Running ports and packages on a patched-release of OpenBSD

Tags: openbsd

This post is old and way out of date. Now that the OpenBSD project provides binary updates for the most recent release, much of the detail below is completely unnecessary.

If you are using ports or packages on an OpenBSD -release or -stable system you ought to know how to install security and stability fixes. This post explains how.

For the purpose of this article I assume that the reader is running an OpenBSD -release or -stable system rather than -current. Follow this link for an explanation of the different “flavors” of OpenBSD that are available.

Installing additional software

Whilst OpenBSD ships with a more integrated and complete set of tools than many barebones Linux distros, you probably will need to use software not included in the base system eventually. While a full explanation of software management is beyond the scope of this article, generally a new software package and all its unmet dependencies can be installed on OpenBSD as easily as typing pkg_add -iv PackageName (assuming that you have set your PKG_PATH variable appropriately). Specifying the -iv options ensures that the command is executed in interactive mode with verbose output. A full explanation of the package tools that ship with the base system is presented in the FAQ. An excellent tutorial on using ports and packages has been produced by the good people cranking out the BSD Now podcast. The post you are reading borrows liberally from these sources.

Using binary packages as outlined above is the recommended approach for installing additional software. Packages offer a quick, easy and secure way of extending the capabilities of your system. A set of binary packages is built for each OpenBSD release and is available on a release CD or from one of the mirror sites. Alternatively, you can build a port, but this is typically less convenient, takes longer and is more prone to error. The objective of building a port is to build a binary package from the source code. Scripts which automate the process of acquiring source code and compiling it are provided in the ports tree. Packages on a release CD or mirror essentially are ports that the developers have compiled for you, to save you the hassle of doing it yourself.

Keeping packages up to date

There are well-documented ways of keeping your OpenBSD base system up to date, but what happens if a security or stability fix is released for additional software that you have installed using packages (or ports)? Well, in theory you can use the package tools to upgrade binary packages to the updated version but the development team doesn’t actually recompile and release updated packages suitable for a -release or -stable system. My understanding is that they don’t have the resources to do this and it isn’t really a priority anyway. However, the developers do provide source code patches which fix security problems and they do release snapshots with binary packages of the current development branch (-current):

“…security updates for various applications are committed to the ports tree as soon as possible, and corresponding package security updates are made available as snapshots for -current” http://www.openbsd.org/faq/faq15.html

What to do? Sure, you could run -current, but that generally isn’t recommended unless you know what you are doing.

Trust someone else?

One option is to trust someone else - in this case a UK company called m:tier - to do all the hard work for you. M:tier take the source code patches, compile the relevant software and make it freely available (there is a premium service that you can pay for…). M:tier even provide a handy tool called openup to automate this process. I’ve used their free service on a test box, and am perfectly satisfied. More details are available at https://stable.mtier.org/. This approach would probably suit you if you are looking for something equivalent to a typical Linux package management tool such as pacman, apt-get or yum in order to update your box by issuing a single command in a terminal.

The do-it-yourself option: for the purist…

I typically opt for a more self-reliant option on my production boxes…

First of all, I handle updates of the base system as described on the OpenBSD errata page for the -release that I am running. (An alternative would be to track -stable).

Then, I track the -stable ports tree rather than sticking with the ‘frozen’ ports tree made available with the release. If any of my packages are out of date I simply rebuild them from ports: dead easy. As the package was built for the release and will have received, at most, minor patches, it should build from source with minimal hassle.

(Perhaps I’m just a bit dimmer than the average OpenBSD user? It took me quite a while to realise that I could track -stable ports on a patched -release system.)

Ok, I said it’s easy to do, but how does one actually go about doing it?

First of all you need a copy of the ports tree:

# cd /usr 
# cvs -qd anoncvs@anoncvs.usa.openbsd.org:/cvs get -rOPENBSD_`uname -r | sed 's/\./_/'` -P ports

Done. Note: there may be a CVS mirror closer to where you live. How to keep your ports tree up to date? Periodically run:

# cd /usr/ports 
# cvs -d anoncvs@anoncvs.usa.openbsd.org:/cvs -q up -rOPENBSD_`uname -r | sed 's/\./_/'` -Pd

Next time around, you might be able to update your ports tree with…

# cvs -q up -rOPENBSD_`uname -r | sed 's/\./_/'` -Pd

…but I don’t think this will survive a reboot.

Bear in mind that it can take a little while to update the tree - there might not be much to see for a couple of minutes. The above commands, taken from here, call uname -r to check the version of OpenBSD you are running, and the piped sed command reformats the version string and passes it into the cvs command so that it is consistent with the syntax set out in the relevant FAQ entry. This means that it should work regardless of which release of OpenBSD you are using. If you are running the 5.6 release and living in the UK you could just do this:

# cd /usr/ports
# cvs -d anoncvs@anoncvs.spacehopper.org:/cvs -q up -rOPENBSD_5_6 -Pd

and therefter:

# cvs -q up -rOPENBSD_5_6 -Pd

[edit: I got the second command to work by exporting the CVSROOT variable for the CVS mirror and adding the export command to my .profile file for my shell]

The output tells you what files have been updated in the ports tree. Typically you will only have a subset of these installed on your system. There is a helpful script available in the ports tree that can be used to check whether any of your installed ports are actually out of date:

# /usr/ports/infrastructure/bin/out-of-date

Run this each time you update your ports tree. The script also tells you if any of your installed packages are out of date. This is excellent! It means that even if you installed something with packages initially, you will know to build a port to replace the out of date package, if necessary.

To upgrade a port or package, cd into the relevant directory for the package in the ports tree, for example:

# cd /usr/ports/net/curl

and then:

# make update

If you do this first:

# echo 'FETCH_PACKAGES=Yes' >> /etc/mk.conf

…(and you only need to do this once) ports will install any dependencies from binary packages rather than compiling them, saving time.

See. Dead easy.
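The whole do-it-yourself loop above (update the -stable ports tree, run out-of-date, rebuild whatever is stale) as one POSIX sh script. This is an added example, not code from the original post or the OpenBSD project; it assumes the ports tree lives in /usr/ports, that CVSROOT names a CVS mirror of your choice, and that out-of-date prints one "category/port ..." line per stale port.

```shell
#!/bin/sh
# Added example, not from the original post: the update, check and rebuild
# procedure as a single script. Assumptions: ports tree in /usr/ports, a
# CVS mirror of your choice in CVSROOT, and out-of-date printing one
# "category/port ..." line per stale port (its output format is assumed).
set -eu

PORTS="${PORTS:-/usr/ports}"
CVSROOT="${CVSROOT:-anoncvs@anoncvs.usa.openbsd.org:/cvs}"

# Map a release string such as "5.6" to the -stable branch tag "OPENBSD_5_6":
# the same transformation as the uname -r | sed pipeline in the post.
stable_tag() {
    printf 'OPENBSD_%s\n' "$(printf '%s' "$1" | sed 's/\./_/')"
}

# Read out-of-date output on stdin and print one port directory per stale
# port: keep the first field of lines shaped like category/port, strip any
# ",flavor" or ",-subpackage" suffix, and de-duplicate so a port with several
# subpackages is rebuilt once.
stale_dirs() {
    awk '{ n = split($1, p, "/"); if (n == 2) { sub(/,.*/, "", $1); print $1 } }' \
        | sort -u
}

# Update the tree on this release's -stable branch, then "make update" in
# each stale port directory. With FETCH_PACKAGES=Yes in /etc/mk.conf the
# dependencies come from binary packages, as the post notes.
update_and_rebuild() {
    cd "$PORTS"
    cvs -d "$CVSROOT" -q up -r"$(stable_tag "$(uname -r)")" -Pd
    "$PORTS/infrastructure/bin/out-of-date" | stale_dirs | while read -r dir; do
        echo "==> rebuilding $dir"
        (cd "$PORTS/$dir" && make update)
    done
}

# Only touch the system when invoked as "sh script.sh run"; otherwise the
# helpers above can be sourced and exercised on their own.
case "${1:-}" in
    run) update_and_rebuild ;;
esac
```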