While installing and upgrading OpenBSD releases has always been a breeze,
keeping a stable installation up-to-date with security and reliability patches
required fetching and applying cvs(1) diffs and then building a new release, which
had to be deployed on every maintained system.
In this talk I will introduce a new base system utility: syspatch(8). It is used
to fetch, verify, install and revert OpenBSD "binary" patches.
I will also describe the patch building process, which is fully
privilege-separated, and explain how and why several parts of the build system
had to be changed.
As a teaser let me give you a couple of examples.
At OpenBSD we believe that doing full builds for each patch is the proper way to
go, even though it takes more time and effort. Indeed, an important requirement
for building patches is deterministic builds. That is especially true if the patch
tarballs aren't built on the system the original release was created on.
Another challenge is static binaries. These need to be re-linked every time we
patch a library they depend on, so if you don't do a full build every time,
you have to keep a list of these binaries and manually force a rebuild of them,
which is error prone.
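As an added example, not code from the talk or from OpenBSD's build system, the following Python script does the bookkeeping the last paragraph describes: it walks a directory tree and reports which ELF executables are statically linked (no PT_INTERP and no PT_DYNAMIC program header), i.e. the ones that still embed an old copy of a library after that library has been patched and therefore must be re-linked. It parses the ELF headers itself rather than shelling out to file(1) or readelf(1), so it runs anywhere; the file names and ELF images in `demo()` are constructed fixtures, not real programs.

```python
"""Added example (not from the talk or from OpenBSD's build system): list the
statically linked ELF executables under a directory tree.

A static binary carries its own copy of every library it uses, so a patch to
the shared library leaves it unfixed until it is re-linked.  This list is the
one the abstract says you otherwise have to maintain by hand.
"""
import os
import struct
import tempfile

PT_LOAD = 1      # program header types from the ELF specification
PT_DYNAMIC = 2
PT_INTERP = 3


def program_header_types(data: bytes) -> list:
    """Return the p_type of every program header in an ELF image.

    Handles ELF32 and ELF64 in either byte order and raises ValueError for
    anything that is not a well-formed ELF header.
    """
    if len(data) < 6 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    endian = {1: "<", 2: ">"}.get(data[5])      # EI_DATA: 1 = LSB, 2 = MSB
    if endian is None:
        raise ValueError("bad EI_DATA")
    try:
        if data[4] == 2:      # ELFCLASS64: e_type .. e_shstrndx, 13 fields
            fields = struct.unpack_from(endian + "HHIQQQIHHHHHH", data, 16)
        elif data[4] == 1:    # ELFCLASS32: same fields, 32-bit offsets
            fields = struct.unpack_from(endian + "HHIIIIIHHHHHH", data, 16)
        else:
            raise ValueError("bad EI_CLASS")
        e_phoff, e_phentsize, e_phnum = fields[4], fields[8], fields[9]
        return [struct.unpack_from(endian + "I", data, e_phoff + i * e_phentsize)[0]
                for i in range(e_phnum)]
    except struct.error as exc:
        raise ValueError("truncated ELF image") from exc


def is_static(data: bytes) -> bool:
    """True when the image has neither an interpreter nor a dynamic segment."""
    types = program_header_types(data)
    return PT_INTERP not in types and PT_DYNAMIC not in types


def static_binaries(root: str) -> list:
    """Walk root and return the paths of statically linked ELF files, sorted."""
    found = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            with open(path, "rb") as fh:
                data = fh.read()      # whole file: phdrs may sit anywhere
            try:
                if is_static(data):
                    found.append(path)
            except ValueError:
                continue              # scripts, data files, corrupt ELF
    return sorted(found)


def build_elf64(phdr_types) -> bytes:
    """Constructed fixture: a minimal little-endian ELF64 image whose program
    headers have the given types.  It contains no code and would not run."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # class64, LSB, v1, SYSV
    header = ident + struct.pack(
        "<HHIQQQIHHHHHH",
        2, 0x3E, 1, 0x400000,            # ET_EXEC, x86-64, version, entry
        64, 0, 0, 64,                    # e_phoff, e_shoff, e_flags, e_ehsize
        56, len(phdr_types), 0, 0, 0)    # e_phentsize, e_phnum, section fields
    phdrs = b"".join(struct.pack("<IIQQQQQQ", t, 0, 0, 0, 0, 0, 0, 0)
                     for t in phdr_types)
    return header + phdrs


def demo() -> list:
    """Write two constructed images plus a shell script into a temporary tree
    and return the basenames that static_binaries() reports."""
    with tempfile.TemporaryDirectory() as root:
        fixtures = {
            "static_tool": build_elf64([PT_LOAD, PT_LOAD]),
            "dynamic_tool": build_elf64([PT_INTERP, PT_LOAD, PT_DYNAMIC]),
            "wrapper.sh": b"#!/bin/sh\nexec true\n",     # not an ELF file
        }
        for name, data in fixtures.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return [os.path.basename(p) for p in static_binaries(root)]


if __name__ == "__main__":
    print(demo())    # ['static_tool']
    # On a live system, e.g.: for p in static_binaries("/sbin"): print(p)
```

Run against the directories you ship (on OpenBSD, /bin and /sbin are linked statically) and diff the output between builds: any entry on the list is a binary that a library patch does not fix on its own.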