# How often do you update your FreeBSD machines?



## piggy (Jun 8, 2010)

I'm curious to know which machine update policy u guys apply on your FreeBSD systems.

I like the ports system, then I think it is a bit like a nightmare, considering every day there is something new to build and this needs effort and is a CPU consuming task. Not only this: often u have to reboot your machines, or just reload apps in case of desktop systems, and this really points me in the direction of a critical question: what's the point of having a very stable OS (like FreeBSD is), if u have to reboot it like every day or so because of some update u need to properly reload? And what about tons of megabytes of downloads slowing down your productivity? And what about update code compiles burning and slowing down your machine most of the time? I'm lucky enough to be on a fiber optical Internet network, then I'm still tired of downloading and compiling stuff pretty much every day to update my FreeBSD machines.

Also my new, minimal, FreeBSD gateway box every day offers me like some update, and considering I like to maintain my machines always up to date I have to take care of installing them and sometimes reboot the gateway, and this generates some Internet downtime for my LAN. I remember when I had my Red Hat 7.1 based gateway I had months of uptime before the need to download and apply updates. And that was a matter of minutes, because I always applied binary packages to it.

So what is your opinion guys? How often do u update your FreeBSD machines? What is, in your opinion, the right policy to apply related to all these updates rolling down pretty much every day from FreeBSD developers?

As a happy Windows user too, I will suggest FreeBSD developers apply a policy similar to the one Microsoft applies to support Windows: rolling down updates just once a month or so.

And BTW another welcome option could be to have a generic binary packages repository also for updates, so it will be a lot easier and less time consuming to apply all the patches and install the new needed software.

What's your opinion related to the subject?


----------



## SirDice (Jun 8, 2010)

On average about once a month. I also build all my packages in a jail so it won't interfere with my running systems. My 'downtime' is usually about 20-30 minutes.


----------



## piggy (Jun 8, 2010)

SirDice said:

> On average about once a month. I also build all my packages in a jail so it won't interfere with my running systems. My 'downtime' is usually about 20-30 minutes.


I can't see how jails can help compiling and updating packages, considering if it is running on the same main system u need to update it always consumes resources and CPU time of the jail host machine. And how can u compile tons of stuff in 20-30 minutes? And 20-30 minutes every day is a lot of time for a production machine to be down.


----------



## SirDice (Jun 8, 2010)

Who said compiling takes 20-30 minutes? Compiling all my packages takes about 2 days. 

It's the removal of the old packages and installing the new ones that takes me about 20-30 minutes. And I only do this on average about once a month. Unless there's a major security issue or some new thing I want to try.


----------



## sk8harddiefast (Jun 8, 2010)

daily!!!
And one time per month I am doing a compilation of all packages on my system.


----------



## piggy (Jun 8, 2010)

SirDice said:

> Who said compiling takes 20-30 minutes? Compiling all my packages takes about 2 days.
> It's the removal of the old packages and installing the new ones that takes me about 20-30 minutes. And I only do this on average about once a month. Unless there's a major security issue or some new thing I want to try.


I should do that too, make myself a once a month update time like Microsoft does. I was wondering whether to dedicate a jail or so to compile all the new stuff for all the machines. I'm wondering how to make them generic binaries I can use on all my machines. Any idea?


----------



## dennylin93 (Jun 8, 2010)

I usually update ports as soon as an update comes out since I don't have many ports installed on my servers. Downtime is usually only a minute or two.

As for base, I only upgrade FreeBSD when a vulnerability affects me or when there is a new version (I use RELENG_X_X). The downtime is usually less than 10 minutes.

Check out ports-mgmt/tinderbox for building packages.


----------



## SirDice (Jun 8, 2010)

piggy said:

> I'm wondering how to make them generic binaries I can use on all my machines. Any idea?


Use `# make package` or `# make package-recursive` to build packages from a port. Or use the -g option to ports-mgmt/portmaster.


----------



## vermaden (Jun 8, 2010)

piggy said:

> I'm curious to know which machine update policy u guys apply on your FreeBSD systems.
> 
> I like the ports system, then I think it is a bit like a nightmare, considering every day there is something new to build and this needs effort and is a CPU consuming task.




```
# portaudit -Fa
auditfile.tbz                                 100% of   61 kB   49 kBps
New database installed.
Affected package: curl-7.19.6_1
Type of problem: curl -- libcurl buffer overflow vulnerability.
Reference: <http://portaudit.FreeBSD.org/c8c31c41-49ed-11df-83fb-0015587e2cc1.html>

Affected package: opera-10.00.20090830
Type of problem: opera -- multiple vulnerabilities.
Reference: <http://portaudit.FreeBSD.org/6431c4db-deb4-11de-9078-0030843d3802.html>

Affected package: gd-2.0.35_1,1
Type of problem: gd -- '_gdGetColors' remote buffer overflow vulnerability.
Reference: <http://portaudit.FreeBSD.org/4e8344a3-ca52-11de-8ee8-00215c6a37bb.html>

Affected package: linux-f10-pango-1.22.3
Type of problem: pango -- integer overflow.
Reference: <http://portaudit.FreeBSD.org/4b172278-3f46-11de-becb-001cc0377035.html>

4 problem(s) in your installed packages found.

You are advised to update or deinstall the affected package(s) immediately.
```

I only have these vulnerabilities, since I use only packages and *-RELEASE branch, I used to use *-STABLE or even *-CURRENT in the past, but I do not want to mess with them any more (maybe I got too lazy ...).

I faced two bigger updates that would require me to recompile almost all ports that I have installed, graphics/png and graphics/jpeg, but I have found a method that would 'let me live' without all the needed recompiling and with the newest compiled multimedia/mplayer for example (m4v/mkv files were very buggy with the *-RELEASE version build): install BOTH libraries.

1. Deinstall the older version
2. Create package for newer version (port will be added to your packages)
3. Remove that port that has just been added on creating package
4. Add *-RELEASE version with pkg_add
5. Add compiled version with -f flag by pkg_add

I now have both old and new installed, and if some port checks for its version, it has all needed versions available, and everything works without recompiling everything.


```
% ls -1 /var/db/pkg/png*
/var/db/pkg/png-1.2.40
/var/db/pkg/png-1.4.1_1
```


```
% ls -1d /var/db/pkg/jpeg*
/var/db/pkg/jpeg-7
/var/db/pkg/jpeg-8_2
```



> Not only this: often u have to reboot your machines, or just reload apps in case of desktop systems, and this really points me in the direction of a critical question: what's the point of having a very stable OS (like FreeBSD is), if u have to reboot it like every day or so because of some update u need to properly reload?



I do not remember any DESKTOP application that would require a reboot, at MOST a drop to single user mode and back to default mode.



> So what is your opinion guys? How often do u update your FreeBSD machines? What is, in your opinion, the right policy to apply related to all these updates rolling down pretty much every day from FreeBSD developers?



Generally I treat these separately, updating the FreeBSD base system and updating the ports. For the FreeBSD base system, it's VERY easy and fast with freebsd-update; as for ports, if there are vulnerabilities in ports that are crucial to the service that this box is serving, rebuild it, You do not have any other choice.

If it's a desktop machine, and rebuilding does not take recompiling all other ports, rebuild it for the newer version; if it needs to rebuild almost everything, it's probably not worth it for the desktop, at least until You have time, or another spare box to build the needed packages.



> As a happy Windows user too, I will suggest FreeBSD developers apply a policy similar to the one Microsoft applies to support Windows: rolling down updates just once a month or so.


MICROS~1 policy is plain fusking shit, holes are unpatched for months while FreeBSD developers are able to patch a 0-day vulnerability in less than 24 hours. You are just messing PORTS (which are not dependent on the FreeBSD team, but on other developers of that software) with FreeBSD's BASE SYSTEM, which is VERY EASILY and FAST patched by freebsd-update.

Also, about reboot 'problem':


```
% uptime
12:49PM  up 22 days, 27 mins, 5 users, load averages: 0.00, 0.02, 0.00
```

If not for the power failure (it's not a server room after all), I would have about 70+ days of uptime on my workstation/desktop.
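The `portaudit -Fa` report quoted earlier in this post is plain text, so a daily cron job can parse it into one line per affected package and cross-check the count against portaudit's own summary line. The POSIX sh script below is an added example and is not code from this thread or from the portaudit port; `SAMPLE_REPORT` is constructed from the report shown above, and the `affected_names` helper that strips the version suffix is an assumption of this example, not a portaudit feature.

```shell
#!/bin/sh
# Added example (not from the thread or the portaudit port): parse a portaudit
# report into "package<TAB>problem<TAB>url" lines so a cron job can log or mail
# them and fail when action is needed.
# SAMPLE_REPORT is constructed from the report quoted in the post above; in
# practice you would pipe `portaudit -Fa` output into parse_report instead.

SAMPLE_REPORT=$(cat <<'EOF'
auditfile.tbz                                 100% of   61 kB   49 kBps
New database installed.
Affected package: curl-7.19.6_1
Type of problem: curl -- libcurl buffer overflow vulnerability.
Reference: <http://portaudit.FreeBSD.org/c8c31c41-49ed-11df-83fb-0015587e2cc1.html>

Affected package: opera-10.00.20090830
Type of problem: opera -- multiple vulnerabilities.
Reference: <http://portaudit.FreeBSD.org/6431c4db-deb4-11de-9078-0030843d3802.html>

Affected package: gd-2.0.35_1,1
Type of problem: gd -- '_gdGetColors' remote buffer overflow vulnerability.
Reference: <http://portaudit.FreeBSD.org/4e8344a3-ca52-11de-8ee8-00215c6a37bb.html>

Affected package: linux-f10-pango-1.22.3
Type of problem: pango -- integer overflow.
Reference: <http://portaudit.FreeBSD.org/4b172278-3f46-11de-becb-001cc0377035.html>

4 problem(s) in your installed packages found.

You are advised to update or deinstall the affected package(s) immediately.
EOF
)

# parse_report: read a portaudit report on stdin and emit one tab-separated
# "package<TAB>problem<TAB>url" line per finding (angle brackets stripped).
parse_report() {
    awk '
        /^Affected package: / { pkg  = substr($0, 19) }
        /^Type of problem: /  { prob = substr($0, 18) }
        /^Reference: /        { ref  = substr($0, 12); gsub(/[<>]/, "", ref)
                                printf "%s\t%s\t%s\n", pkg, prob, ref }
    '
}

# affected_packages: the findings parsed from the sample report.
affected_packages() {
    printf '%s\n' "$SAMPLE_REPORT" | parse_report
}

# affected_count: how many findings the parser actually produced.
affected_count() {
    affected_packages | wc -l | tr -d ' '
}

# summary_count: the number portaudit itself states in its closing line;
# comparing it with affected_count catches a report format change that
# would otherwise silently hide findings from the cron job.
summary_count() {
    printf '%s\n' "$SAMPLE_REPORT" |
        awk '/ problem\(s\) in your installed packages found/ { print $1 }'
}

# affected_names: package names with the trailing version stripped (assumed
# helper for feeding a rebuild list to portmaster; not a portaudit feature).
affected_names() {
    affected_packages | cut -f1 | sed 's/-[0-9][^-]*$//'
}

# When run directly: print the findings and warn if the counts disagree.
affected_packages
parsed=$(affected_count)
stated=$(summary_count)
if [ "$parsed" != "$stated" ]; then
    echo "warning: parsed $parsed findings but portaudit reported $stated" >&2
fi
```

Run from cron after `portaudit -Fa` (or with the report piped into `parse_report`); a non-zero finding count or a count mismatch is the signal to schedule the rebuild or deinstall that the report recommends.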


----------



## SirDice (Jun 8, 2010)

Uptimes are overrated. There's nothing wrong with the occasional reboot.


----------



## User23 (Jun 8, 2010)

SirDice said:

> Uptimes are overrated. There's nothing wrong with the occasional reboot.



NOOOO! 


```
4:35PM  up 698 days,  7:56, 1 user, load averages: 0.73, 0.73, 0.67
```


----------



## SirDice (Jun 8, 2010)

Which probably means you're missing one or more critical security updates. Not something I would brag about.

Again, uptimes are totally irrelevant. If you have some critical service use a hot-standby, load-balancing, cluster or any of the other HA techniques. Your server isn't important, your service is.


----------



## vermaden (Jun 8, 2010)

@SirDice

I wanted to say that if You do not need to, You do not reboot; if You need to, You do reboot, but not more often than You really need to (like after an updated kernel).

I agree that uptime, itself means not very much, even Windows machines left themselves idle will last for years ...


----------



## jgh@ (Jun 8, 2010)

User23 said:

> NOOOO!
> 
> ```
> ...
> ```



Congrats on your uptime. I'm sure your system has some security vulnerabilities that it is now prone to.


----------



## piggy (Jun 8, 2010)

User23 said:

> NOOOO!
> 
> ```
> ...
> ```


To have such an uptime u do prolly have an outdated box full of vulnerabilities :-( How can u manage to have that and to have a modern, up to date, secure system?

For me, these days, a reasonable uptime should be like 95/100 days. Usually that was the uptime of my Red Hat 7.1 gateway machine. I'm far away (for now) from getting the same from my new FreeBSD 8 based gateway.

Believe it or not, I had such an uptime in the past, I think it was like 1996/1997 with a Windows NT 4 box. I remember when it was his second birthday party I decided to update some hardware and install the SP4 service pack as a birthday present for him! It was an overall server for my little ISP business together with a Slackware 4 box used mainly for handling user accounts and as mail/usenet server. Sweet old times

PS: zero day exploits are fixed by Microsoft too right now. To be happy FreeBSD users does not mean it is needed to deep shit the Redmond company. Also because a lot of employees, especially developers in the Redmond company, do not deep shit FreeBSD at all!


----------



## ckester (Jun 9, 2010)

piggy said:

> I'm curious to know which machine update policy u guys apply on your FreeBSD systems.



My systems are for my personal use only, and I make frequent backups of my financial and other essential data, so I'm willing to take the chance that a botched upgrade will have the system down for an extended period -- or even possibly requiring a complete reinstall.  

I run 8.0-STABLE (now 8.1-PRERELEASE) and update it once a week.

I update the ports tree and installed ports daily.   I use *portmaster --list-origins* to generate a list of all installed ports, and include a copy of it on my backup disks.  So if I do need to start over I can hand that list back to portmaster and get everything reinstalled.

I'd be much more cautious if I needed these systems for my livelihood, or if others were depending on them.  Whatever policy you follow, make sure it reflects an appropriate risk assessment.


----------



## jkusniar (Jun 9, 2010)

Another way, how I do it for desktop:

freebsd-update run daily from cron, to be able to update the base system if necessary;
portsnap run monthly from cron, because after such an update it is required to rebuild a lot of ports (xorg, firefox....), a daily run would be madness.
I also run portaudit daily from cron. It reports port vulnerabilities daily and then I can upgrade a broken port manually anytime using portmaster.


----------



## anomie (Jun 9, 2010)

piggy said:

> I'm curious to know which machine update policy u guys apply on your FreeBSD systems.



I update both my base system and third-party ports _as infrequently as possible_ (while weighing threat exposure against inconvenience, of course). 

If I receive a freebsd-security mail about an issue that legitimately applies to me, I plan for weekend downtime and update the base system. If ports-mgmt/portaudit tells me about a vulnerability that legitimately applies to me, I build a new package and plan a downtime to deploy it to the appropriate jail (all my services run in jails). 



			
				piggy said:
			
		

> I can't see how jails can help compiling and updating packages considering if it is running on the same main system u need to update always consume resources and cpu time of the jail host machine.



Think about it from another perspective: building and testing packages in a separate environment (whether that environment is another physical server or jail) helps minimize the risks of upgrading ports.


----------



## ckester (Jun 9, 2010)

piggy said:

> I like the ports system, then I think it is a bit like a nightmare, considering every day there is something new to build and this needs effort and is a CPU consuming task.



All the more reason not to put it off.  The longer you wait, the more you'll have to do.

The "effort" is minimal, thanks to portsnap and portmaster.



			
				piggy said:
			
		

> Not only this: often u have to reboot your machines, or just reload apps in case of desktop systems and this really point me in the direction of a critical question: whats the point of having a very stable OS (like Freebsd is), if u have to reboot it like everyday or so becouse of some update u need to properly reload?



The only time I've had to reboot my machine -- despite updating ports daily -- is when I'm updating the OS itself.  

What ports are you using that require a reboot?  



			
				piggy said:
			
		

> And what about tons of megabytes download slowing down your productivity?



I probably download far more tonnage every day as a result of web browsing, with far more impact on my productivity.  I'm probably not the only one for whom this is true.



			
				piggy said:
			
		

> And what update code compile burning and slowing down your machine most of the time?



I haven't noticed any slowdown while updating ports, even on my relatively underpowered Intel Atom machines.  FreeBSD's scheduler does a great job.  While my ports are building, I can still play music, watch videos, browse the web, answer email, participate in a chat, etc., with no choppiness whatsoever.

But again, my machines are for my personal use only.  If I were sharing them with many many others, I would probably be more concerned about saving CPU cycles for them.   I'm not denying that system load is one of the factors that should be considered.   I just don't think it's as bad as you're making it sound.


----------



## jb_fvwm2 (Jun 9, 2010)

In another thread (within the past 7 days I think) I discovered that, say, if gettext (png, curl, jpeg, etc) bumps significantly, one can temporarily copy the older .so(s) to /usr/local/lib/compat for even-more-minimal downtime while rebuilding.  That has for the most part wholly changed the frequency and method with which I upgrade ports. (For instance I have the older gettext .so's in that location so I only upgraded most ports, more will be done when I upgrade gtk20 and maybe not all will be updated until after the next buildworld cycle.  And it will be easier to upgrade all ports after the latter; my buildworld notes now include a rebuild of all gettext ports, not necessarily all ports) (Unless some unseen consequence arises in the interim. Working great so far.)


----------



## alvaro (Feb 1, 2011)

you don't need to compile everything, use the sysutils/bsdadminscripts port and install only binary packages.


----------



## Pushrod (Feb 1, 2011)

I update whenever I need to. I used to have "acute versionitis" and update frequently, just for the hell of it.

I even leave packages with security holes running, if I know that the security hole is not an issue for me.

The OP is correct however. Updating very often just wastes CPU time, bandwidth, and most importantly, human time. If there is functionality that you need which a newer version has, or if there is a security hole that could actually affect you in a way that matters, then I'd say those would be reasons to upgrade something. I am referring to the base OS or anything in ports for that matter.


----------



## wblock@ (Feb 1, 2011)

alvaro said:

> you don't need to compile everything, use the sysutils/bsdadminscripts port and install only binary packages.



You're replying to a thread that is two years old.

I like and recommend sysutils/bsdadminscripts, but a test of pkg_upgrade several weeks ago left a system with unusable ports.  Well, packages.  It doesn't matter, building the ports fixed it.


----------



## Martillo1 (Mar 8, 2011)

Coming from ArchLinux, which is a rolling release distro, it is no effort for me to upgrade ports on a daily basis. However, I do not run servers but my personal desktop machine, so my opinion in this matter is worthless :e


----------

