are running. It doesn't matter if the banner says
"3.2-stable" if the date predates a critical (for you) issue...
> ps
> a very special shout to the folks who were behind "server daily
> insecurity output" -- it proved to be timely news of ugly events. AHO!
I rather like it, too. It gives me an idea how my day will go. Fetch
the logs mail, look at the number that come through. Any missing? I
know the phone will be ringing shortly with someone griping about
their DSL line being down. 8)
Nick.
--
http://www.holland-consulting.net
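
Added example (not part of the original message and not OpenBSD project code): a small check that reads the kernel banner from the top of dmesg, extracts the flavor and build date, and lists only those errata that both affect something you run and are dated on or after the build. The errata ids, component names and dates below are constructed placeholders; real entries come from the errata page.

```python
import re
from datetime import datetime

# Kernel banner as printed at the top of dmesg, for example
# "OpenBSD 3.2-stable (GENERIC) #0: Sat Jan 11 10:02:41 EST 2003"
BANNER = re.compile(
    r"^OpenBSD (?P<ver>\d+\.\d+)(?:-(?P<flavor>stable|current|beta))? "
    r"\((?P<conf>[^)]+)\) #\d+: (?P<built>.+)$")

def parse_banner(line):
    """Return (version, flavor, build datetime) from a dmesg banner line."""
    m = BANNER.match(line.strip())
    if not m:
        raise ValueError("not an OpenBSD kernel banner: %r" % line)
    # Drop the weekday and the timezone abbreviation; strptime does not
    # parse names such as "MDT" portably.
    _dow, mon, day, clock, _tz, year = m.group("built").split()
    built = datetime.strptime(" ".join((mon, day, clock, year)),
                              "%b %d %H:%M:%S %Y")
    # A banner without a suffix cannot tell release from snapshot on its
    # own; the build date is what separates them.
    return m.group("ver"), m.group("flavor") or "release/snapshot", built

def outstanding(line, errata, in_use):
    """Ids of errata that affect a component in use and are dated on or
    after the kernel build date (same-day entries count as outstanding)."""
    _ver, _flavor, built = parse_banner(line)
    return [e["id"] for e in errata
            if e["component"] in in_use
            and datetime.strptime(e["date"], "%Y-%m-%d").date() >= built.date()]

# Constructed sample data: ids, components and dates are placeholders,
# not taken from the real errata page.
SAMPLE_ERRATA = [
    {"id": "EXAMPLE-A", "component": "kerberos", "date": "2002-11-01"},
    {"id": "EXAMPLE-B", "component": "bind", "date": "2002-11-15"},
    {"id": "EXAMPLE-C", "component": "sendmail", "date": "2003-02-01"},
]
# Constructed banners in the kernel banner layout.
RELEASE_BANNER = "OpenBSD 3.2 (GENERIC) #25: Thu Oct  3 19:51:53 MDT 2002"
STABLE_BANNER = "OpenBSD 3.2-stable (GENERIC) #0: Sat Jan 11 10:02:41 EST 2003"

if __name__ == "__main__":
    for banner in (RELEASE_BANNER, STABLE_BANNER):
        print(parse_banner(banner)[1],
              outstanding(banner, SAMPLE_ERRATA, {"bind", "sendmail"}))
```

The build date of a self-built kernel only shows when it was compiled, so the source tree must have been updated before that build for the comparison to mean anything.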