Derek (freebsd lists)
2018-03-21 21:12:45 UTC
Hi!
I was surprised when using freebsd-update, that there was no way
to specify a patch level.
In my day to day, I need to ensure security patches are applied.
I also need to assess the impact of patches, and ensure
consistency (ie. versions) in my environments. This can take time.
Here's a story for context, please feel free to skip:
We are planning to cut our 10.3-RELEASE infrastructure over to
11.1-RELEASE before the end of the month, because it's EoL in
April. We updated and cut over our production load balancer
March 6th (and patted ourselves on the back for being ahead of
schedule), and within less than 12 hours, updated our backup load
balancers. Unfortunately, we're now on ever so slightly
different versions (-p6/-p7), and we're not affected by the -p7
problems. This makes my eye twitch slightly, especially when -p7
was the first patch of 2018.
Now we need to upgrade our application servers, that are
running our trusted code, and -p8 comes out.
I'm nervous about just applying -p8, but I definitely want to
upgrade to 11.1-RELEASE asap.
After assessing the impact of -p8 on our infrastructure, I
feel the security risk is relatively low in the short term (and
we've waited this long anyway), but I feel the probability of
introducing unintended side-effects is high, and want some time
to test and asses.
/story
It would seem to me, for repeatable environments, that binary
updates from FreeBSD that can be pinned to specific version are
highly desireable.
I've gone ahead and created a patch for my use here:
https://github.com/derekmarcotte/freebsd/commit/009015a7dda5d1f1c46f4706c222614f17fb535c
(there's a 10.3-specific one here:
https://github.com/derekmarcotte/freebsd/commit/458879f36ae984add0ff525fb6c2765fcf1fba67
)
I'd be happy to open a PR, and to iterate and improve on this
PoC, but if there's no support from the project, I'll keep it to
myself.
I guess what I'm asking is, for these reasons, is anyone willing
to work with me (in mentorship+commit bits) to add this feature
(maybe not this particular implementation) to freebsd-update?
Thanks!
Derek
I was surprised when using freebsd-update, that there was no way
to specify a patch level.
In my day to day, I need to ensure security patches are applied.
I also need to assess the impact of patches, and ensure
consistency (ie. versions) in my environments. This can take time.
Here's a story for context, please feel free to skip:
We are planning to cut our 10.3-RELEASE infrastructure over to
11.1-RELEASE before the end of the month, because it's EoL in
April. We updated and cut over our production load balancer
March 6th (and patted ourselves on the back for being ahead of
schedule), and within less than 12 hours, updated our backup load
balancers. Unfortunately, we're now on ever so slightly
different versions (-p6/-p7), and we're not affected by the -p7
problems. This makes my eye twitch slightly, especially when -p7
was the first patch of 2018.
Now we need to upgrade our application servers, that are
running our trusted code, and -p8 comes out.
I'm nervous about just applying -p8, but I definitely want to
upgrade to 11.1-RELEASE asap.
After assessing the impact of -p8 on our infrastructure, I
feel the security risk is relatively low in the short term (and
we've waited this long anyway), but I feel the probability of
introducing unintended side-effects is high, and want some time
to test and asses.
/story
It would seem to me, for repeatable environments, that binary
updates from FreeBSD that can be pinned to specific version are
highly desireable.
I've gone ahead and created a patch for my use here:
https://github.com/derekmarcotte/freebsd/commit/009015a7dda5d1f1c46f4706c222614f17fb535c
(there's a 10.3-specific one here:
https://github.com/derekmarcotte/freebsd/commit/458879f36ae984add0ff525fb6c2765fcf1fba67
)
I'd be happy to open a PR, and to iterate and improve on this
PoC, but if there's no support from the project, I'll keep it to
myself.
I guess what I'm asking is, for these reasons, is anyone willing
to work with me (in mentorship+commit bits) to add this feature
(maybe not this particular implementation) to freebsd-update?
Thanks!
Derek