HardenedBSD/UPDATING
2000-08-13 02:19:13 +00:00

Updating Information for FreeBSD current users
This file is maintained by imp@village.org. Please send new entries
directly to him. See end of file for further details. For commonly
done items, please see the end of the file. Search for 'COMMON
ITEMS:'
20000812:
suidperl is now always built and installed on the system, but
with permissions of 511. If you have applications that use
this program, you are now required to add ENABLE_SUIDPERL=true
to /etc/make.conf. If you forget to do this,
chmod 4511 /usr/bin/suidperl
will fix this until the next build.
20000812:
sendmail has been updated from 8.9.3 to 8.11.0. Some of the more
visible changes that may immediately affect your configuration
include:
- New default file locations from src/contrib/sendmail/cf/README
- newaliases limited to root and trusted users
- MSA port (587) turned on by default
- New queue file naming system so can't go from 8.11 -> 8.9
- FEATURE(`rbl') renamed to FEATURE(`dnsbl')
- FEATURE(`nullclient') is more full featured
- FEATURE(`nouucp') requires an argument: `reject' or `nospecial'
- mail.local FreeBSD-only -b option changed to -B
- See src/contrib/sendmail/RELEASE_NOTES for more info
20000810:
suidperl (aka sperl) is no longer built by default. You must
specifically define BUILD_SUIDPERL to "true" for it to be built.
Furthermore, we recommend that you remove /usr/bin/sperl* and
/usr/bin/suidperl files from your system unless you have a
specific use for it.
20000729:
Networking defaults have been tightened. Anybody upgrading
/etc/defaults/rc.conf needs to add the following lines to
/etc/rc.conf if they want to have the same setup
afterwards (unless the variables already are set, of course):
# Enable network daemons for user convenience.
inetd_enable="YES"
portmap_enable="YES"
sendmail_enable="YES"
20000728:
If you have null_load="YES" in your /boot/loader.conf, you
will need to change that to nullfs_load="YES".
20000728:
The "installkernel" target has changed slightly. Now even if
you override KERNEL e.g. 'make installkernel KERNEL=MYKERNEL'
it will install the MYKERNEL file (built with the buildkernel
target) as /kernel rather than /MYKERNEL. Those who have
updated their /boot/loader.conf files to point to /MYKERNEL
should remove that entry or perform a manual rename of /kernel
to /MYKERNEL.
20000711:
If you use CVSUP or CTM to get CVS trees, AND you used to get
the old crypto files from internat.freebsd.org AND you check
out files from the CVS tree with the cvs command, please read
http://people.freebsd.org/~imp/internat.txt
for details on potential problems that you might have and how
to get around them.
If you are merely a mirror, or don't answer yes to each of the
clauses above, you needn't worry.
20000711:
/etc/security has been updated to print the inode number of
setuid programs that have changed. You will see a large spike
in the number of changed programs the first time you run
mergemaster to get a new /etc/security.
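The effect of the 20000711 entry above, as an added sketch that is not the /etc/security script itself: it snapshots setuid files with and without the inode number, swaps one file for a same-size, same-mode replacement, and counts what each snapshot style reports, including the one-time spike when an old snapshot is diffed against the new format. The function names, file names and temporary tree are assumptions constructed for the example.

```shell
#!/bin/sh
# Added sketch; setuid_snapshot, changed_count and demo are hypothetical names,
# not functions from FreeBSD's /etc/security.

# Print one record per setuid/setgid file under $1: path mode owner group size,
# plus the inode number when $2 is "inode".
setuid_snapshot() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -exec ls -lid {} + |
    awk -v want="$2" '{
        # ls -lid columns: inode mode links owner group size date... path
        rec = $NF " " $2 " " $4 " " $5 " " $6
        if (want == "inode") rec = rec " " $1
        print rec
    }' | sort
}

# Number of records in snapshot $2 that are new or differ from snapshot $1.
changed_count() {
    diff "$1" "$2" | awk '/^>/ { n++ } END { print n + 0 }'
}

# Constructed scenario: two setuid files, one swapped for a same-size,
# same-mode replacement (new inode). Prints three counts: changes seen
# without inodes, changes seen with inodes, and the "spike" when an old
# no-inode snapshot is diffed against a new inode snapshot.
demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/bin"
    printf 'original\n' > "$d/bin/suidperl"
    printf 'untouched\n' > "$d/bin/other"
    chmod 4511 "$d/bin/suidperl" "$d/bin/other"
    setuid_snapshot "$d/bin" > "$d/old.plain"
    setuid_snapshot "$d/bin" inode > "$d/old.inode"

    printf 'replaced\n' > "$d/bin/suidperl.new"   # same length as the original
    chmod 4511 "$d/bin/suidperl.new"
    mv -f "$d/bin/suidperl.new" "$d/bin/suidperl"
    setuid_snapshot "$d/bin" > "$d/new.plain"
    setuid_snapshot "$d/bin" inode > "$d/new.inode"

    echo "$(changed_count "$d/old.plain" "$d/new.plain")" \
         "$(changed_count "$d/old.inode" "$d/new.inode")" \
         "$(changed_count "$d/old.plain" "$d/new.inode")"
    rm -rf "$d"
}

demo
```

The records deliberately leave out timestamps so that the inode is the only field that exposes the replacement.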
20000710:
/dev/random now has good entropy collection (from the keyboard
and sysmouse drivers). Please ensure that either `options
RANDOMDEV' is present in your kernel config file or that
`randomdev_load="YES"' is in your /boot/loader.conf. If you do
not have the /dev/random driver, OpenSSL (and consequently
lots of crypto tools (like SSH)) will fail with strange
errors. (see below, 20000624).
FreeBSD-current is safe again to run Crypto.
20000709:
phk made the malloc default options AJ. This may slow things
down and uncover other latent bugs in the code. If you need to
run at full speed, you can disable this by doing the following:
ln -s aj /etc/malloc.conf
20000706:
libftpio's version was accidentally bumped a few days ago. This
has been corrected. You may need to remove /usr/lib/libftpio.so.6
before doing your next buildworld/installworld pair. It certainly
won't hurt to remove it before the update procedure. It will
break fetch until a new one is built, but ftp can be used in the
interim if needed.
20000705:
The crypto packages have changed for the cvsup. This has been done
in a backward compatible way, but the old packages will go away at
some point in the future. Look at /usr/share/examples/cvsup for
details.
20000704:
With the new sys/modules/sound/drivers/*, you will need to
set SYSDIR until you do an installworld after July 7th.
20000704:
rc.shutdown and rc will now call the rc.d scripts with start
or stop. This may cause some harmless warnings from older
rc.d scripts that haven't been updated.
20000630:
The libfetch based version of fetch has gone into the tree.
Minor problems may result on some of the less popular sites,
which should be reported to des@freebsd.org.
20000625:
From approximately this date forward, one must have the crypto
system installed in order to build the system and kernel.
While not technically strictly true, one should treat it as
required and grab the crypto bits. If you are grabbing CVS
trees, src-all and cvs-crypto should be treated as if they
were required. You should check with the latest collections
to make sure that these haven't changed.
20000624:
Mark Murray just committed the first parts of a cleanup of
/dev/zero, et al. This is also cleaning up /dev/random.
The entropy is disconnected, so DO NOT USE VERSIONS OF FREEBSD
-CURRENT FROM THIS POINT FORWARD for cryptographic services
until Mark can merge in the fixes to this work in progress.
openssh and openssl should not be used to generate keys from this
date to the completion of the work.
If you must operate at this reduced level of security, add
'options RANDOMDEV' to your kernel or modload the randomdev
module. You may also need to copy a new MAKEDEV to /dev and
recreate the random and urandom devices.
20000622:
The license on the softupdates is now a standard 2 clause
BSD license. You may need to remove your symbolic links
that used to be required when updating.
20000621:
Scott Flatman <sf@aracnet.com> sent in a decent writeup on
the config file update procedure.
http://people.freebsd.org/~imp/config-upd.html
NOTE: LINT is gone. It has been replaced with NOTES. NOTES
isn't buildable.
20000620:
Binutils 2.10 have hit the tree, or will shortly. As soon
as they do, the problem noted in 20000522 will be resolved and
that workaround will no longer be required.
20000615:
phk removed the compatibility creation of wd devices in the
ad driver. If you haven't done so already, you must update
your fstab, etc to use the ad devices instead of the wd
devices.
In addition, you'll need to update your boot blocks to a
more modern version, if you haven't already done so. Modern
here means 4.0 release or newer (although older releases
may work).
20000612:
Peter took an axe to config(8). Be sure that you read his mail
on the topic before even thinking about updating. You will
need to create a /boot/device.hints or add a hints directive
to your config file to compile them in statically. The format
of the config file has changed as well. Please see GENERIC or
NEWCARD for examples of the new format.
20000522:
A new set of binutils went into the tree today. Anybody
building a kernel after this point is advised that they need
to rebuild their binutils (or better yet do a
buildworld/installworld) before building a new kernel.
Due to bugs in binutils, using malloc options (eg /etc/malloc.conf
or MALLOC_OPTIONS env var) J will cause ld to dump core. It
is recommended that you don't set this option until the problem
is resolved.
20000513:
The ethernet drivers were all updated to clean up the BPF handling.
20000510:
The problems with boot blocks on the alphas have been corrected.
This will require some care in updating alphas. A new libstand
is required for the boot blocks to build properly.
20000503:
Recompile all kld modules. Proper version dependency info
is now available.
20000502:
Modules have been disconnected from the buildworld tree and
connected to the kernel building instead.
2000427:
You may need to build gperf
cd /usr/src/gnu/usr.bin/gperf && make depend all install
when upgrading from 4.0 -> current. The build system now uses
an option only in -current.
20000417:
The method that we brand ELF binaries has changed to be more
acceptable to the binutils maintainers. You will need to
rebrand your ELF binaries that aren't native. One problem
binary is the Linux ldconfig. After your make world, but
before you reboot, you'll need to issue:
brandelf -t Linux /compat/linux/sbin/ldconfig
if you have Linux compatibility enabled on your machine.
20000320:
If you have really bad/marginal IDE drives, you may find they
don't work well. Use pio mode instead. The easiest way to
cope if you have a problem combination is to add:
/sbin/sysctl -w hw.atamodes=pio,pio,pio,pio
to the start of /etc/rc.conf.
20000319:
The ISA and PCI compatibility shims have been connected to the
options COMPAT_OLDISA and COMPAT_OLDPCI. If you are using old
style PCI or ISA drivers (i.e. tx, voxware, etc.) you must
include the appropriate option in your kernel config. Drivers
using the shims should be updated or they won't ship with
5.0-RELEASE, targeted for 2001.
20000318:
We've entered the traditional post release dumping party.
Large kernel changes are being committed and are in the
works. It is important to keep the systems' klds and kernel
in sync as kernel interfaces and structures are changing.
Before reporting kernel panics, make sure that all modules
that you are loading are up to date.
20000315:
If you are upgrading from an older version of FreeBSD, you
need to update your boot blocks as well. 'disklabel -B ad0'
will do the trick. This isn't critical until you remove your
wd device entries in /dev, at which point your system will not
boot.
20000315:
4.0 RELEASE shipped. Please see the 4.0 UPDATING file for how
to upgrade to 4.0 from 3.x.
COMMON ITEMS:
To build a kernel
-----------------
If you are updating from a prior version of FreeBSD (even one just
a few days old), you should follow this procedure. With a
/usr/obj tree with a fresh buildworld,
make buildkernel KERNEL=YOUR_KERNEL_HERE
make installkernel KERNEL=YOUR_KERNEL_HERE
To just build a kernel when you know that it won't mess you up
--------------------------------------------------------------
cd src/sys/{i386,alpha}/conf
config KERNEL_NAME_HERE [1]
cd ../../compile/KERNEL_NAME_HERE
make depend
make
make install
[1] If in doubt, -r might help here.
If this fails, go to the "To build a kernel" section.
To rebuild everything and install it on the current system.
-----------------------------------------------------------
make world
To upgrade from 4.x-stable to current
-------------------------------------
make buildworld
make buildkernel KERNEL=YOUR_KERNEL_HERE
make installkernel KERNEL=YOUR_KERNEL_HERE
make installworld
[1]
<reboot>
Make sure that you've read the UPDATING file to understand
the tweaks to various things you need. At this point in the
life cycle of current, things change often and you are on
your own to cope.
Also, if you are tracking -current, you must be subscribed to
freebsd-current@freebsd.org. Make sure that before you update
your sources that you have read and understood all the recent
messages there. If in doubt, please track -stable which has
far fewer pitfalls.
[1] If you have third party modules, such as vmware, you
should disable them at this point so they don't crash your
system on reboot.
FORMAT:
This file contains a list, in reverse chronological order, of major
breakages in tracking -current. Not all things will be listed here,
and it only starts on March 15, 2000. Updating files can be found in
previous releases if your system is older than this.
Please filter your entries through Warner Losh (imp@village.org) so
that the style, formatting, etc of this file can be maintained.
$FreeBSD$