a few pre-install feasability questions

["Douglas A. Tutty" <dtutty%vianet.ca@localhost>]

Hello all.

I'm fairly new to the BSD world.  I've installed NetBSD and OpenBSD on
some old boxes to toy with in the past, but since they weren't on the
'net I didn't bother with upgrades.  I've been using Debian GNU/Linux on
whatever hardware will run it.

The problem is that new hardware gives my wife a headache.  My newest
computer is an HP NetServer LPr, dual P-II-450, 1 GB ram, HP NetRaid
(LSI megaraid) 1si SCSI hardware raid, two 36 GB hot-swap SCSI drives,
floppy, CD drive.

Debian has now upgraded from Etch to Lenny and the new kernel causes a
segfault on whatever process tries to read any of the status info under
/proc.  So, for the first time, it looks like I'll be putting NetBSD
into production.  I have some pre-install questions to answer since I'll
be off-line until I get it installed and ppp/mail working again
(dialup).  I have an old 486 on which I'll do an install and get
ppp/mail working on it to minimize my down time.  

I've booted with the install floppies and the drives are recognized.
I'll find out after install if amrctl works with the raid card (going by
the man page for amr, it should).  

Given our current living arrangments, I can't leave the computer
running:  I get 2-3 sessions of about an hour each per day.  

My questions primarily revolve around keeping the system up-to-date.  I
understand that for the base system, I read the security patches and
follow the directions.  They generally involve patching source and
recompiling some of the system.

Question 1:  On a dual P-II-450, will an hour be enough build time to
keep the system up-to-date?  I'm assuming that the build process doesn't
have any way of pause and resume.

For third-party apps, I understand that I can either go with
pre-compiled packages or build from source with pkg-src.  Outside of the
base system, the third-party app I'm most concerned about keeping
up-to-date (both because of its potential vulnerability and the large
size of it) is Firefox; if I can keep Firefox up-to-date, I should be
able to keep everything else up-to-date.  

Debian did things in a unique way with Firefox.  Their policy is that
new versions of software aren't put into Stable.  Firefox's security
policy is that security fixes go into new versions. Therefore, Debian
back-ported the security fixes in to the old version and distributed a
fresh binary as a security update.  (Mozilla required that Debian then
not call it Firefox, so Debian calls it Iceweasel).  

I'm assuming that when a vulnerability is found in Firefox,
audit-packages will alert me to the fact, then Mozilla will issue a new
version of Firefox, then it will appear in pkg-src (current).  

Question 2:  To keep Firefox (and other third-party apps) up-to-date,
will I be needing to recompile from source or just wait for a new binary
version?  

Question 2a: If I have to recompile Firefox, how long will it take?

Question 3:  How often does a base security fix require rebuilding a
large chunck of the system and how often does it require rebuilding the
third-party apps as well.  How long does that take?

Sorry for the newbieish questions.  

Thanks for your guidance.

Doug.