BSDCan2019 - 1.8

BSDCan 2019
The Technical BSD Conference

Speakers: Antoine Jacoutot
Schedule
Day: Talks #2 - 18 May - 2019-05-18
Room: DMS 1120
Start time: 13:30
Duration: 01:00
Info
ID: 1038
Event type: Lecture
Track: Hacking
Language used for presentation: English

syspatch(8)

The Boring Healing Potion

While installing and upgrading OpenBSD releases has always been a breeze, keeping a stable installation up-to-date with security and reliability patches required fetching and applying cvs(1) diffs, then building a new release which had to be deployed on every maintained system.

In this talk I will introduce a somewhat recent system utility: syspatch(8). It is used to fetch, verify, install and revert OpenBSD "binary" patches.

I will also describe the patch building process, which is completely privilege-separated, and explain how and why several parts of the build system had to be changed.

At OpenBSD we believe that doing full builds for each patch is the proper way to go, even though it takes more time and effort. Indeed, an important thing for building patches is deterministic builds. That is especially true if the patch tarballs aren't built on the system where the original release was created.

Another challenge is static binaries. These need to be re-linked every time we patch a library that's a dependency, so if you don't do a full build all the time, you have to keep a list of these binaries and manually force a rebuild of them, which is error-prone.