While its relatively easy (or brain dead easy with GhostBSD or NomadBSD distributions) to install and configure a FreeBSD Desktop – one have to keep in mind that its also important to keep that system updated and secure.
There are many aspects about FreeBSD to keep it updates and secured.
The Table of Contents for this article is shown below:
- FreeBSD Base System
- Packages
- FreeBSD Linux Browser Installer
- WINE
- Cargo Packages
- FreeBSD Ports Tree
- Summary
Lets now discuss each section one by one.
FreeBSD Base System
First is the FreeBSD Base System which is updated by the frebsd-update(8) utility. It is not often you need to do this – from my experience its once a month need usually.
The list of needed commands are shown below.
# freebsd-version # frebsd-update fetch # frebsd-update install
While the freebsd-version(1) will tell you what version you are currently running the freebsd-update(8) will help you to update your FreeBSD system to have latest patches installed.
… but when to update the FreeBSD Base System anyway? Well – its quite simple – check the FreeBSD Security Advisories page – and if something posted there affects you – then you should move your ass and update it π
Packages
After you have taken care of the FreeBSD Base System the next one to make sure you are not too much far behind are the FreeBSD packages.
You can of course check if any of your installed packages have any reported security holes as shown below.
# pkg audit -F
vulnxml file up-to-date
0 problem(s) in 0 installed package(s) found.
The above message shows that your installed packages are safe – but its not the message you see the most of the time π
Below are the commands that you would use to update your FreeBSD desktop system.
# pkg upgrade # pkg autoremove # pkg clean -y --all
… and yes it does include some extra steps to remove cached packages – and probably now not needed as the are already installed anyway.
I do not think that anything more should be added here – maybe a short mention about the packages branch you are using. The default one is the quarterly branch that has packages build every quarter.
Maybe its sometimes reasonable for the server like environments – but I prefer to have the latest versions of what FreeBSD maintainers do offer in their hard and often underestimated work.
This is why I always use – both on desktop and servers – the latest packages branch.
This means that packages are (re)built once a week or faster and you get what is latest and fresh.
I will not convince you what is better – you will have to decide for yourself.
FreeBSD Linux Browser Installer
The Linux Browser Installer helps a lot on FreeBSD systems. It provides browsers (via the Linux Compatibility Layer) that are not natively available on FreeBSD – but with DRM sh!t needed to access for example Netflix content.
The Linux Browser Installer is easy to install – but its also easy to update.
Below you will find commands that will keep your Linux Browser Installer updated and secure.
# git clone https://github.com/mrclksr/linux-browser-installer.git # cd linux-browser-installer # ./linux-browser-installer chroot upgrade
WINE
One may think that WINE is just another package and that it was already updated during the # pkg upgrade cycle – it depends – the default WINE package is for 64bit excusables … but its also possible to run (and often needed) the older 32bit executables.
The problem is that the 32bit environment has its own separate root with its own packages set.
To be honest its not a big deal – you just need to remember to update it along with other things you update periodically π
Below is the command that updates the 32bit WINE binaries/packages.
% /usr/local/share/wine/pkg32.sh upgrade
One of the things you need to keep in mind that it is done by you (user) and not the root user of the machine.
Cargo Packages
While 95% of this topic is covered above – no one prevents you from using the additional Cargo packages – and I do it myself also.
Its just that some software is not yet available by the official FreeBSD packages – but its already official by using the Cargo packages.
I personally use about 10 different Cargo packages that are still not available on the FreeBSD packages.
Here are the instructions to keep these Cargo packages updated.
First and most important – you need to install the cargo-update package to be able to update installed Cargo packages.
Then you may just use the other command to have Cargo packages updated.
# cargo install cargo-update # cargo install-update -a
FreeBSD Ports Tree
Last but not least – the FreeBSD Ports Tree – which even if you only use binary packages – can often come handy in some exceptions.
We all know the ‘default’ rule that mixing Packages and Ports is a bad idea in the FreeBSD world – and I generally agree – its a bad idea if you do not know what you are doing.
If you do know what you are doing – you may mix anything with everything – just do not spam the FreeBSD Forums for help later π
The tool to update the local FreeBSD Ports Tree on your machine is still portsnap(8) and the auto argument is usually more then enough.
# portsnap auto
From the other things – you may want to setup the WRKDIRPREFIX variable to have everything built in the /usr/ports/obj directory – to have everything in one place.
# grep WRKDIRPREFIX /etc/make.conf WRKDIRPREFIX=${PORTSDIR}/obj # rm -rf \ /usr/ports/obj \ /usr/ports/distfiles
I often also clean the /usr/ports/obj and /usr/ports/distfiles directories.
Summary
Besides the things that I have wrote above I also sometimes save some binaries to the ~/scripts/bin path. There is not upgrade path for them besides manually checking the provider page.
Some examples of such software on my system are doso or cpuc ones.
As I do not have anything more to add here – please feel free to comment what is missing in keeping your workstation updated and secure.
EOF
ππππππππ 
Pingback: Keep FreeBSD Desktop Updated - My Blog
Just want to point this:
“Some examples of suc*H* software on my system are doso or cpuc ones.”
LikeLike
You are right. Fixed π
LikeLike
Great article btw.
I use this script to keep my FBSD updated:
#!/usr/bin/env bash if [[ "${UID}" != "0" ]] ; then echo "UID != 0" ; exit ; fi printexec() { printf "\e[91;1m * ${*}\e[0m\n" "${@}" } printexec freebsd-update fetch install printexec pkg update printexec pkg upgrade printexec pkg autoremove printexec pkg check -d -s -a printexec pkg audit -F -r printexec pkg clean -y printexec portsnap fetch update printexec portmaster --clean-distfiles printexec pkg stats reboot_check() { _fbsd="$(freebsd-version -k)" _unamer="$(uname -r)" [[ "$_unamer" == "$_fbsd" ]] && printf "\e[91;1m * Done\e[0m\n" || printf "\e[91;1m * Done, Kernel was updated, reboot is required!\e[0m\n" } reboot_check exit 0LikeLike
Pingback: Links 23/01/2023: Fwupd 1.8.10 | Techrights
Pingback: Valuable News – 2023/01/23 | ππππππππ
Thank you for the valuable information on the mailing list and your blog. Best regards
LikeLike
Thank You and I am glad that it was useful.
Cheers mate.
LikeLike