FreeBSD Update build howtoOne of the questions I am asked most often about FreeBSD Update is "how can I build my own updates?". Usually I've pointed people at the FreeBSD Update server source code and wished them luck; in most cases I've heard back a while later that after spending a few days trying they gave up. I'm happy to say that thanks to Jason Helfman and Experts Exchange I can now point people at a far more useful resource.
Jason was one of the first people to ask me about using the FreeBSD Update build code, and by far the most tenacious; somewhere along the line I mentioned to him that I wished I could point people towards some better documentation, and he responsed by writing a step-by-step guide to setting up FreeBSD Update builds. This is exactly the sort of documentation I think most people need, and it's exactly the sort of documentation I would never be able to write — quite aside from the fact that I'm generally useless at writing documentation, I know the freebsd-update code far too well to see pitfalls which anyone else is likely to stumble into.
The above notwithstanding, I hope this isn't going to result in a flood of people setting up their own FreeBSD Update builds. If you can use the updates built by the FreeBSD security team and distributed by the FreeBSD project, you should: In almost every case, we have those updates built before we send out advisories, hours earlier than you could possibly finish doing your own builds. Furthermore, even with Jason's documentation, setting up FreeBSD Update builds is non-trivial; and it practically requires dedicated hardware — not just for the sake of security (although that alone is a very good reason to keep builds away from any security risks) but also because the FreeBSD Update build code plays games with the system clock in order to find places where timestamps are written into FreeBSD binaries (these timestamps must be ignored when building new updates).
But for those companies which run customized or locally-patched versions of FreeBSD and want to build binary updates: Go read Jason's instructions, and I don't need to wish you quite so much luck any more.
blog comments powered by Disqus