NetBSD-Users archive


Re: a few pre-install feasability questions



Douglas A. Tutty <dtutty%vianet.ca@localhost> wrote:
> Question 1:  On a dual P-II-450, will an hour be enough build time to
> keep the system up-to-date?  I'm assuming that the build process doesn't
> have any way of pause and resume.

Normally, yes; you would just have to do a 

make cleandir dependall
make install

in the affected part's source directory after applying the patch.
This is explicitly explained in each security advisory.
Sometimes, this may take longer, if, for instance, libc or the kernel
are affected, but in general, an hour should be more than comfortable.
Furthermore, for the kernel part, you could customize the kernel
configuration such that build time reduces significantly, by throwing out
unneeded drivers. A kernel is, in general, built using

./build.sh kernel=configfile 

in the source tree's top directory. You could add "-u" (meaning "update")
here if you once built a kernel corresponding to a given configfile, so
the build system will only recompile files touched since the last compile.

Also, as you have two processors, you may want to try giving "-j n" to
both commands (make and build.sh) to make "make" use n jobs at once,
instead of a single one. Values n=3,...,5 might be sensible.

> I'm assuming that when a vulnerability is found in Firefox,
> audit-packages will alert me to the fact, then Mozilla will issue a new
> version of Firefox, then it will appear in pkg-src (current).  

In principle, yes. Particularly nice about this is that audit-packages
normally warns you about vulnerable packages even if there is not yet a
new version available. I don't think I've seen this anywhere else.
However, if you consider security absolutely critical, I would not count
too much on the underlying database being up to date, at least for the
more exotic packages.

As an example: Firefox 2.0.0.19 is still what you get when issuing
"pkg_add firefox" (with PKG_PATH pointing to a package repository;
Firefox 3 is still firefox3). This version is not supported by Mozilla
anymore, and vulnerabilities have been found in it which are not in
pkgsrc's vulnerability database (and I don't expect them to show up
anymore).

> Question 2:  To keep Firefox (and other third-party apps) up-to-date,
> will I be needing to recompile from source or just wait for a new binary
> version?  
> Question 2a: If I have to recompile Firefox, how long will it take?

In your case, at least for firefox, I would definitely go with the binary
packages approach. Sometimes it may take a while (perhaps a week or longer)
until new binaries show up, though. For checking for their availability,
you could use pkgtools/pkg_chk from pkgsrc.

PACKAGES=/pathorurl/to/binary/packages pkg_chk -qub

would tell you whether new versions of your installed packages are already
available.

> Question 3:  How often does a base security fix require rebuilding a
> large chunk of the system and how often does it require rebuilding the
> third-party apps as well.  How long does that take?
>

The base system rarely has security issues, cf. 

http://www.netbsd.org/support/security/

I don't remember any security patch that required also rebuilding binary 
packages. Even upgrading the kernel or the entire base system to a new
major version normally does not, at least for packages not too closely
tied to the system.

HTH,
Dennis
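As an added example (not part of Dennis's reply and not a NetBSD tool), a small POSIX sh wrapper around the two-step advisory procedure discussed above ("make cleandir dependall", then "make install" in the affected source directory, with "-j n" on a multi-processor box). The point it adds is ordering: "make install" runs only if the build step succeeded, so a failed build does not leave a half-updated base system. SRC_ROOT, MAKE, FAIL_ON and the function names are this example's own assumptions; the job count is derived from hw.ncpu plus one, which gives the n=3 Dennis suggests for a dual-CPU host.

```shell
#!/bin/sh
# advisory-rebuild.sh (added example, not from the original post or NetBSD)
#
# Usage: sh advisory-rebuild.sh lib/libc [jobs]
#
# Assumptions (this example's own, not NetBSD settings):
#   SRC_ROOT  top of the checked-out source tree (default /usr/src)
#   MAKE      the make(1) to run (default "make")

SRC_ROOT="${SRC_ROOT:-/usr/src}"
MAKE="${MAKE:-make}"

# jobs_for_cpus N: number of parallel make jobs for N processors.
# One more job than CPUs keeps both CPUs busy while one job waits on I/O;
# for the dual-CPU host in the thread this yields 3.
jobs_for_cpus() {
    n=$1
    [ "$n" -ge 1 ] 2>/dev/null || n=1
    echo $((n + 1))
}

# default_jobs: read the CPU count from sysctl (hw.ncpu exists on NetBSD);
# fall back to 1 CPU on systems where that sysctl is unavailable.
default_jobs() {
    jobs_for_cpus "$(sysctl -n hw.ncpu 2>/dev/null || echo 1)"
}

# rebuild_subtree SUBDIR [JOBS]: run the advisory recipe in $SRC_ROOT/SUBDIR.
# Returns 2 if the directory is missing, 1 if either make step fails.
# "make install" is only reached when "make cleandir dependall" succeeded,
# so a broken build never replaces the currently installed binaries.
rebuild_subtree() {
    sub=$1
    jobs=${2:-1}
    dir="$SRC_ROOT/$sub"
    [ -d "$dir" ] || { echo "no such source directory: $dir" >&2; return 2; }

    echo "[$(date '+%Y-%m-%d %H:%M:%S')] building $dir with $jobs job(s)"
    ( cd "$dir" && $MAKE -j "$jobs" cleandir dependall ) || {
        echo "build failed in $dir; not installing" >&2
        return 1
    }

    ( cd "$dir" && $MAKE -j "$jobs" install ) || {
        echo "install failed in $dir" >&2
        return 1
    }
    echo "[$(date '+%Y-%m-%d %H:%M:%S')] installed from $dir"
    return 0
}

# When given arguments, run the rebuild; otherwise only define the functions
# so the file can be sourced from other scripts.
if [ $# -gt 0 ]; then
    rebuild_subtree "$1" "${2:-$(default_jobs)}"
fi
```

After applying an advisory's patch, "sh advisory-rebuild.sh lib/libc" rebuilds and installs libc with the derived job count; a non-zero exit means nothing was installed (or, for the rarer install failure, the message says so), which is the check worth scripting when several machines are patched in the same hour.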


