mirror of
https://git.hardenedbsd.org/hardenedbsd/HardenedBSD.git
synced 2024-11-24 09:13:37 +01:00
Updating Information for FreeBSD current users

This file is maintained by imp@village.org. Please send new entries
directly to him. See end of file for further details. For commonly
done items, please see the end of the file. Search for 'COMMON
ITEMS:'

20000812:
	suidperl is now always built and installed on the system, but
	with permissions of 511. If you have applications that use
	this program, you are now required to add ENABLE_SUIDPERL=true
	to /etc/make.conf. If you forget to do this,
		chmod 4511 /usr/bin/suidperl
	will fix this until the next build.

20000812:
	sendmail has been updated from 8.9.3 to 8.11.0. Some of the more
	visible changes that may immediately affect your configuration
	include:
	- New default file locations from src/contrib/sendmail/cf/README
	- newaliases limited to root and trusted users
	- MSA port (587) turned on by default
	- New queue file naming system so can't go from 8.11 -> 8.9
	- FEATURE(`rbl') renamed to FEATURE(`dnsbl')
	- FEATURE(`nullclient') is more full featured
	- FEATURE(`nouucp') requires an argument: `reject' or `nospecial'
	- mail.local FreeBSD-only -b option changed to -B
	- See src/contrib/sendmail/RELEASE_NOTES for more info

20000810:
	suidperl (aka sperl) is no longer built by default. You must
	specifically define BUILD_SUIDPERL to "true" for it to be built.
	Furthermore, we recommend that you remove /usr/bin/sperl* and
	/usr/bin/suidperl files from your system unless you have a
	specific use for it.

20000729:
	Networking defaults have been tightened. Anybody upgrading
	/etc/defaults/rc.conf needs to add the following lines to
	/etc/rc.conf if they want to have the same setup
	afterwards (unless the variables already are set, of course):
		# Enable network daemons for user convenience.
		inetd_enable="YES"
		portmap_enable="YES"
		sendmail_enable="YES"

20000728:
	If you have null_load="YES" in your /boot/loader.conf, you
	will need to change that to nullfs_load="YES".

20000728:
	The "installkernel" target has changed slightly. Now even if
	you override KERNEL e.g. 'make installkernel KERNEL=MYKERNEL'
	it will install the MYKERNEL file (built with the buildkernel
	target) as /kernel rather than /MYKERNEL. Those who have
	updated their /boot/loader.conf files to point to /MYKERNEL
	should remove that entry or perform a manual rename of /kernel
	to /MYKERNEL.

20000711:
	If you use CVSUP or CTM to get CVS trees, AND you used to get
	the old crypto files from internat.freebsd.org AND you check
	out files from the CVS tree with the cvs command, please read
		http://people.freebsd.org/~imp/internat.txt
	for details on potential problems that you might have and how
	to get around them.

	If you are merely a mirror, or don't answer yes to each of the
	clauses above, you needn't worry.

20000711:
	/etc/security has been updated to print the inode number of
	setuid programs that have changed. You will see a large spike
	in the number of changed programs the first time you run
	mergemaster to get a new /etc/security.

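Why the 20000711 /etc/security change produces that first-run spike, and what the inode column catches afterwards, shown as an added example (not code from /etc/security or the FreeBSD tree). The listings, inode numbers and function names are constructed for illustration, and paths are assumed to contain no whitespace.

```shell
#!/bin/sh
# Added example with constructed data; not the real /etc/security script.
# Each record describes one setuid file; the path is the last field.

# Print the paths whose record is new or differs between two listings.
changed_paths() {
    awk 'NR == FNR { old[$NF] = $0; next }
         !($NF in old) || old[$NF] != $0 { print $NF }' "$1" "$2" | sort
}

# Constructed listing in the old format: no inode column.
old_format() {
    cat <<'EOF'
-r-sr-xr-x 1 root wheel 24576 Jul  1 2000 /usr/bin/passwd
-r-sr-xr-x 1 root wheel 16384 Jul  1 2000 /usr/bin/su
-r-sr-xr-x 1 root wheel 32768 Jul  1 2000 /usr/bin/login
EOF
}

# The same files in the new format: inode number in the first column.
new_format() {
    cat <<'EOF'
8123 -r-sr-xr-x 1 root wheel 24576 Jul  1 2000 /usr/bin/passwd
8124 -r-sr-xr-x 1 root wheel 16384 Jul  1 2000 /usr/bin/su
8125 -r-sr-xr-x 1 root wheel 32768 Jul  1 2000 /usr/bin/login
EOF
}

# Next day: su replaced by a file with identical mode, size and date.
new_format_replaced() {
    new_format | sed 's/^8124 /9001 /'
}

demo() {
    tmp=$(mktemp -d) || return 1
    old_format > "$tmp/old"; new_format > "$tmp/new"
    new_format_replaced > "$tmp/next"
    echo "first run after the format change (every record differs):"
    changed_paths "$tmp/old" "$tmp/new"
    echo "later run, one file replaced (only the inode differs):"
    changed_paths "$tmp/new" "$tmp/next"
    rm -rf "$tmp"
}
demo
```

The first comparison flags all three files because the record format changed, not the files; the second flags only the replaced binary, which a listing without the inode column would have reported as unchanged.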
20000710:
	/dev/random now has good entropy collection (from the keyboard
	and sysmouse drivers). Please ensure that either `options
	RANDOMDEV' is present in your kernel config file or that
	`randomdev_load="YES"' is in your /boot/loader.conf. If you do
	not have the /dev/random driver, OpenSSL (and consequently
	lots of crypto tools (like SSH)) will fail with strange
	errors. (see below, 20000624).

	FreeBSD-current is safe again to run Crypto.

20000709:
	phk made the malloc default options AJ. This may slow things
	down and uncover other latent bugs in the code. If you need to
	run at full speed, you can disable this by doing the following:
		ln -s aj /etc/malloc.conf

20000706:
	libftpio's version was accidentally bumped a few days ago. This
	has been corrected. You may need to remove /usr/lib/libftpio.so.6
	before doing your next buildworld/installworld pair. It certainly
	won't hurt to remove it before the update procedure. It will
	break fetch until a new one is built, but ftp can be used in the
	interim if needed.

20000705:
	The crypto packages have changed for the cvsup. This has been done
	in a backward compatible way, but the old packages will go away at
	some point in the future. Look at /usr/share/examples/cvsup for
	details.

20000704:
	With the new sys/modules/sound/drivers/*, you will need to
	set SYSDIR until you do an installworld after July 7th.

20000704:
	rc.shutdown and rc will now call the rc.d scripts with start
	or stop. This may cause some harmless warnings from older
	rc.d scripts that haven't been updated.

20000630:
	The libfetch based version of fetch has gone into the tree.
	Minor problems may result on some of the less popular sites,
	which should be reported to des@freebsd.org.

20000625:
	From approximately this date forward, one must have the crypto
	system installed in order to build the system and kernel.
	While not technically strictly true, one should treat it as
	required and grab the crypto bits. If you are grabbing CVS
	trees, src-all and cvs-crypto should be treated as if they
	were required. You should check with the latest collections
	to make sure that these haven't changed.

20000624:
	Mark Murray just committed the first parts of a cleanup of
	/dev/zero, et al. This is also cleaning up /dev/random.
	The entropy is disconnected, so DO NOT USE VERSIONS OF FREEBSD
	-CURRENT FROM THIS POINT FORWARD for cryptographic services
	until Mark can merge in the fixes to this work in progress.
	openssh and openssl should not be used to generate keys from this
	date to the completion of the work.

	If you must operate at this reduced level of security, add
	'options RANDOMDEV' to your kernel or modload the randomdev
	module. You may also need to copy a new MAKEDEV to /dev and
	recreate the random and urandom devices.

20000622:
	The license on the softupdates is now a standard 2 clause
	BSD license. You may need to remove your symbolic links
	that used to be required when updating.

20000621:
	Scott Flatman <sf@aracnet.com> sent in a decent writeup on
	the config file update procedure.
		http://people.freebsd.org/~imp/config-upd.html
	NOTE: LINT is gone. It has been replaced with NOTES. NOTES
	isn't buildable.

20000620:
	Binutils 2.10 have hit the tree, or will shortly. As soon
	as they do, the problem noted in 20000522 will be resolved and
	that workaround will no longer be required.

20000615:
	phk removed the compatibility creation of wd devices in the
	ad driver. If you haven't done so already, you must update
	your fstab, etc to use the ad devices instead of the wd
	devices.

	In addition, you'll need to update your boot blocks to a
	more modern version, if you haven't already done so. Modern
	here means 4.0 release or newer (although older releases
	may work).

20000612:
	Peter took an axe to config(8). Be sure that you read his mail
	on the topic before even thinking about updating. You will
	need to create a /boot/device.hints or add a hints directive
	to your config file to compile them in statically. The format
	of the config file has changed as well. Please see GENERIC or
	NEWCARD for examples of the new format.

20000522:
	A new set of binutils went into the tree today. Anybody
	building a kernel after this point is advised that they need
	to rebuild their binutils (or better yet do a
	buildworld/installworld) before building a new kernel.

	Due to bugs in binutils, using malloc options (eg /etc/malloc.conf
	or MALLOC_OPTIONS env var) J will cause ld to dump core. It
	is recommended that you don't set this option until the problem
	is resolved.

20000513:
	The ethernet drivers were all updated to clean up the BPF handling.

20000510:
	The problems with boot blocks on the alphas have been corrected.
	This will require some care in updating alphas. A new libstand
	is required for the boot blocks to build properly.

20000503:
	Recompile all kld modules. Proper version dependency info
	is now available.

20000502:
	Modules have been disconnected from the buildworld tree and
	connected to the kernel building instead.

2000427:
	You may need to build gperf
		cd /usr/src/gnu/usr.bin/gperf && make depend all install
	when upgrading from 4.0 -> current. The build system now uses
	an option only in -current.

20000417:
	The method that we brand ELF binaries has changed to be more
	acceptable to the binutils maintainers. You will need to
	rebrand your ELF binaries that aren't native. One problem
	binary is the Linux ldconfig. After your make world, but
	before you reboot, you'll need to issue:
		brandelf -t Linux /compat/linux/sbin/ldconfig
	if you have Linux compatibility enabled on your machine.

20000320:
	If you have really bad/marginal IDE drives, you may find they
	don't work well. Use pio mode instead. The easiest way to
	cope if you have a problem combination is to add:
		/sbin/sysctl -w hw.atamodes=pio,pio,pio,pio
	to the start of /etc/rc.conf.

20000319:
	The ISA and PCI compatibility shims have been connected to the
	options COMPAT_OLDISA and COMPAT_OLDPCI. If you are using old
	style PCI or ISA drivers (i.e. tx, voxware, etc.) you must
	include the appropriate option in your kernel config. Drivers
	using the shims should be updated or they won't ship with
	5.0-RELEASE, targeted for 2001.

20000318:
	We've entered the traditional post release dumping party.
	Large kernel changes are being committed and are in the
	works. It is important to keep the systems' klds and kernel
	in sync as kernel interfaces and structures are changing.
	Before reporting kernel panics, make sure that all modules
	that you are loading are up to date.

20000315:
	If you are upgrading from an older version of FreeBSD, you
	need to update your boot blocks as well. 'disklabel -B ad0'
	will do the trick. This isn't critical until you remove your
	wd device entries in /dev, at which point your system will not
	boot.

20000315:
	4.0 RELEASE shipped. Please see the 4.0 UPDATING file for how
	to upgrade to 4.0 from 3.x.

COMMON ITEMS:

	To build a kernel
	-----------------
	If you are updating from a prior version of FreeBSD (even one just
	a few days old), you should follow this procedure. With a
	/usr/obj tree with a fresh buildworld,
	make buildkernel KERNEL=YOUR_KERNEL_HERE
	make installkernel KERNEL=YOUR_KERNEL_HERE

	To just build a kernel when you know that it won't mess you up
	--------------------------------------------------------------
	cd src/sys/{i386,alpha}/conf
	config KERNEL_NAME_HERE			[1]
	cd ../../compile/KERNEL_NAME_HERE
	make depend
	make
	make install

	[1] If in doubt, -r might help here.

	If this fails, go to the "To build a kernel" section.

	To rebuild everything and install it on the current system.
	-----------------------------------------------------------
	make world

	To upgrade from 4.x-stable to current
	-------------------------------------
	make buildworld
	make buildkernel KERNEL=YOUR_KERNEL_HERE
	make installkernel KERNEL=YOUR_KERNEL_HERE
	make installworld
	[1]
	<reboot>

	Make sure that you've read the UPDATING file to understand
	the tweaks to various things you need. At this point in the
	life cycle of current, things change often and you are on
	your own to cope.

	Also, if you are tracking -current, you must be subscribed to
	freebsd-current@freebsd.org. Make sure that before you update
	your sources that you have read and understood all the recent
	messages there. If in doubt, please track -stable which has
	far fewer pitfalls.

	[1] If you have third party modules, such as vmware, you
	should disable them at this point so they don't crash your
	system on reboot.

FORMAT:

This file contains a list, in reverse chronological order, of major
breakages in tracking -current. Not all things will be listed here,
and it only starts on March 15, 2000. Updating files can be found in
previous releases if your system is older than this.

Please filter your entries through Warner Losh (imp@village.org) so
that the style, formatting, etc of this file can be maintained.

$FreeBSD$