Hacker News new | ask | show | jobs
by inferiorhuman 1488 days ago
https://www.freebsd.org/security/#sup

  Under the current support model, each major version’s stable branch
  is explicitly supported for 5 years, while each individual point release
  is only supported for three months after the next point release.
You've got plenty of time for support. These days I only use FreeBSD for homelab stuff but… yeah you can go two ways really. Portsnap + rebuilding your packages to track updates or track an official package server that gets regular updates. Because I don't have to scale this shit out the setup I ended up with was to point pkg(8) at a varnish instance that queries a "latest" repo, and then the jails hit the varnish instance.

Unlike some debian-ish distros I don't think there's any security-update-only repo for ports/packages to track. Meanwhile freebsd-update(8) handles security updates for the base system.
1 comments
just_for_you 1488 days ago
Yeah, I love FreeBSD's base system's release model. It feels like a complete system, and each release is supported for a long time.

Same with systems like Ports, and in particular, NetBSD's pkgsrc. I've personally been using pkgsrc on my MacBook (and sometimes on Linux too) for years, and have really enjoyed using it as a cross-platform system to add my own little packages that'll work across macOS/Linux/NetBSD (I use NetBSD on my Pi). And I have no problems doing upgrades every 3 months, since I want my shiny new software.

So I definitely see and appreciate Ports/pkgsrc's benefits - but I still feel uneasy using stuff like FreeBSD+Ports on non-personal projects, like for projects at work.

link
inferiorhuman 1488 days ago
Until pkg(8) came around ports were one of my least favorite parts of FreeBSD. I like(d) pkgsrc even less.

Part of it was the simplistic support for binary packages that felt entirely like an unwanted afterthought. Compile everything from source just doesn't scale especially if you want to use complex, slow-to-compile projects like gcc or firefox.

The other part is that make(1) is SLOW and simply does not scale to the size of something like the ports tree. It's also a bit tedious to use out of your ports tree and the documentation was kinda meh. There were a number of hacks layered on top that sort of eased the pain (I want to say portupgrade?, I never got into portmaster) but always felt really brittle and things were always getting out of sync. Even pkg(8) is a bit funky (and I don't particularly like the reliance on srv records no matter how elegant a solution it may seem).

> I still feel uneasy using stuff like FreeBSD+Ports on non-personal projects, like for projects at work.

I would never use ports in a production environment without some detailed justification. The binary packages are the way to go. Building your own ports (as in your own software not building your own copy of an existing port) is also a bit of a trial by fire thing involving a lot of hair pulling. Dunno what the update quarterly stuff is about tho, I run pkg update weekly to keep on top of things – but I track the latest repo not the quarterly one.

Honestly one of the few things I miss about Linux is the Debian package ecosystem. But as I learned with fink on OSX it's not just the infrastructure that matters.

link
just_for_you 1488 days ago
>pkg

pkg-ng is indeed a godsend, and I think I just got PTSD thinking about what Ports management was like before it. Currently getting flashbacks to the salad of utilities I used to use from ports-mgmt/.

>make

Yes, the Makefile infrastructure for both Ports/pkgsrc is clunky and slow, and the documentation is also terrible too. Took quite a bit of suffering to learn the dark art of properly authoring packages in pkgsrc.

For what it's worth, there's also the Gentoo Prefix project, but I haven't ever been able to use it because the bootstrap for it has failed every time I tried it on macOS or Linux.

At least for pkgsrc using it is as simple as: $ git clone https://github.com/netbsd/pkgsrc --depth 1 $ cd ~/pkgsrc/bootstrap && ./bootstrap --unprivileged $ cd ~/pkgsrc/misc/tmux && ~/pkg/bin/bmake install $ ~/pkg/bin/tmux

As flawed and janky as pkgsrc is, it has at least worked consistently for me on macOS/Linux for years.

>compiling from source

Yeah, I agree. Compiling everything from source and using it in production is for insane people. Should have clarified that when I said "Ports/pkgsrc", I meant using official binary pacakges, and not necessarily building from source.

>latest and quarterly

The point of quarterly releases is to serve as a base for stable package versions, backported security fixes, and as a chance to fix package runtime/compilation issues before being generally available - something harder to do if you track bleeding-edge packages, where things can shift under people's feet.

It's also useful when building from source, like I do with pkgsrc for macOS, because lots of random things will break if there's too large of a rift between what's installed and what's in bleeding-edge pkgsrc. In these cases, you'd usually have to do mass rebuilds, and/or deal with dependency hell (eg, pkg X you have installed needs need <=libsomething-1336, but pkg Y in pkgsrc needs >=libsomething-1337).

I use the packages installed via pkgsrc pretty much daily on my MacBook, and it'd be really annoying having things possibly breaking after an update just a week apart, especially if I'm in a rush and need to get something done for work. So using a quarterly branch is useful, since it's a cadence I can stomach, and there's a higher likelihood that the devs had more time to polish the packages in that release.

>Fink

Never heard of this before. I'll give it a gander sometime soon.

link
inferiorhuman 1487 days ago
Were it my responsibility I wouldn't worry too much about using FreeBSD binary packages in production. The way ports are set up, typically you'd have to go out of your way to install a bleeding edge version of something. If you're relying on something (e.g. ruby, python) with a bunch of commonly used versions you can alias the default to your preferred version. This may make audit compliance more difficult but not by much (especially considering how laborious compliance is anyhow).

At this point my biggest qualms about FreeBSD in production aren't really around the ports themselves but more around how much stuff has become Linux only (e.g. dockerify everything).

At megacorp we had to use an old version of CentOS (ugh) and the whole "keep updating ancient versions of third party software" thing came with plenty of caveats and frustrations. Regardless of the operating system it's not an approach I'd recommend.

Edit: Fink is the OSX port of dpkg more or less.

link