Binary Security Updates for FreeBSD -- over 100,000 served!

FreeBSD Update is a system for automatically building, distributing, fetching, and applying binary security updates for FreeBSD. This makes it possible to easily track the FreeBSD security branches without the need for fetching the source tree and recompiling (except on the machine building the updates, of course). Updates are cryptographically signed; they are also distributed as binary diffs using my binary diff tool, which dramatically reduces the bandwidth used.

NOTE: This page concerns the original FreeBSD Update (version 1.x) for which the client code was distributed via the FreeBSD ports tree and for which I build binary updates for i386 only. Starting with FreeBSD 6.2, a completely new version of FreeBSD Update is distributed in the FreeBSD base system and updates are being built by the FreeBSD Security Team on hardware donated to the FreeBSD project.

Note to Google users: If you arrived here by searching for "update ports freebsd" or something similar, you probably want portsnap, my utility for ports tree updating.

FreeBSD Update is designed for updating systems which have started with a binary install of an official FreeBSD RELEASE, and which have not had any files recompiled locally.

Prior to FreeBSD Update 1.4, if any files have been modified (or recompiled) locally, they will be silently ignored. They will not be updated. If you have recompiled any part of the FreeBSD world locally, make sure you're not running a pre-1.4 version of FreeBSD Update.

FreeBSD Update 1.4 will complain about files which have been locally modified. It still can't update them; but it will print a warning message to alert you to the fact that those files may have security issues which FreeBSD Update is not patching.

FreeBSD Update 1.5 adds support for updating systems which have had files recompiled locally. To use this, you must know which "distribution branch" your system has; on FreeBSD 4.x, these are "crypto", "nocrypto", "krb4", and "krb5". These correspond to the default, NOCRYPT, MAKE_KERBEROS4, and MAKE_KERBEROS5 options in make.conf. Read the included manual page for details about how to use this option. Be aware that FreeBSD Update cannot distinguish between intentionally modified files and those which have merely been recompiled. If you use this option, make sure you read the list of files shown before installing them.

Version 1.6 of the client (update fetching and applying) code is available from the FreeBSD ports tree as security/freebsd-update. I used to have a link to the tarball here, but lots of people managed to install it wrong; so I'm not going to link to it. The ports tree will set it up properly; take advantage of it. (If you just want to look at the code, rather than wanting to install it... go look in the ports tree.)

I am currently building updates for all branches supported by the FreeBSD Security Team, i.e. 4.11-RELEASE, 5.5-RELEASE, 6.0-RELEASE, and 6.1-RELEASE.

In the past I have also built updates for 4.7-RELEASE, 4.8-RELEASE, 4.9-RELEASE, 4.10-RELEASE, 5.0-RELEASE, 5.1-RELEASE, 5.2.1-RELEASE, 5.3-RELEASE, and 5.4-RELEASE; if you run FreeBSD Update on a system with one of these versions, it will download and install all the security updates up to the point when those releases ceased to be supported by the security team. If you are running such an old release, I strongly recommend that you upgrade your old FreeBSD 4.x system to FreeBSD 4.11 or upgrade your old FreeBSD 5.x system to FreeBSD 6.x.

Thanks to all the donors who contributed to allow me to purchase the system I'm using to build these updates; in particular, BSD Mall and the readership of slashdot.jp made large contributions.

I presented a paper about this at BSDCon'03; the paper is available here in PostScript, PDF, and HTML formats.