# Costly buildworlds versus using the ports versions



## getopt (Jul 16, 2014)

FreeBSD releases have included some third-party software that is also available in the ports tree. Now those who prefer to build the system (we are not talking about freebsd-update here) and the ports themselves, instead of fetching binaries, have to rebuild world if a security advisory has been issued. As building and installing world is much more costly than upgrading a port, the general question is: what is the benefit of those included packages?

Take a moment and have a look at the list https://www.freebsd.org/security/advisories.html

Now identify the ports that are also available in the ports tree. Now count how often you could have saved the work rebuilding the whole operating system. And note the frequency of such events and, if you need a grin, who leads the hit list.

Just installing the port version as well will not do the job. Why? installworld installs into different directories than a port installation does, which leads to a PATH problem. If you installed the ports version, the "system version" still exists and can be used by exploits if it is not updated too.

If one prefers the ports version to the "world version", one should prevent the software from being built on `make buildworld` by adding WITHOUT options to /etc/src.conf. Having done so, you only have to take care of the ports version.

What are your thoughts/practice on this?

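The two points above (the base copy is still callable after the port is installed, and only a WITHOUT knob in /etc/src.conf keeps the next buildworld from reinstalling it) can be turned into a check. The script below is an added example, not code from the thread or from the FreeBSD project. It assumes installworld puts binaries under /usr/bin and /usr/sbin while ports use /usr/local/bin and /usr/local/sbin, and it runs against a constructed directory tree so it works on any host; the knob names WITHOUT_OPENSSL and WITHOUT_BIND are the usual src.conf(5) ones, but verify them against src.conf(5) for the release you build. Note that it inspects executables only; libraries under /usr/lib that base programs link against are outside its scope, and the knob only stops installworld from reinstalling a file, so an already installed base copy still has to be removed (see build(7) for `make delete-old`).

```shell
#!/bin/sh
# Added example, not from the thread: is a base-system copy of NAME still
# present, would it shadow the ports copy in PATH, and does src.conf carry
# the WITHOUT_* knob that stops the next buildworld from reinstalling it?
# Assumption: base binaries live in /usr/bin, /usr/sbin; ports in /usr/local.

# list_copies NAME DIR... -> prints each DIR/NAME that is executable
list_copies() {
    _n=$1; shift
    for _d in "$@"; do
        [ -x "$_d/$_n" ] && printf '%s ' "$_d/$_n"
    done
    return 0
}

# first_in_path NAME PATHSTRING -> the copy a shell would execute for NAME
first_in_path() {
    (
        IFS=:
        for _d in $2; do
            [ -x "$_d/$1" ] && { printf '%s' "$_d/$1"; exit 0; }
        done
        exit 1
    )
}

# classify NAME PATHSTRING "BASEDIRS" "PORTSDIRS" -> one word describing the state
classify() {
    _name=$1 _path=$2
    _base=$(list_copies "$_name" $3)
    _port=$(list_copies "$_name" $4)
    if [ -z "$_port" ]; then
        [ -z "$_base" ] && { echo missing; return 0; }
        echo base-only; return 0
    fi
    [ -z "$_base" ] && { echo port-only; return 0; }
    _winner=$(first_in_path "$_name" "$_path") || _winner=none
    case " $_base" in
        *" $_winner "*) echo base-shadows-port ;;  # PATH still runs the old base copy
        *) echo stale-base-copy ;;                 # port wins in PATH, base copy still callable by full path
    esac
}

# src_conf_has KNOB FILE -> 0 if FILE sets KNOB (e.g. WITHOUT_OPENSSL=yes)
src_conf_has() {
    [ -r "$2" ] && grep -Eq "^[[:space:]]*$1[[:space:]]*=" "$2"
}

# demo: a constructed tree standing in for / so this runs on any host
demo() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/usr/bin" "$root/usr/local/bin" "$root/etc"
    printf '#!/bin/sh\necho base\n' > "$root/usr/bin/openssl"        # fake base copy
    printf '#!/bin/sh\necho port\n' > "$root/usr/local/bin/openssl"  # fake port copy
    chmod +x "$root/usr/bin/openssl" "$root/usr/local/bin/openssl"
    base="$root/usr/bin $root/usr/sbin"
    port="$root/usr/local/bin $root/usr/local/sbin"
    # the stock root PATH puts /usr/bin ahead of /usr/local/bin
    p="$root/sbin:$root/bin:$root/usr/sbin:$root/usr/bin:$root/usr/local/sbin:$root/usr/local/bin"
    printf 'openssl: %s\n' "$(classify openssl "$p" "$base" "$port")"
    # once the base copy is gone, only the port remains to be patched
    rm "$root/usr/bin/openssl"
    printf 'openssl: %s\n' "$(classify openssl "$p" "$base" "$port")"
    # but it stays gone only if src.conf carries the knob for the next buildworld
    printf 'WITHOUT_OPENSSL=yes\n' > "$root/etc/src.conf"
    src_conf_has WITHOUT_OPENSSL "$root/etc/src.conf" && echo "src.conf: WITHOUT_OPENSSL set"
    src_conf_has WITHOUT_BIND "$root/etc/src.conf" || echo "src.conf: WITHOUT_BIND not set"
    rm -r "$root"
}
demo
```

Run it as root with the real directories (`classify openssl "$PATH" "/usr/bin /usr/sbin" "/usr/local/bin /usr/local/sbin"` and `src_conf_has WITHOUT_OPENSSL /etc/src.conf`) after installing a port that duplicates a base program; `base-shadows-port` means the advisory still applies to what your shell actually runs, and `stale-base-copy` means anything invoking the binary by absolute path still gets the old code.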

----------



## Uniballer (Jul 16, 2014)

I rebuild world and the kernel because trying to half-ass security problems that have fixes available doesn't suit my mindset.  If I had the port installed I would rebuild that, too.


----------



## SirDice (Jul 16, 2014)

getopt said:

> Take a moment and have a look at the list https://www.freebsd.org/security/advisories.html
> 
> Now identify the ports that are also available in the ports tree.


That would be BIND and OpenSSL. Nothing else is in the ports. BIND has already been removed from base in 10.0 and onwards. OpenSSL doesn't have that many security issues; it's only lately that OpenSSL has had several issues in short succession. Just look at the advisories for the last few years. There are usually not many of them.



> Now count how often you could have saved the work rebuilding the whole operating system. And note the frequency of such events and, if you need a grin, who leads the hit list.


As I said, only lately have several issues surfaced. The past few years you had to rebuild maybe six or seven times per year. And even those could sometimes be mitigated through other means or involve something that's not used by many people.

But this is why you build from source; if you want something quick, use a -RELEASE version and freebsd-update(8).


----------

