FreeBSD – OpenBSD, FreeBSD: your update philosophy

freebsd openbsd

I've used FreeBSD for about 5 years – server/desktop – and I've tended to take my apt-get/yum upgrade everything habits along with me (I admin Debian/RHEL/Cent boxes as well — I know, I know …should be more discerning regardless of platform). So it's usually a:

portsnap fetch
portsnap update
portmanager -u

For the ports

Sometimes followed by a:

freebsd-update fetch
freebsd-update install

For the system …etc. Then just clean up any messes afterwards …if they occur.

This, I realize, is a fairly excessive un-BSD way to do things. What is your philosophy for your BSD boxes? Do you run a portaudit/portversion — check output then update (make deinstall …etc) after careful consideration?

I'm fairly new to OpenBSD, I confess. I see myself cvsupping the ports tree, running the "out of date" script, then just upgrading critical ports — but leaving the kernel/binaries alone and just upgrading every six months. Do you patch/recompile/rebuild kernel, binaries — why?

What's a conservative approach for critical services (reasonably critical — this ain't no bank or hospital) on BSD boxes? Are you using a similar approach on your Linux boxes? I generally don't touch the kernel on any servers unless a security alert has stricken terror into my soul.

Yeah, there's docs and books galore — what do you people actually do? Assuming we know the basics — what's the wisdom? Use cases/environments and scenarios vary, as do the stakes/stakeholders/users. Books and man pages cover tools and uses, but lack practical application. Recommend a book if you know of one that covers it!

Thanks for reading!

Bubnoff

Conclusions ~
Thanks to everyone who took the time to answer this post. My strategy overall is now to follow the mailing lists for both BSDs and be more selective/discerning with updating than I have been in the past.

FreeBSD ~
Portaudit is a good answer. With the mailing lists and diligent audits, I think this will serve well here. It's interesting the different emphasis on ports between OpenBSD versus FreeBSD.

OpenBSD ~
Will follow the mailing list and use the package tools (pkg_info and pkg_add -u) where deemed critical. Upgrades: Looks like you need to upgrade at least once a year. They support the newest release plus one back – so right now it's 4.8 and 4.7.

Thanks again.

Best Answer

Make sure you check your installed ports for vulnerable packages every so often: portaudit -Fda
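
One way to turn that audit into a short "update only these" list, as an added example that is not part of the original answer: it condenses a portaudit report to one line per affected package, so only those ports need attention. It assumes the report uses "Affected package:" lines; the helper names and the sample report are constructed for illustration.

```sh
#!/bin/sh
# Added example: reduce a portaudit report to the packages that need updating.
# Assumption: each finding starts with an "Affected package: <name>-<version>" line.

# Constructed sample report (not real advisories), used when portaudit is absent.
sample_report() {
cat <<'EOF'
Affected package: examplepkg-1.2.3
Type of problem: examplepkg -- constructed sample issue.
Reference: <http://example.invalid/constructed-1.html>

Affected package: otherpkg-4.0_1
Type of problem: otherpkg -- constructed sample issue.
Reference: <http://example.invalid/constructed-2.html>

Affected package: examplepkg-1.2.3
Type of problem: examplepkg -- second constructed issue.
Reference: <http://example.invalid/constructed-3.html>

3 problem(s) in your installed packages found.
EOF
}

# Print "<package> <number of findings>" once per affected package, in report order.
affected_packages() {
    awk -F': ' '
        /^Affected package: / {
            if (!($2 in seen)) { seen[$2] = 1; order[++n] = $2 }
            count[$2]++
        }
        END { for (i = 1; i <= n; i++) printf "%s %d\n", order[i], count[order[i]] }
    '
}

# Strip the finding count and the trailing "-<version>" to get bare package names.
package_names() {
    sed 's/ [0-9]*$//; s/-[^-]*$//'
}

# Use the real audit where the tool exists, otherwise the constructed sample.
if command -v portaudit >/dev/null 2>&1; then
    portaudit -Fda | affected_packages
else
    sample_report | affected_packages
fi
```

An empty result means nothing installed matched the audit database, so a routine run can be left alone rather than triggering a blanket upgrade.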