The dilemma – OS updates vs OS type

For years I have been a FreeBSD bigot. I love FreeBSD, the stability, performance, ease of use, and steady progression.

But…

Updates are kind of a chore: there is no such thing as true incremental updates; you either do patch updates against RELEASE, or you do world updates against STABLE. I am a STABLE kind of admin, so my updates take quite a few man hours to do. The number of security updates required for FreeBSD is quite minimal (the target is small).

The Ubuntu Linux distribution does do things incrementally: you can update whenever you wish, as by default everything is distributed as binaries. The downside is the constant stream of updates in the pipeline and no easy way to figure out which update is relevant to what type of thing you are updating for. The update mailing lists are high speed, high volume, and I don’t have enough time in my day to keep up. The number of security updates required for any Linux distribution is very large (the target is huge).

And this has nothing to do with package maintenance…

So on with my dilemma…

Every 6 months I do a full update on my servers, for FreeBSD, the basics are:

  • screen -R
  • exec sudo su - root
  • cvsup ports-supfile
  • cvsup stable-supfile
  • cd /usr/ports
  • make fetchindex
  • cd /usr/src
  • make buildworld ; date
  • ^A^D

and let it run. At this point nothing on the running system has changed, no updates or anything else. Come back later (90 minutes or so) and…

  • screen -R
  • make installworld ; rm -fr /usr/obj/*
  • cd sys/amd64/conf
  • rm -fr ../compile/<CONFIGNAME>
  • config <CONFIGNAME>
  • cd ../compile/<CONFIGNAME>
  • make cleandepend && make depend && make && make install
  • cd ..
  • rm -fr <CONFIGNAME>
  • mergemaster -UiF
  • sync ; sync ; sync ; reboot

and my world is all happy and complete.

Ubuntu? Wow, this is easysauce…

  • sudo su - root
  • apt-get update
  • apt-get dist-upgrade
  • sync ; sync ; sync ; reboot

This updates the kernel, userland, and any installed binary packages from the Debian package system. (Notice I have not yet listed out how I update packages on FreeBSD.)

The only issue with Ubuntu (and with all of the different Linux distributions) is that you can do this 2-3 times per week and still have updates to install (as I alluded to above).

So, dilemma…

I seriously need to evaluate what I do with my UNIX administration.

Do I continue down the tried and true path with FreeBSD with the small target, excellent performance, but long hours of updates, or do I choose the quick and easy path of the Ubuntu Linux distribution with the many (and varied) updates regularly?

With the FreeBSD systems, I don’t need to worry so much about security items: there is a specific mailing list dealing with such things, with a clear separation between the FreeBSD OS and any 3rd party packages, and the number of issues is very low. Day to day OS maintenance is almost non-existent.

With the Ubuntu Linux distributions, I need to look regularly at what is being updated (since the mailing lists are full of <everything> being updated), and day to day risk is difficult to gauge because of the constant and ever flowing updates that I cannot keep up with (I have other things to do with my time than read hundreds of emails a day about joe-coder updating ffmpeg for the third time today).

I manage over 100 of these kinds of systems, approximately 10-12 of them are Ubuntu and the rest are FreeBSD based.

(updating FreeBSD ports is its own thing and both incredibly easy to deal with while also fraught with gotchas you must watch out for, like the mid-life update to Perl 5.10 from Perl 5.8, or using portupgrade on ‘gd’ or ‘curl’ can sometimes be frustrating because of weird failures)

What would you do?

10 Replies to “The dilemma – OS updates vs OS type”

    • Who runs 9.x?

      Or a GUI for servers?

      (I read it – there is command line stuff too – this is interesting stuff, doesn’t change my dilemma though)

      • nah, it supports server 10.4 lts – I should have picked a better farticle to link

        The gui is for the lazy desktop wankers who don’t care to screen let alone tickle a cli

  • Ubuntu/Debian – there are numerous apps out there that will check the archives on a scheduled basis for any updates to your system, and notify you in some way (email, run a script, etc) when there are updates available. This only checks against applications that you have installed (basically does an ‘apt-get update’ and then sees if a dist-upgrade would do anything), and as long as you are running on a stable release (i.e. not testing on Debian, or with -proposed or PPAs on Ubuntu), the noise level is fairly low.

    It would also not be excessively difficult to write a script to run as your ‘notification’ that would check the changelog for each change, and then only notify you if it was a security update vs a bug fix..

    You could also run the Debian FreeBSD port.. ;)

    • How would running the Debian FreeBSD port do anything? Silly L lover!

      Glad you mention that there are apps out there, without mentioning said apps – quite helpful! (sorry, sarcasm is not as fun in text/plain).

      Production doesn’t run beta or testing software by default.

      So, getting notifications is easy, parsing what is real and what is someone doing a comment update and rebuild is difficult already, writing tools to check on an update … is great but that requires that the update have good documentation. Do you read those mailing lists? :( Full of random commentary.

      • Debian FreeBSD port — FreeBSD kernel with full GNU userland managed by apt.. so if you are getting benefits from the FreeBSD kernel, it’s one way to get ‘easy’ updates on FreeBSD.. ;)

        Apps: Yeah, I got the sarcasm. ;) Sorry, was replying from the phone! Two I’ve seen are cron-apt and daptup; I’ve used cron-apt quite a bit, haven’t used daptup myself but have heard good things.

        Parsing – with Debian at least, any update that is security-related should have urgency set to high.. and will generally link to the CVE.. but ya, if an update isn’t strictly known to resolve security issues until later, may not help!
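The post’s complaint that there is no easy way to tell which pending updates matter, and the comment above suggesting a notification script that only fires for security updates, both come down to the same filter. As an added example (not the post’s or any commenter’s code), here is a POSIX sh filter over the `Inst` lines that `apt-get -s dist-upgrade` prints, keeping only packages whose origin is a `-security` pocket; the SAMPLE text is constructed and stands in for real apt output.

```shell
#!/bin/sh
# Added example: classify the updates a simulated dist-upgrade would install.
# apt's "Inst" lines have the form
#   Inst <pkg> [<old version>] (<new version> <origin>/<suite>, ... [<arch>])
# and security fixes on Ubuntu/Debian come from a "<release>-security" suite.
# SAMPLE is constructed stand-in data; real use is
#   apt-get update && apt-get -s dist-upgrade | notify_if_security
SAMPLE='Reading package lists...
Building dependency tree...
Inst libssl1.1 [1.1.1f-1ubuntu2.16] (1.1.1f-1ubuntu2.17 Ubuntu:20.04/focal-security [amd64])
Inst ffmpeg [7:4.2.4-1ubuntu0.1] (7:4.2.7-0ubuntu0.1 Ubuntu:20.04/focal-updates [amd64])
Inst linux-image-generic [5.4.0.100.104] (5.4.0.150.148 Ubuntu:20.04/focal-security, Ubuntu:20.04/focal-updates [amd64])
Conf libssl1.1 (1.1.1f-1ubuntu2.17 Ubuntu:20.04/focal-security [amd64])
Conf ffmpeg (7:4.2.7-0ubuntu0.1 Ubuntu:20.04/focal-updates [amd64])'

# list_updates KIND: read apt -s output on stdin and print the package names
# of pending installs. KIND is "security" (origin mentions a -security suite)
# or "other" (everything else). "Conf" lines are configure steps, not installs.
list_updates() {
    awk -v kind="$1" '
        $1 == "Inst" {
            sec = ($0 ~ /-security/)
            if ((kind == "security" && sec) || (kind == "other" && !sec))
                print $2
        }'
}

# security_count: number of pending installs that come from a security suite.
security_count() {
    list_updates security | wc -l | tr -d ' '
}

# notify_if_security: print a short report and return 0 only when at least one
# security update is pending; return 1 (stay quiet) otherwise, so a cron job
# can mail the output only on a 0 exit.
notify_if_security() {
    input=$(cat)
    n=$(printf '%s\n' "$input" | security_count)
    [ "$n" -gt 0 ] || return 1
    echo "$n security update(s) pending:"
    printf '%s\n' "$input" | list_updates security
}

printf '%s\n' "$SAMPLE" | notify_if_security
```

A fix that was published to the regular updates pocket before it was recognised as a security issue will land in the "other" bucket, exactly the limitation the comment notes.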
