While installing and upgrading OpenBSD releases has always been a breeze, keeping a stable installation up-to-date with security and reliability patches required fetching and applying cvs(1) diffs and then building a new release, which had to be deployed on every maintained system. In this talk I will introduce a new base system utility: syspatch(8). It is used to fetch, verify, install and revert OpenBSD "binary" patches.
I will also describe the patch building process, which is completely privilege separated, and explain how and why several parts of the build system had to be changed.
As a teaser let me give you a couple of examples.
At OpenBSD we believe that doing full builds for each patch is the proper way to go, even though it takes more time and effort. Indeed, an important requirement for building patches is deterministic builds. That is especially true if the patch tarballs aren't built on the system on which the original release was created.
Another challenge is static binaries. These need to be re-linked every time we patch a library that they depend on, so if you don't do a full build every time, you have to keep a list of these binaries and manually force a rebuild of them, which is error-prone.
Speakers: Antoine Jacoutot