Mailing List Archive



Re: [tlug] BSD and Linux (was:Linux and Windows {2k|Xp|Vista} Comparison)



On Sun, Oct 22, 2006 at 07:40:17AM +0900, Josh Glover wrote:
> On 22/10/06, Scott Robbins <scottro@example.com> wrote:
> 
> >Sigh, I really am not watching my words.  I just took a look at the last
> >several security updates.  A few involved patching the kernel, and that
> >might be what I was remembering, one of those where I had to rebuild
> >world because of my custom kernel.
> 
> On an intellectual level, just having a custom kernel should not
> require rebuilding world. But then again, I don't know FreeBSD well
> enough to know why it could.

	No, it doesn't.  And that is on a *practical* level.  I've had 
a custom kernel with some drivers statically compiled into the kernel
and some other drivers left out of the kernel from FreeBSD 3.x -> 5.x days.
I've never recompiled 'world' in these cases.  The situations where
I've recompiled world is when a new point release has come out (ex.
5.1 -> 5.2).   Point releases usually imply some set of APIs somewhere
changed enough that it's not a great idea to run something like a 5.2 kernel 
with a 5.1 userland. (Been there, done that, stayed up all night fixing it too.)
	Since FreeBSD 5.x has come out, the need to compile a customized
kernel in my own case has really dropped.

	I've also noticed that FreeBSD offers some form of loadable kernel
modules which, from a glance (that's all I've really done), seem to make it
possible to merely compile a module and have that added into the kernel
dynamically; however, I've not really touched this at all.

> 
> I suspect that Stephen is right: there are ways around rebuilding
> world, but that is the easiest and safest thing to do.

	Stephen is right, I believe.  However, it comes down to time...
usually the harried sysadmin's.  If you are extremely religious about
following every stinking change that happens to a release branch and its
security fixes, it is quite possible to compile only one library or
application in the FreeBSD source tree and install that and be on
your merry way until some other enterprising hacker finds yet another
security hole in software X.
	However, in my experience I am usually ignoring a set of
'security patches' since they have no relevance to my current deployment;
then something nasty like a libssl bug gets found, and then you can update
your checkout tree with the latest patches, then either:
1. Take the time to apply each security patch which means reading each
   vulnerability and procedure for how to fix it.  (This gets very old
   after try #1)
2. Recompile world and have everything updated in one shot

	With the speed of today's machines, I find option 2 always the easier
one to deal with.  Please note this is only in reference to what is in
the base distribution and I don't include anything installed from 'ports'
in this case.

Alain
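
As an added example that is not part of Alain's post or the FreeBSD project's own scripts, the update paths he contrasts (patch and rebuild a single subtree, rebuild only a custom kernel, rebuild world) written out as POSIX shell functions. It assumes the standard /usr/src layout and make targets of that era (buildkernel/installkernel, buildworld/installworld, mergemaster), an assumed kernel config named CUSTOM, and defaults to a dry run that prints each command instead of executing it:

```shell
#!/bin/sh
# Added example, not code from the thread: the FreeBSD base-system update
# paths discussed above (single subtree, custom kernel only, full world)
# as functions. Defaults to a dry run that prints each command; set
# DRY_RUN=0 on a FreeBSD box with /usr/src checked out to execute them.
# KERNCONF=CUSTOM is an assumed kernel config name.

SRC=${SRC:-/usr/src}
KERNCONF=${KERNCONF:-CUSTOM}
DRY_RUN=${DRY_RUN:-1}

# Print the command in dry-run mode, otherwise run it in a subshell so a
# failing step (or its cd) does not affect the caller.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        sh -c "$*" || return 1
    fi
}

# Option 1 from the post, step one: apply an advisory's patch to the source
# tree. $1 is the path of the downloaded patch file (assumed location).
apply_patch() {
    run "cd $SRC && patch < $1"
}

# Option 1, step two: rebuild and install only the subtree the patch
# touched. For a libssl fix that is secure/lib/libssl (and
# secure/lib/libcrypto when the fix lives there).
rebuild_subtree() {
    run "cd $SRC/$1 && make obj && make depend && make && make install"
}

# A custom kernel does not require buildworld: rebuild and install just the
# kernel, as long as kernel and userland stay on the same release branch.
rebuild_kernel() {
    run "cd $SRC && make buildkernel KERNCONF=$KERNCONF && make installkernel KERNCONF=$KERNCONF"
}

# Option 2: rebuild everything in one shot. This is the first half of the
# documented sequence; reboot (to single-user mode) before install_world.
build_world() {
    run "cd $SRC && make buildworld" && rebuild_kernel
}

# Second half, after the reboot: merge the /etc changes the new world
# needs, install userland, then merge the remaining /etc updates.
install_world() {
    run "cd $SRC && mergemaster -p" &&
    run "cd $SRC && make installworld" &&
    run "cd $SRC && mergemaster"
}

# Loadable modules mentioned in the post: load one only if it is not
# already resident (kldstat -q -m exits 0 when the module is loaded).
load_module() {
    run "kldstat -q -m $1 || kldload $1"
}

# Usage: sh update.sh rebuild_subtree secure/lib/libssl
case "${1:-}" in
    apply_patch|rebuild_subtree|rebuild_kernel|build_world|install_world|load_module) "$@" ;;
esac
```

The dry-run default is deliberate: these targets write into /boot and /usr as root, so a practitioner should read the printed sequence for the scope they actually need before re-running with DRY_RUN=0. Note that ports are untouched by all of these, matching the post's caveat.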

