The way I handle software updates on FreeBSD starts when I install FreeBSD. Once the OS is installed, I also install the /usr/ports/ports-mgmt/portupgrade port. This is a set of scripts that automate and simplify the user interface to the Ports system. You can read more about it and how to get it set up in the FreeBSD Handbook. Next, I use the portinstall command provided with portupgrade to install the portaudit tool. You can find information about it, too, in the FreeBSD Handbook.
Then, every time I need to update software, I follow a procedure that looks something like this:
1. Enter portsnap fetch update to update the local Ports tree snapshot.
2. Enter portaudit -Fa. The -F option fetches the current portaudit
   vulnerability database, and the -a option prints a vulnerability report
   for every installed package, listing those with known vulnerabilities.
   - If portaudit reports any vulnerabilities, open /usr/ports/UPDATING in
     a pager or text editor (I typically use less in a terminal emulator).
     Use the pager's or editor's search to find any reference to each
     vulnerable port in UPDATING entries dated on or after the last time
     you updated the system's software.
   - If a vulnerable port has special update instructions in UPDATING,
     follow them, except where they require recursively updating other
     software. In those cases, make a note of what needs to be done for
     later and hold off on following those directions for now.
   - If a vulnerable port has no entry in UPDATING, just use portupgrade
     to update that specific port normally.
3. Enter portversion -vL=. The portversion utility compares the installed
   version of each package with the version in the current Ports tree. The
   -v option turns on verbose output, and -L with = as its argument excludes
   every installed package whose status flag is = (installed version matches
   the tree), so only ports with a newer version in the Ports tree are shown
   (or, conceivably, an older one in the case of a roll-back). Packages
   flagged ? (origin no longer found in the Ports tree) or ! (versions could
   not be compared) also appear and are worth a look, since a port that has
   been dropped from the tree will not be getting security fixes.
   - Perform the same steps for any ports listed by portversion -vL= as you
     did for portaudit's output: check them against the UPDATING file,
     follow any directions, and make a note of those whose directions must
     be followed separately later because they will recursively update
     other ports.
4. Follow the directions for the ports that require recursive upgrades or
   recompiling of additional ports at this point. The reason to hold off
   until now is that, when following those directions, you will not
   inadvertently upgrade a port that itself needs the special handling
   described in UPDATING before you have had the chance to follow those
   directions.
5. Finally, if any ports are left that need updating, upgrade them all with
   portupgrade -a. The -a option tells portupgrade to operate on all
   installed packages that are not up to date.
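The UPDATING search in steps 2 and 3 is the part of this procedure most easily done wrong by hand, so here is an added example that does it mechanically. It is not part of the original post and not a portupgrade tool: given a copy of UPDATING, the date of your last update, and the port origins that portaudit or portversion flagged, it prints the date and AFFECTS line of every entry dated on or after that date whose text mentions one of those origins. The sample UPDATING file it writes is constructed for the demo (the 20090911 Perl entry is the one quoted later in this post; the 20090801 and 20090328 entries are made up), and the function name updating_entries_since is an assumption of this example.

```shell
#!/bin/sh
# Added example: filter /usr/ports/UPDATING for entries that matter to the
# ports you are about to upgrade. Assumes the entry format seen in the Perl
# entry quoted in this post: a "YYYYMMDD:" line starts each entry, followed
# by an indented "AFFECTS:" line and free text, up to the next date line.

# updating_entries_since FILE YYYYMMDD origin [origin ...]
# Prints "DATE: AFFECTS-text" for each entry dated >= YYYYMMDD whose full
# text contains any of the given origins (e.g. lang/perl5.10).
updating_entries_since() {
    _file=$1; _since=$2; shift 2
    awk -v since="$_since" -v ports="$*" '
    BEGIN { n = split(ports, want, " ") }
    # Emit the entry collected so far if it is recent enough and mentions
    # one of the wanted origins anywhere in its text. This is a substring
    # match, so pass full origins: "lang/perl5" would also hit lang/perl5.10.
    function flush(   i) {
        if (date == "" || date < since) return
        for (i = 1; i <= n; i++)
            if (index(body, want[i]) > 0) { print date ": " affects; return }
    }
    /^[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]:/ {
        flush()
        date = substr($0, 1, 8); affects = ""; body = ""
        next
    }
    /^[ \t]*AFFECTS:/ { affects = $0; sub(/^[ \t]*AFFECTS:[ \t]*/, "", affects) }
    { body = body "\n" $0 }
    END { flush() }
    ' "$_file"
}

# Constructed sample UPDATING file for the demo. Only the 20090911 entry is
# real (quoted from the post); the other two are made up for illustration.
SAMPLE_FILE=${TMPDIR:-/tmp}/updating.sample.$$
trap 'rm -f "$SAMPLE_FILE"' EXIT
cat > "$SAMPLE_FILE" <<'EOF'
20090911:
  AFFECTS: users of lang/perl5.10
  AUTHOR: (address removed)

  lang/perl5.10 has been updated to 5.10.1. You should update everything
  that depends on perl. The easiest way to do that is to use
  "perl-after-upgrade" script supplied with lang/perl5.10. Please see its
  manual page for details.

  If you want switch to lang/perl5.10 from lang/perl5.8 please follow
  instructions in the entry 20090328 in this file.

20090801:
  AFFECTS: users of www/firefox35
  AUTHOR: (constructed entry)

  Constructed sample entry: deinstall and reinstall the port.

20090328:
  AFFECTS: users of lang/perl5.8
  AUTHOR: (constructed entry)

  Constructed sample entry: how to switch from lang/perl5.8 to lang/perl5.10.
EOF

# Demo: last update on 2009-09-01, and portaudit/portversion flagged these
# two ports. Only the Perl entry is new enough and mentions one of them.
updating_entries_since "$SAMPLE_FILE" 20090901 lang/perl5.10 www/firefox35
```

Against a real tree, call updating_entries_since /usr/ports/UPDATING with your last-update date and the origins portaudit -a and portversion -vL= reported, and write the date to a stamp file each time you finish so the next run has its starting point. Lowering the date widens the net: with 20090301 the same query also returns the 20090328 entry, because its text mentions lang/perl5.10 even though its AFFECTS line does not.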
Occasionally, you may find that a port refuses to upgrade because an
earlier version is already installed. This usually means you forgot to do
something explained in /usr/ports/UPDATING, but sometimes, even after doing
all the special upgrade handling indicated there, the upgrade will fail with
an error suggesting that you uninstall and reinstall the port in question.
To do so for the Firefox 3.5 port, for instance, you could do the following:
cd /usr/ports/www/firefox35
make deinstall
make reinstall
Just to be perfectly safe, however, first make sure that the files listed in
/var/db/pkg/firefox-3.5.4,1/+CONTENTS are backed up somewhere so you can
restore them later; the simplest way is pkg_create -b firefox-3.5.4,1, which
builds a binary package from the installed files that pkg_add can put back.
Then, if for some reason the make deinstall works but the make reinstall
does not, you have a way to get your previously working copy of Firefox 3.5
back.
An example of how this works in your favor is the update of the Perl
interpreter in September of this year. Because it is a programming
language interpreter, and many basic utilities on most Linux
distributions and BSD Unix systems are written in Perl, a change to the
Perl interpreter can lead to considerable grief later on. If some
utility depends on a particular assumption of how the Perl interpreter
works that has changed with the latest update to it, the utility may
stop working.
The /usr/ports/UPDATING file had this to say about updating Perl this September:
20090911:
AFFECTS: users of lang/perl5.10
AUTHOR: [email address removed]
lang/perl5.10 has been updated to 5.10.1. You should update everything
that depends on perl. The easiest way to do that is to use
"perl-after-upgrade" script supplied with lang/perl5.10. Please see its
manual page for details.
If you want switch to lang/perl5.10 from lang/perl5.8 please follow
instructions in the entry 20090328 in this file.
Unfortunately, many OSes lack anything like FreeBSD's UPDATING notes, or
their upgrade notes are less oriented toward giving the user information
that eases the pain of updating. In some cases, such as that of MS Windows,
the only software covered by any update notes is software produced by the
vendor, and even that may be obfuscated or left incomplete, as in the case
of the Firefox vulnerability created by a software update from Microsoft
this year.