Solved: Where are the security patches stored?

I want to re-build my kernel for 10.1-p35 as the user land now is on -p40. Before I do so I would like to better understand some mechanics of FreeBSD:

I am using freebsd-update cron & install to keep my system up-to-date, and also portsnap fetch update to keep all installed ports updated. I also downloaded the source a couple of months ago with svnlite.

a) Does freebsd-update also keep the source in sync? I assume not, as the description says Generic kernel and ports only.

b) When I now use svnlite update to get the source of base in sync with Release-10.1.0, what about the 35 patches/patch levels? Do these security updates also regularly update the source on FreeBSD, so that Release/10.1.0 is really Release/10.1.35?

c) If, under b), the patches are not part of the source and so svnlite update does not bring the patches either, where do I get them?

Or do I need to run freebsd-update at the end, after all re-builds are done, to get the latest patches applied?

a) It does if you tell it to via the configuration file freebsd-update.conf(5). Do note that this method of tracking the source code updates will not give you a copy of the sources that you could update with SVN; the two methods are mutually exclusive.

b) The release paths in the repository are never updated, they are what are known in the revision control lingo as "tags". What you should be following is the releng branch to get security and errata updates, for example for 11.0-RELEASE the correct branch is releng/11.0.

c) The patches are already applied on the appropriate repository paths. You'll still see links to the patch files as part of the security advisories but those are only for people who want to apply the patches manually, I doubt you'll find many of them.

You have basically two choices:

- Leave the updates completely to freebsd-update(8) and let it update your system with binary updates. Keeping the system sources up to date is optional.

- Use the method of your choice to keep the system sources at /usr/src up to date and use the source update/upgrade method as documented in the handbook:

... What you should be following is the releng branch to get security and errata updates ...

Ahhh !!! I missed that info. The handbook makes statements about Release, Stable and Current. Maybe I overlooked it, but I have never seen a statement about the releng branch.

I also just verified my freebsd-update.conf(5) and already had src included. So I already have the newest source "on board". Will give the compilation a try tomorrow.

Thanks and a virtual :beer: for your help and explanation
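
As an added example (not part of the thread, and not FreeBSD's own tooling): a sh check for the situation in answer b), run before rebuilding a kernel from /usr/src. It assumes the tree records its version as REVISION and BRANCH in sys/conf/newvers.sh; the function names and status strings are hypothetical.

```shell
#!/bin/sh
# Added example: is /usr/src safe to rebuild a kernel from?

# Print "REVISION-BRANCH" (e.g. 10.1-RELEASE-p40) from a newvers.sh file.
src_version() {
    rev=$(sed -n 's/^REVISION="\(.*\)"$/\1/p' "$1")
    br=$(sed -n 's/^BRANCH="\(.*\)"$/\1/p' "$1")
    if [ -z "$rev" ] || [ -z "$br" ]; then return 1; fi
    printf '%s-%s\n' "$rev" "$br"
}

# Numeric patch level of a version string; 0 when there is no -pN suffix.
patch_level() {
    case "$1" in
        *-p[0-9]*) printf '%s\n' "${1##*-p}" ;;
        *) echo 0 ;;
    esac
}

# Classify the repository path a checkout follows.
branch_kind() {
    case "$1" in
        */releng/*) echo releng ;;   # receives security and errata fixes
        */release/*) echo tag ;;     # frozen at release time
        *) echo other ;;
    esac
}

# check_src USERLAND SRC_VERSION SVN_URL -> frozen-tag | src-behind | ok
check_src() {
    if [ "$(branch_kind "$3")" = tag ]; then echo frozen-tag; return 0; fi
    if [ "$(patch_level "$2")" -lt "$(patch_level "$1")" ]; then
        echo src-behind; return 0
    fi
    echo ok
}

# Constructed sample input for offline runs (not copied from a real tree).
sample_newvers() {
    printf 'TYPE="FreeBSD"\nREVISION="10.1"\nBRANCH="RELEASE-p35"\n'
}

# Live use on a FreeBSD host whose /usr/src is an svn checkout: pass --live
if [ "${1:-}" = "--live" ]; then
    url=$(svnlite info /usr/src | sed -n 's/^URL: //p')
    check_src "$(freebsd-version -u)" \
        "$(src_version /usr/src/sys/conf/newvers.sh)" "$url"
fi
```

A result of frozen-tag or src-behind means a kernel built from that tree would lack fixes the userland already has.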