Bug 247607

Summary: Installations don't include patches
Product: Base System Reporter: Adam Weinberger <adamw>
Component: miscAssignee: FreeBSD Release Engineering <re>
Status: New ---    
Severity: Affects Many People CC: cperciva, lwhsu
Priority: ---    
Version: Unspecified   
Hardware: Any   
OS: Any   

Description Adam Weinberger freebsd_committer freebsd_triage 2020-06-28 05:35:01 UTC 
When FreeBSD is downloaded from the website or installed through normal means, only -RELEASE is included. We want users to have the best experience out-of-the-gate, so we should update the installation media when new patches are released.

It also means that if users want to deploy a jail by extracting base.txz, they have to roll it themselves if I want the patches current.

Clearly it's unreasonable to provide media for every patch, but having two versions available (-RELEASE and the current -pX, defaulting to the -pX) would be a huge benefit to our users and ourselves.

Also, there's no reason for the updates to be atomic. It's reasonable to release patches right away, reroll amd64 shortly after that, and reroll the other archs gradually over the next few days.

Is this idea even feasible? Is this something that re could accomplish?
Comment 1 Adam Weinberger freebsd_committer freebsd_triage 2021-07-24 19:21:48 UTC 
It's been a year since this PR was filed, so this is a ping.

This PR is about distributing fully patched downloads, rather than expecting all installations to run freebsd-update immediately. There's really no common circumstance under which a user would want an unpatched fresh FreeBSD installation.
Comment 2 Colin Percival freebsd_committer freebsd_triage 2021-07-24 19:37:20 UTC 
I think the biggest reason to not do this is signatures -- releases are signed by the release engineer, who isn't necessarily involved with the process of issuing security updates.

It could be done after the fact by "unrolling" tarballs, applying updates, "rerolling" them, and then re-signing the files, but that seems like a lot of work compared to telling users to apply security updates after they install.

(I do have plans to provide pre-patched EC2 images, though, since the speed of getting a new system up and running is more important in cloud platforms.)