One major difference that I found between Linux and FreeBSD || How frequently do you install updates ?

After moving from Arch Linux to FreeBSD 13.0-RELEASE-p7 one major difference that I found was the fact that under all Linux distros there is only one update mechanism which updates both the base and user land packages. For example under Debian/Ubuntu you need to run only sudo apt update && sudo apt upgrade -y and that's it. Both the base and user installed packages are updated. But under FreeBSD there's freebsd-update fetch install for the base and pkg update && pkg upgrade for the user installed packages.

I know it sounds crazy but I run freebsd-update fetch install and pkg update && pkg upgrade everyday without a miss.

So I am curious. How frequently do you install updates ?
Also why these 2 separate ways ? Why not only 1 command for the base and userland ?
 
So I am curious. How frequently do you install updates ?
Sign up for the freebsd-announce mailing list. Then you'll get notified if there are patches for the base OS. If there are no patches there's no reason to run freebsd-update(8).

As for packages, keep an eye on pkg-audit(8). With the quarterly packages (set as default) there's not really a reason to update unless pkg-audit(8) complains about something. Do at least a package upgrade once every three months when the quarterly repositories are updated.
 
SirDice
Okay I will sign up for the freebsd-announce mailing lists.

But I don't understand the every three months policy. Within this short period of using FreeBSD I have received new updates after 15 days. I didn't note down the exact package names but I have received new package updates in 15 days.
 
under all Linux distros there is only one update mechanism which updates both the base and user land packages.
There is no "base" in Linux. Linux is just a kernel, calling a whole OS "Linux" is sloppy, but commonplace. As a consequence you need a "distribution" to use "Linux", and these distributions use the same packaging for any software component (including Linux, the kernel, itself).
I know it sounds crazy but I run freebsd-update fetch install and pkg update && pkg upgrade everyday without a miss.
For base: You can check the status on the FreeBSD homepage or read the -announce mailing list. I only update base when I see there's an SA or EN affecting my system.

For packages: It depends very much on what you use. With "latest" packages, you'll have upgrades all the time, with "quarterly" you'll only get security updates. Checking every day *might* make sense, it just depends...
Also why these 2 separate ways ? Why not only 1 command for the base and userland ?
This distinction is wrong, it's "base and 3rd-party". Base is a complete OS, consisting of kernel and userland.

Base follows a release management scheme, with supported releases that just receive security updates and fixes for severe bugs.

Ports/Packages in FreeBSD are "rolling release", you can continuously follow their current state or use quarterly snapshots that only get updated for security fixes etc.
 
As for packages, keep an eye on pkg-audit(8).
This is what I am getting

Code:
# pkg audit
p7zip-16.02_3 is vulnerable:
  p7zip -- usage of uninitialized memory
  CVE: CVE-2018-10115
  WWW: https://vuxml.FreeBSD.org/freebsd/942fff11-5ac4-11ec-89ea-c85b76ce9b5a.html

1 problem(s) in 1 installed package(s) found.

What should I do ?
 
under all Linux distros there is only one update mechanism which updates both the base and user land packages
because there is no "base" for linux. Linux is a kernel - nothing more, which is the reason why linux has/needs "distros" in the first place. Everything besides the kernel (even the default C library!) is up to the maintainers of a distro to cobble together and that's also why most things feel quite 'hacky' and inconsistent compared to FreeBSD, which is a complete, orchestrated and fully featured OS ('base') which can be extended by additional (3rd party) software from ports/packages. Both (base / 3rd party) are also cleanly separated with everything* that isn't part of the OS usually going to /usr
The base os is always updated via freebsd-update, all additional and manually installed software is either updated via pkg or by rebuilding the port(s). This is IMHO much more convenient and sane as you always have a consistent and working base OS (as long as you are following one of the official branches and don't custom build the base system) and then can add whatever you like (pkg) even with your own options (ports).

Regarding the question about update frequencies:
It depends.
On a system that isn't critical and/or accessible to the outside world (or anyone else but me), I usually follow quarterly and update pkgs every once in a while and the base system whenever I feel the urge to do that (or the running release goes/went EOL).
For critical/edge systems that are publicly accessible or used/accessible by many people, one should follow at least the security mailing list and act whenever there is something that might affect those systems.
For both this can lead to either having to update several times in one week or you don't need to update for multiple weeks or months at all.
 
What should I do ?
Uninstall it. It's deprecated and has been removed from the ports tree already.

Code:
DEPRECATED=	Unmaintained for years and has known vulnerabilities
EXPIRATION_DATE=2022-01-01
 
It's a fairly low volume mailing list. You only get official announcements about new versions, security/errata issues and other important notifications.
 
What should I do ?
In general: Check whether there's an update. If there's none, either uninstall it or wait for an update (your decision). Of course, for a deprecated package, just uninstall it.

BTW, this clear distinction between base and ports is a huge benefit for me, it enables something I can't have with any Linux dist: A rock-solid and well-tested base system going through release engineering (like e.g. Debian's "stable" does), combined with "bleeding-edge" third-party software. I wrote a text about my reasons to use FreeBSD quite some time ago: https://sekrit.de/webdocs/freebsd/advocacy.html
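
Added example (not part of any post in this thread): a small sh/awk filter that turns `pkg audit` output in the format quoted above into one line per advisory, so each flagged package can be checked for an update or removed. The function names, the second sample entry and the assumption that one package can list several advisories are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise `pkg audit` output, one line per advisory:
#   <name-version>|<CVEs or ->|<VuXML URL>

# Constructed sample. The first entry is the output quoted in the thread; the
# second (no CVE line, placeholder URL) is made up to exercise that case.
sample_audit() {
cat <<'EOF'
p7zip-16.02_3 is vulnerable:
  p7zip -- usage of uninitialized memory
  CVE: CVE-2018-10115
  WWW: https://vuxml.FreeBSD.org/freebsd/942fff11-5ac4-11ec-89ea-c85b76ce9b5a.html

examplepkg-1.0 is vulnerable:
  examplepkg -- constructed entry without a CVE
  WWW: https://vuxml.example.invalid/placeholder.html

2 problem(s) in 2 installed package(s) found.
EOF
}

# Reads audit text on stdin, writes the summary on stdout.
summarise_audit() {
    awk '
        / is vulnerable:$/ { pkg = $1; cves = ""; next }
        pkg != "" && $1 == "CVE:" { cves = (cves == "" ? "" : cves ",") $2; next }
        pkg != "" && $1 == "WWW:" {
            print pkg "|" (cves == "" ? "-" : cves) "|" $2
            cves = ""       # assumed: a package may list several advisories
            next
        }
    '
}

# Returns 1 when anything is vulnerable, so cron or a wrapper can alert.
audit_gate() {
    report=$(summarise_audit)
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# On a FreeBSD host: pkg audit -F | audit_gate
# Offline demonstration on the constructed sample:
sample_audit | summarise_audit
```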
 
For me it's one of the top main reasons why I use FreeBSD:
NO AUTOMATIC UPDATES by default

I really hate it when unasked windows eventually pop up, telling you every day, every second day, sometimes more often "new updates are available" and then keep nagging you until you've installed them (with reboot) or just reboot all by themselves; always extremely important, very urgent and always security issues..."if you do not install this update immediately your computer will die a horrific death!" - and very likely something is changed in the look and feel, or your settings are reset to default... because patches, updates and upgrades are wildly mixed up.
One cannot imagine how I hate that.

FreeBSD is very flexible and extremely modular, I decide, what I want, when I want it, how I want it.

The second benefit of FreeBSD against Linux is:
Installation/updates are not only very easy, either by ports or pkg, but it works!
So many times I've tried to install something under Linux...always the same:
...grind...grind....grind...grind...Warning - Warning - Warning - Error - Error - Error - Aborted. :rude:

And then there are different packaging tools depending on what Linux... in fact that's what a Linux distro is primarily all about:
Which packaging tool you're using.

Do not underestimate the next point:
Under FreeBSD I also can downgrade.
There are situations where for whatever reason the new version is not working properly, or something else is not working anymore....
On other systems you'll just face the decision: wait for other updates (and hope it will work then) or do a complete new reinstallation of your complete system - except the package you did not want updated 😤
(okay, I admit: I wasted way too much time with Windows... 😂)
On FreeBSD I just say: downgrade, and I can stick with my old versions until there are better (or all) updates.
Because FreeBSD seeks to have consistent versions of system and packages.
Under Linux I often have the feeling there are many different vast mobs of anarchists and anybody does what he likes, when he's in the mood, or not - chaos!

However, one may discuss what software needs to be updated and who wants to stay with an obsolete version, or even what obsolete is.
In my opinion anything with an internet connection needs to always be at the newest version available, but for the rest: keep your touchy fingers off my stuff!
For example for some purposes I use xfig. A great tool. No updates since... 1873 a.D. ..? Doesn't matter. It's perfect the way it is, has no internet connection, so what do I need updates for?
But however one sees it, under FreeBSD after all it is not only my responsibility what happens on my machine, but it's also my decision.

I am the master over my slave the machine. Not vice versa!

Sorry for becoming a bit off topic, but I'm always a little bit worried when people compare FreeBSD with other systems, and of course this wasn't the actual point here, but I just wanted to emphasize:
"Don't try to change FreeBSD into some kind of another Linux. Let it be as it is!"
 
I really hate it when unasked windows eventually pop up, telling you every day, every second day, sometimes more often "new updates are available" and then keep nagging you until you've installed them
There are some distros which have implemented automatic updates. Automatic updates in these distros don't only mean notifications. If I remember correctly you can configure Ubuntu to download and install security updates automatically which I never enabled.

But the notifications about availability of new updates are something I actually like. They help lazy users who don't check for updates in a timely manner maintain their systems.

GhostBSD has this feature.
 
Talking about automation, there's another thing that's IMHO very relevant:

Many "Linux" package managers attempt to automatically restart services/daemons on upgrades. FreeBSD's pkg tool does nothing like that. And IMHO, that's a good thing, you don't want a service to go down "whenever". It's your job as an administrator to restart services as appropriate.
 
That's what the daily/weekly (security) run outputs are for. You should adjust them to your needs and forward mail to root to a monitored mailbox to keep track of those outputs.
In the daily security email you can find these for example:
Code:
Checking for packages with security vulnerabilities:
Database fetched: Sat Feb 19 03:31:57 UTC 2022
mariadb104-server-10.4.22
mariadb104-client-10.4.22
(Don't worry I have since updated, this is an older message)
 
But the notifications about availability of new updates are something I actually like. They help lazy users who don't check for updates in a timely manner maintain their systems.
At its core FreeBSD is a server OS, and targeted at experienced administrators who want to be in control over their system, and not to get plagued with tons of update notifications.

Aside that - and this is interesting that nobody has mentioned it yet - there's periodic security (periodic(8)).

This can be enabled, will run once a day and will generate an email to you if some package has tainted security and therefore should be updated.
 
At its core FreeBSD is a server OS
It isn't, it's a general purpose OS. Read the very first paragraph on freebsd.org ;)

I guess it's the slogan "the power to serve" that led to a lot of confusion about this ... it just refers to the popularity of FreeBSD for servers. BSD heritage goes back to times when the distinction was meaningless because you just used (serial) terminals.

and targeted at experienced administrators who want to be in control over their system, and not to get plagued with tons of update notifications.
Of course, this is still true ;)
 
I'd like to complement hardworking newbie's post by recommending subscribing to one or another mailing list.
You'll receive information about bugs, problems, and especially about security issues quickly and up to date.
 
To explain a bit more about my previous post:
  • For BSD "heritage", of course, back then, everything was technically a "server" if it wasn't a terminal. The concept of "fat clients" didn't exist yet.
  • It might even be true that the server usecase is still the "most important" one for FreeBSD, e.g. some parameters are, by default, tuned to workloads that are more typical for a server.
  • But: The design of the system is general-purpose, it can support any kind of workload. Dedicated "server" systems at least have a clear "mission statement" (like, Windows Server xxx), or simply can't support any desktop/workstation workloads, as was the case for e.g. Novell Netware.
 
Periodic is enabled by default, the default config is to try and send email to local root account.
If you look in /etc/defaults/periodic.conf you find lots of good tunables that you put in /etc/periodic.conf (same concept as /etc/defaults/rc.conf and /etc/rc.conf).
I configure things so that instead of email the output goes to log files, simply because it's more convenient to me.

But circling back to the OP: frequency of updates vs stability of the system is always a tradeoff. We've seen/heard the "Windows Update" that requires 12 reboots before it's done or the update that breaks your system. Linux distros sometimes wind up in an update chain where you wind up updating 90% of the system. Sometimes with all the updates you wind up with maybe new security issues, or something that doesn't work anymore.

I agree with others on preferring the default behavior of the RELEASE branches (including packages), it gives me a level of confidence in the system, smaller less frequent changes make it easier to understand why something changed.
 
It kinda surprises me that no Linux distros have made the concept of base/3rd-party-packages more concrete.
Every Linux distro I have used seems to have some loose concept of a "base", it's what you got when you installed the system. It might "just" be a collection of third party packages "cobbled together" with the kernel - but that's not so different to FreeBSD where the project pulls in third party packages such as OpenZFS.

I think some Linux distro could benefit from the separation of "here is what I gave you when you installed the system" and "here's the stuff that you've done to the system post-install". Of course FreeBSD has the upper hand in tying the base userland utilities to the kernel, but as a user one of the obvious big wins this separation brings to me is that I can see how I've modified the system (in terms of installed software, and configuration if I use /usr/local/etc) and with ports-mgmt/pkg I can look up what I have explicitly installed vs what has been installed as dependencies.
 