Antoine Jacoutot

While installing and upgrading OpenBSD releases has always been a breeze, keeping a stable installation up-to-date with security and reliability patches required fetching and applying cvs(1) diffs then build a new release which had to be deployed on every maintained systems. In this talk I will introduce a new base system utility: syspatch(8). It is used to fetch, verify, install and revert OpenBSD "binary" patches.

I will also describe the patch building process which is completely privileged separated and explain how and why several parts of the build system had to be changed.

As a teaser let me give you a couple of examples.

At OpenBSD we believe that doing full builds for each patch if the proper way to go, even though it takes more time and effort. Indeed, an important thing for building patches are deterministic builds. That is especially true if the patch tarballs aren't built on the system the original release was created.

Another challenge is static binaries. These need to be re-linked every time we patch a library that's a dependency, so if you don't do a full build all the time, you have to keep a list of these binaries and manually force re-build them which is error prone.

Instead of speaking about successful parts of the projects, this talk will focus on the weakness of both OpenBSD and FreeBSD, exploring conceptual differences between them and also exploring directions where motivated contributors can start working on to improve the projects. While being general purpose operating systems we will see that one size doesn't fit all and how one or the other may be a better solution to a particular problem. Trolls are to be left at the door.