OpenBSD Journal

Heads Up! - PostgreSQL upgraded

Contributed by johan on from the fork-over-threads dept.

PostgreSQL has been upgraded. Here are Marc Balmer's (mbalmer@) notes about it...
PostgreSQL users,

Shortly the PostgreSQL port in OpenBSD will be updated from version 8.2.6 to 8.3.1. This is a major update and you have to dump your databases before the update and restore them afterwards.

** DUMP AND RESTORE IS NEEDED **

But there is more to look after: Versions of PostgreSQL prior to 8.3.x had a feature (or bug...) "implicit typecast". Functions that expect an argument to be of a certain type would cast a variable of any other type to the expected type, if possible.

E.g. the function now() returns a date and time, but not a 'text' variable. But an expression like "substr(now(), 1, 5)" was valid, because the result of "now()" was implicitly cast to "::text".

With PostgreSQL 8.3.x, this is no longer the case. Implicit typecasts are gone. You have to explicitly cast to the right type; the above example would have to be written as "substr(now()::text, 1, 5)".

If you make use of functions or use PL/PGSQL, watch out for such constructs.

It is, however, unlikely that you will run into trouble: of the applications simon@ and I looked at, we found only one that was affected by this, and the problem was fixed in about ten minutes.

NB: the update is not yet committed. This is _advance_ information so that you don't forget to dump/restore your databases. See this as a gentle reminder ;P

(The update to 8.3.1 was mostly prepared by simon@ and tested by him and me.)
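
An added example, not part of Marc Balmer's notes or of the OpenBSD port: a heuristic Python check that scans SQL or PL/pgSQL source for the construct described above, a date/time expression passed as the first argument of a text function without an explicit cast. It goes beyond the single `substr(now(), 1, 5)` case to other date/time expressions and text functions; the function list, the names `audit` and `first_argument`, and the sample input are assumptions made for the illustration.

```python
import re
from typing import List, NamedTuple

# Built-in functions whose first parameter is text (a subset; extend as needed).
TEXT_FUNCS = ("substr", "length", "lower", "upper", "ltrim", "rtrim", "btrim", "strpos")
CALL_RE = re.compile(r"\b(%s)\s*\(" % "|".join(TEXT_FUNCS), re.IGNORECASE)

# Expressions that yield a date/time value, never text.
TEMPORAL_RE = re.compile(
    r"(?:now\s*\(\s*\)|clock_timestamp\s*\(\s*\)"
    r"|(?:current_timestamp|current_date|current_time|localtimestamp)\b)",
    re.IGNORECASE,
)
# An explicit cast to a character type anywhere in the argument.
TEXT_CAST_RE = re.compile(r"::\s*(?:text|varchar|char|character)\b", re.IGNORECASE)


class Finding(NamedTuple):
    line: int          # 1-based line of the function call
    function: str      # text function being called
    argument: str      # offending first argument as written
    suggestion: str    # argument with an explicit ::text cast


def first_argument(sql: str, start: int) -> str:
    """Return the first argument of a call; `start` is just past its '('."""
    depth, in_str, i = 0, False, start
    while i < len(sql):
        ch = sql[i]
        if in_str:
            in_str = ch != "'"          # '' toggles off and straight back on
        elif ch == "'":
            in_str = True
        elif ch == "(":
            depth += 1
        elif ch == ")":
            if depth == 0:              # closing paren of the call itself
                break
            depth -= 1
        elif ch == "," and depth == 0:  # end of the first argument
            break
        i += 1
    return sql[start:i].strip()


def audit(sql: str) -> List[Finding]:
    """Flag text-function calls that relied on the pre-8.3 implicit cast."""
    code = re.sub(r"--[^\n]*", "", sql)  # drop line comments, keep newlines
    findings = []
    for m in CALL_RE.finditer(code):
        arg = first_argument(code, m.end())
        # Only arguments that begin with a date/time expression are suspect;
        # to_char(now(), ...) already returns text and is left alone.
        if not TEMPORAL_RE.match(arg) or TEXT_CAST_RE.search(arg):
            continue
        simple = TEMPORAL_RE.fullmatch(arg) is not None
        fixed = f"{arg}::text" if simple else f"({arg})::text"
        line = code.count("\n", 0, m.start()) + 1
        findings.append(Finding(line, m.group(1).lower(), arg, fixed))
    return findings


# Constructed sample input, not taken from any real application.
SAMPLE = """\
CREATE FUNCTION year_prefix() RETURNS text AS $$
BEGIN
    -- worked before 8.3 through the implicit cast
    RETURN substr(now(), 1, 5);
END;
$$ LANGUAGE plpgsql;

SELECT substr(now()::text, 1, 5);              -- already explicit
SELECT substr(current_date, 1, 4);
SELECT upper(to_char(now(), 'Mon'));           -- to_char() returns text
SELECT substr(now() - interval '1 day', 1, 10);
"""

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"line {f.line}: {f.function}({f.argument}, ...) -> use {f.suggestion}")
```

The check is textual, so it only sees literal calls; a column or variable of a date/time type passed to a text function needs a test run against 8.3.x to surface.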



Comments
  1. By Anonymous Coward (85.178.97.73) on

    For which OpenBSD version?
    If it's -current this post is useless or do you run "current" on a DB server?

    Comments
    1. By Mike Erdely (merdely) on http://erdelynet.com/

      > For which OpenBSD version?
      > If it's -current this post is useless or do you run "current" on a DB server?

      Yes. This is for -current. And the update was committed earlier.

      This post may be useless to you because you're not running -current. I imagine it's not useless to those following -current. And it won't be useless to you when you upgrade to 4.4.

      Comments
      1. By Anonymous Coward (85.178.97.73) on

        > > For which OpenBSD version?
        > > If it's -current this post is useless or do you run "current" on a DB server?
        >
        > Yes. This is for -current. And the update was
        >
        > This post may be useless to you because you're not running -current. I imagine it's not useless to those following -current. And it won't be useless to you when you upgrade to 4.4.

        Well, but those following -current may have noticed it anyway, 'cause they should always do a port-update and this would have been pointed out by either the pkg-tools or the ports-system.

        I won't be cynical but this is really news "from" devs "for" devs.
        At least it looks like that. Of course the news is great but hey: A normal admin who may run an OpenBSD server does not get anything.

        And the majority of all admins tend to not use -current (no matter which OS).

        And if I "update" to 4.4 (well 4.3 is not out yet) this headline will be outdated and I may not even remember it anymore. (that's the sick truth)

        More important for me would be some updates for stable (ports f.e.). I set up an OpenBSD on an MS-only company (so the new port related to MS-f00-auth is pretty interesting (yes I do watch what happens in "current")) and they have their "patchdays"... and their routine.

        I just told them to not touch the box ever but running a vuln. apache won't make things look better. :)

        Of course I can compile the PostgreDB, any other port, run current. Yes I can, personally. But the majority of the other guys mostly just can't (lack of knowledge, skills, time).

        Anyway PostgreSQL made a pretty good progress lately and I appreciate the work of the porters (thanks a lot!).

        But in the case where I'm gonna upgrade the DBs this post will be (like for the majority I guess) outdated. :/

        Anyway this post was not intended to flame. I just wanted to show you the sick reality in a world where you don't work just on your *NIX boxes in your "one" company but where you're kind of consulting hopping from one office to another....

        Comments
        1. By sthen (2a01:348:108:155:20a:e4ff:fe2d:99ee) on

          > And the majority of all admins tend to not use -current (no matter which OS).

          Plenty of people seem to run FreeBSD stable, and that's about the most similar thing they have to our -current.

          > And if I "update" to 4.4 (well 4.3 is not out yet) this headline will be outdated and I may not even remember it anymore. (that's the sick truth)

          I would imagine that, since the last major version postgresql update was listed in upgradeXX.html, this will too.

        2. By Marc Espie (213.41.185.88) espie@openbsd.org on

          > I won't be cynical but this is really news "from" devs "for" devs.
          > At least it looks like that. Of course the news is great but hey: A normal admin who may run an OpenBSD server does not get anything.

          > And the majority of all admins tend to not use -current (no matter which OS).

          > And if I "update" to 4.4 (well 4.3 is not out yet) this headline will be outdated and I may not even remember it anymore. (that's the sick truth)

          Woah. If you are *that* badly organized, I don't want you in a sys-admin position anywhere near any resource I might need.

          Yeah, most sys-admins out there are actually sloppy like that. That's the sick truth. That doesn't make it alright.

          If you don't have a log somewhere where you write down this kind of information for later, then you're unprofessional. There is more to good sys-admin than the technical side.

          And yeah, those are strong words. Even flame material. I don't care.

          Comments
          1. By Anonymous Coward (12.24.41.131) on

            > > I won't be cynical but this is really news "from" devs "for" devs.
            > > At least it looks like that. Of course the news is great but hey: A normal admin who may run an OpenBSD server does not get anything.
            >
            > > And the majority of all admins tend to not use -current (no matter which OS).
            >
            > > And if I "update" to 4.4 (well 4.3 is not out yet) this headline will be outdated and I may not even remember it anymore. (that's the sick truth)
            >
            > Woah. If you are *that* badly organized, I don't want you in a sys-admin position anywhere near any resource I might need.
            >
            > Yeah, most sys-admins out there are actually sloppy like that. That's the sick truth. That doesn't make it alright.
            >
            > If you don't have a log somewhere where you write down this kind of information for later, then you're unprofessional. There is more to good sys-admin than the technical side.
            >
            > And yeah, those are strong words. Even flame material. I don't care.

            Why is everyone so damn defensive? I agree on both points and here is why .. if you have a handful of machines it's fine to stay current. I recently ran a lab of 650 machines (mind you it was mixed) but keeping current on say 100+ is a chore. I am all for keeping current, but is there some sort of mechanism for keeping a group of machines current? In my past dealing with a lot of machines it was always better to stay stable and patch one offs rather than trying to keep everything current. I'm just curious... I actually get a kick out of how aggressive these postings are so feel free to roast away... :P

    2. By Marc Balmer (2001:8a8:1001:0:216:76ff:fe72:356c) on

      > For which OpenBSD version?
      > If it's -current this post is useless or do you run "current" on a DB server?

      Yes, -current, as all ports development is done on -current.

      And yes, I run my databases on -current.

    3. By Simon Bertrang (85.182.72.150) simon@ on

      > For which OpenBSD version?

      -current, of course. postgresql 8.3.0 might have been ready before the
      lock but the time wouldn't have been long enough to ensure production readiness.

      > If it's -current this post is useless or do you run "current" on a DB server?

      Useless as in, you don't use -current? Then take this as motivation to do so.
      I'm running -current on most machines... at some point you have to test
      the recent things anyway, and maybe even fix them, too.
      As a side-effect you get all the shiny new features and fixes.

      Now consider more people run -current... it could be more stable and
      perhaps even moving faster, and releases would be way easier to do btw.

    4. By Brad (2001:470:8802:3:216:41ff:fe17:6933) brad at comstyle dot com on

      > For which OpenBSD version?
      > If it's -current this post is useless or do you run "current" on a DB server?

      I run -current everywhere.

      Comments
      1. By Bayu Krisnawan (krisna) krisna@infobsd.org on http://www.infobsd.org

        > > For which OpenBSD version?
        > > If it's -current this post is useless or do you run "current" on a DB server?
        >
        > I run -current everywhere.

        So sometimes your website/database/firewall will go down because of upgrade to new current release.
        Do you have any advice for us to keep our system always up & running. Maybe Load Balancing or something?


        Thanks

        Comments
        1. By Brad (2001:470:8802:3:216:41ff:fe17:6933) brad at comstyle dot com on

          > > I run -current everywhere.
          >
          > So sometimes your website/database/firewall will go down because of upgrade to new current release.
          > Do you have any advice for us to keep our system always up & running. Maybe Load Balancing or something?

          Your website/database/firewall has to go down for upgrades to newer releases too. Your system setup and procedures should be no different whether running releases or -current.

          I have done a lot of work to help maintain -stable src/ports and in the end I found it more of a pain in the ass than just running -current. When you actually understand the system as opposed to following FAQs and such you will understand why. I just feel much more comfortable running -current.

          Comments
          1. By Anonymous Coward (85.178.97.73) on

            > > > I run -current everywhere.
            > >
            > > So sometimes your website/database/firewall will go down because of upgrade to new current release.
            > > Do you have any advice for us to keep our system always up & running. Maybe Load Balancing or something?
            >
            > Your website/database/firewall has to go down for upgrades to newer releases too. Your system setup and procedures should be no different whether running releases or -current.
            >
            > I have done a lot of work to help maintain -stable src/ports and in the end I found it more of a pain in the ass than just running -current. When you actually understand the system as opposed to following FAQs and such you will understand why. I just feel much more comfortable running -current.

            Brad, I accept and like your reply and I agree, but you've to make a neutral analysis:

            If I work alone as Admin or in a little team of like 4 guys maintaining *NIX machines using -current is possible and mostly no problem.

            If you work in a MS-g0ldp4rtn3r company and have to keep some boxes "up and running" the other administrators probably don't know about *NIX in detail nor how to frequently update to the latest snapshot.

            Now you've a critical server (like a deployment system) which runs -stable you'll get no support like Updates (ports?!).

            The whole meaning of -stable became obsolete for OpenBSD because nobody provides updates to -stable (Examples: Ports, Kerberos5 Updates?!, D0S conditions which got fixed in "current" but not backported).

            Well this makes it harder, for me at least, to raise the interest for *NIX in such environments and you've to admit that more users/companies do use Windows and "Nobody" cares about security.

            You care about security and "freedom", I do and others as well but the majority does not care.

            If the developers don't care for -stable anymore then we might should "give a fuck" about stable and CD releases.

            Why not inventing a -stable where everything goes into which is -stable and "-current" is really just the testing branch. No version numbers no nothing..

            The "stable"-branch which is currently providing just isn't anything useful for the "normal" guys. Either you risk to run outdated software on OpenBSD or you risk that your administrators don't update kinda weekly.

            And don't tell me you can't exploit things on OpenBSD 'cause the article about this was just censored away from undeadly. Which also does not look better from a security point of view...

            And even my post will get removed also I'll point the attention to the article which was removed from undeadly for unknown reasons:

            http://neworder.box.sk/newsread.php?newsid=17062


            So what's your opinion brad? Should I follow -current? Do updates for -stable suck? Nothing is perfect and we all have different needs. But it's more a "lets get something done together" except of a "we do it just for our own". Because the 2nd point of view won't open the pockets of too many companies nor people and without money.. well we all know how the world works. Don't we? :)


            I personally will ask, if I documented the project I made, if my company may spend some money since an important part of their infrastructure now bases on OpenBSD. But I can't update to -current each week so I've to live with the risks of getting pwned 'cause nobody maintains -stable... even on OpenBSD. :)

            Comments
            1. By Anonymous Coward (76.250.126.209) on

              The reason that article did not get published is because it is glaringly obvious. There is nothing new in there; these are exactly the issues people have been fixing for many many years. It might be an interesting read for some people interested or new at writing exploits but the news is very very old.

            2. By Marc Espie (213.41.185.88) espi@openbsd.org on

              The main reason that killed -stable for now, paradoxically, is the lack of testing for -current.

              We do not have infinite resources, especially for trying out stuff.

              Even when we ask for people to try out new stuff in -current, we often do not get any response, except for the same core of developers.

              Testing is totally necessary, it's not a lot of fun, but it has to be done.

              If our community does not do it, then we're fucked.

              More specifically, it uses resources up, so we don't have as much time to go on and add new stuff, and work on more cool stuff.

              So, yes, there is a deliberate attempt to get people to use -current, and run with it.

              As a whole community, you can't expect -stable to work correctly if you don't play fair. That is, you have to help in testing -current and reporting issues.

              Since what we get is not enough, we do hope that people will switch to -current for at least some of their machines, and give us more test results.

              If they do, then this frees up valuable developer time. If we don't need to spend as much time making sure -current works, then maybe we'll have enough time to actually work on -stable.

              There are other possibilities, of course. Some independent groups can run patches branches, provide the stuff you would like (but will you trust them ?), or you could donate money to the project. With enough money, we can possibly pay people to work part-time on the project.

              Remember that OpenBSD is volunteer-based ? Theo is the only `full time employee' of the project. All others either make it for the glory, or get money from secondary sources (like, their primary job is based on OpenBSD working correctly, and they get paid by their customers for other reasons).

              Get real. You want more, you have to give out more. Complaining here won't help. Just because you ask for things doesn't mean I suddenly have 48 hours per day to spend on OpenBSD...

              Comments
              1. By Anonymous Coward (66.230.230.230) on

                > The main reason that killed -stable for now, paradoxically, is the lack of testing for -current.
                >
                > We do not have infinite resources, especially for trying out stuff.
                >
                > Even when we ask for people to try out new stuff in -current, we often do not get any response, except for the same core of developers.
                >
                > Testing is totally necessary, it's not a lot of fun, but it has to be done.
                >
                > If our community does not do it, then we're fucked.
                >
                > More specifically, it uses resources up, so we don't have as much time to go on and add new stuff, and work on more cool stuff.
                >
                > So, yes, there is a deliberate attempt to get people to use -current, and run with it.
                >
                > As a whole community, you can't expect -stable to work correctly if you don't play fair. That is, you have to help in testing -current and reporting issues.
                >
                > Since what we get is not enough, we do hope that people will switch to -current for at least some of their machines, and give us more test results.
                >
                > If they do, then this frees up valuable developer time. If we don't need to spend as much time making sure -current works, then maybe we'll have enough time to actually work on -stable.
                >
                > There are other possibilities, of course. Some independent groups can run patches branches, provide the stuff you would like (but will you trust them ?), or you could donate money to the project. With enough money, we can possibly pay people to work part-time on the project.
                >
                > Remember that OpenBSD is volunteer-based ? Theo is the only `full time employee' of the project. All others either make it for the glory, or get money from secondary sources (like, their primary job is based on OpenBSD working correctly, and they get paid by their customers for other reasons).
                >
                > Get real. You want more, you have to give out more. Complaining here won't help. Just because you ask for things doesn't mean I suddenly have 48 hours per day to spend on OpenBSD...
                >

                I had no clue that the situation is that "bad". :-/

                Gonna ask my company to make some donations and hopefully those guys will do it. :)

            3. By Mike Erdely (merdely) on http://erdelynet.com/

              > And don't tell me you can't exploit things on OpenBSD 'cause the
              > article about this was just censored away from undeadly. Which also
              > does not look better from a security point of view...
              >
              > And even my post will get removed also I'll point the attention to
              > the article which was removed from undeadly for unknown reasons:
              >
              > http://neworder.box.sk/newsread.php?newsid=17062

              I definitely regret publishing that article. We thought it might spark some discussion, but it was quickly pointed out to us that all the article does is spread FUD. It was irresponsible on our part to publish it and that's why we, the editors, decided to take it down. Nobody censored anything.

              Comments
              1. By Richard Toohey (203.167.190.49) richardtoohey@hotmail.com on

                It might have been better to update the article (rather than making it vanish) saying that you were cleaning it for the reasons given.

                (I did wonder why it had gone when I saw references to it, but it didn't keep me awake.)

                That might have kept the conspiracy theories to a minimum - but guess there would still have been some whinging.

                But of course then the people who saw the updated/purged/cleaned article would complain that was censorship.

                Can't please everyone all the time.

                And what has this got to do with PostgreSQL 8.3.1? 8-)

            4. By Marc Espie (213.41.185.88) espie@openbsd.org on


              > And don't tell me you can't exploit things on OpenBSD 'cause the article about this was just censored away from undeadly. Which also does not look better from a security point of view...

              > And even my post will get removed also I'll point the attention to the article which was removed from undeadly for unknown reasons:

              > http://neworder.box.sk/newsread.php?newsid=17062

              As Mike Erdely said, this article was removed because it is FUD.

              There is a big slant in the article: it presents what it does as if it is a concrete exploit. Well, it's not. If you read carefully, the author writes a small server with a flaw in it, then shows how to use that daemon to enter into his own system.

              Technically, what's actually going on is that the author shows that a lot of the security failsafes built into OpenBSD can be circumvented under specific circumstances in a specific scenario.

              Let me stress this again: there is no actual exploit in there. Just some elegant techniques that *could* lead to an exploit assuming you find some bug of a specific class.

              To anyone who really understands security, there is nothing shocking, nor particularly new in that article.

              This is the `defense in depth' concept. The *only* secure system is the perfect, flawless system. On real systems, there are bugs. A security hole happens when an attacker finds a sequence of misbehaviors that can be exploited. All OpenBSD does is try real hard to have way fewer bugs than other systems, and to make it unusually hard to exploit sequences of misbehaviors. Also, there's the `pro-active' approach: we don't wait until bugs are proved to be exploitable to close the gaps. On the other hand, we don't like to cry wolf. Publishing patches to stable each time a minor bug is found would be counter-productive.

              I could go on and on. Real security is complex. You can't have black&white answers...

              You also have the full disclosure dilemma: if you publish a bug fix that covers a specific hole, you may be helping pirates finding out about that hole, and let unpatched systems be rooted. Timing is difficult.

  2. By niallo (69.12.154.240) niallo@niallohiggins.com on http://niallohiggins.com

    I've been using the PostgreSQL port on -current very heavily recently and appreciate the update to 8.3. Thanks for doing the hard work guys! I'm looking forward to trying this new version.

  3. By corey (208.191.177.19) mxntrpic at swbell dot net on

    Interesting discussion.

    I never have followed -current on OpenBSD before, and have been using it since 2.7 I think. I just buy the CDs and wait until they arrive -- with the occasional interim patch applied manually per the instructions. (On a side note: lessee, type 4 or 5 commands and move 1 or 2 files into place, or let Windows Update download and install 30 meg of crap, reboot the machine and not tell me anything about what it is doing? Did I tell you I _really_ like OpenBSD?).

    I don't use many of the ports on the machines I run now, as they are all firewalls. But I want to bring up some boxes in different roles -- DB server, mail server, web server, maybe even a part-time desktop -- so I will be using more ports, and "freshness" of the software will become more of an issue. I don't fault the project at all for their stance on developing for -current; I know what my own time constraints are, and I'm not hacking on OpenBSD myself, so I have no right to complain. Rather, I'm comforted to hear that many run -current in production situations, and it must not be all that hard, given as many people as there are doing it (but then again, they may all be OpenBSD uber-hackers). I guess I'll be Googling over the next few days to get some best practices on staying -current.

    Many thanks to those who do devote their time to the project.

    Comments
    1. By Marc Balmer (2001:8a8:1001:0:216:76ff:fe72:356c) on http://www.msys.ch/

      > Interesting discussion.
      >
      > I never have followed -current on OpenBSD before, and have been using it since 2.7 I think. I just buy the CDs and wait until they arrive -- with the occasional interim patch applied manually per the instructions. (On a side note: lessee, type 4 or 5 commands and move 1 or 2 files into place, or let Windows Update download and install 30 meg of crap, reboot the machine and not tell me anything about what it is doing? Did I tell you I _really_ like OpenBSD?).
      >
      > I don't use many of the ports on the machines I run now, as they are all firewalls. But I want to bring up some boxes in different roles -- DB server, mail server, web server, maybe even a part-time desktop -- so I will be using more ports, and "freshness" of the software will become more of an issue. I don't fault the project at all for their stance on developing for -current; I know what my own time constraints are, and I'm not hacking on OpenBSD myself, so I have no right to complain. Rather, I'm comforted to hear that many run -current in production situations, and it must not be all that hard, given as many people as there are doing it (but then again, they may all be OpenBSD uber-hackers). I guess I'll be Googling over the next few days to get some best practices on staying -current.
      >
      > Many thanks to those who do devote their time to the project.

      As an outsourcing company that runs IT infrastructures for customers (using OpenBSD), we found a good mix of -current vs. -stable that works nicely for us:

      - We run all of our own infrastructure on -current, so we catch problems early (we update all machines roughly once per month)

      - Our customers' infrastructure we run on -stable, to not always have to update. As we have our own build infrastructure, we are quite free to build newer versions of packages or apply updates/fixes as we need. We try to avoid major updates during the 6-month cycle. All these customer machines pull their packages from a central package repo.

      That works quite well.


      Comments
      1. By Anonymous Coward (66.230.230.230) on

        > > Interesting discussion.
        > >
        > > I never have followed -current on OpenBSD before, and have been using it since 2.7 I think. I just buy the CDs and wait until they arrive -- with the occasional interim patch applied manually per the instructions. (On a side note: lessee, type 4 or 5 commands and move 1 or 2 files into place, or let Windows Update download and install 30 meg of crap, reboot the machine and not tell me anything about what it is doing? Did I tell you I _really_ like OpenBSD?).
        > >
        > > I don't use many of the ports on the machines I run now, as they are all firewalls. But I want to bring up some boxes in different roles -- DB server, mail server, web server, maybe even a part-time desktop -- so I will be using more ports, and "freshness" of the software will become more of an issue. I don't fault the project at all for their stance on developing for -current; I know what my own time constraints are, and I'm not hacking on OpenBSD myself, so I have no right to complain. Rather, I'm comforted to hear that many run -current in production situations, and it must not be all that hard, given as many people as there are doing it (but then again, they may all be OpenBSD uber-hackers). I guess I'll be Googling over the next few days to get some best practices on staying -current.
        > >
        > > Many thanks to those who do devote their time to the project.
        >
        > As an outsourcing company that runs IT infrastructures for customers (using OpenBSD), we found a good mix of -current vs. -stable that works nicely for us:
        >
        > - We run all of our own infrastructure on -current, so we catch problems early (we update all machines roughly once per month)
        >
        > - Our customers' infrastructure we run on -stable, to not always have to update. As we have our own build infrastructure, we are quite free to build newer versions of packages or apply updates/fixes as we need. We try to avoid major updates during the 6-month cycle. All these customer machines pull their packages from a central package repo.
        >
        > That works quite well.

        Do you use a rdistd to keep all boxes "current" or do you really move to each box and insert a cd?

        I, for now, had always the problem that updating things cost time. :-/

        Comments
        1. By Marc Balmer (2001:8a8:1001:0:216:76ff:fe72:356c) on


          > Do you use a rdistd to keep all boxes "current" or do you realy move to each box and insert a cd?

          of course we do all this from remote.

          > I, for now, had always the problem that updating things cost time. :-/

          there ain't no free lunch.

  4. By Anonymous Coward (85.233.228.239) on

    This is an example on why we don't use OpenBSD on our production servers even though we would very much like to.

    "This is a major update and you have to dump your databases before update and restore them afterwards."

    We need something like the way Debian stable does it where there is also only security upgrades available so that it is possible to patch/upgrade a package without having to fear a change in setup.

    If a security release demands an upgrade the Debian security team makes their own patched binary so that stable stays stable without any version upgrade.

    If we need a security fix for a certain package and that demands that an upgrade from version x to version y, but that at the same time demands a change in functionality, setup and data structure, then this is a major problem in production.

    Comments
    1. By phessler (phessler) on first undead, then not, then undead again.

      > This is an example on why we don't use OpenBSD on our production servers even though we would very much like to.
      >
      > "This is a major update and you have to dump your databases before update and restore them afterwards."
      >
      > We need something like the way Debian stable does it where there is also only security upgrades available so that it is possible to patch/upgrade a package without having to fear a change in setup.
      >
      > If a security release demands an upgrade the Debian security team makes their own patched binary so that stable stays stable without any version upgrade.
      >
      > If we need a security fix for a certain package and that demands that an upgrade from version x to version y, but that at the same time demands a change in functionality, setup and data structure, then this is a major problem in production.
      >

      debian does it EXACTLY THE SAME WAY. This is on -current. Debian -current does large jumps too.

      again, this is *not* for stable. at some point, your debian machine will need the above upgrade, likely when you cross major versions.

    2. By Marc Espie (213.41.185.88) espie@openbsd.org on


      > If a security release demands an upgrade the Debian security team makes their own patched binary so that stable stays stable without any version upgrade.

      You're dense.

      What part of `we don't have the human resources to do everything we would like' did you not get ?

      Comments
      1. By Anonymous Coward (85.233.230.50) on

        >
        > > If a security release demands an upgrade the Debian security team makes their own patched binary so that stable stays stable without any version upgrade.
        >
        > You're dense.
        >
        > What part of `we don't have the human resources to do everything we would like' did you not get ?

        I got it, that's why I said we use Debian in production and not OpenBSD even though we would very much like to.

        What is less fortunate is that the financial support goes where the solution lies.

    3. By Marc Balmer (2001:8a8:1001:0:216:76ff:fe72:356c) on

      > This is an example on why we don't use OpenBSD on our production servers even though we would very much like to.
      >
      > "This is a major update and you have to dump your databases before update and restore them afterwards."
      >
      > We need something like the way Debian stable does it where there are also only security upgrades available so that it is possible to patch/upgrade a package without having to fear a change in setup.
      >
      > If a security release demands an upgrade the Debian security team makes their own patched binary so that stable stays stable without any version upgrade.
      >
      > If we need a security fix for a certain package and that demands an upgrade from version x to version y, but that at the same time demands a change in functionality, setup and data structure, then this is a major problem in production.
      >

      This has nothing to do with OpenBSD or Debian. PostgreSQL advanced and their format is not compatible.

      I am, however, man enough to do a dump and restore... Five minutes for months worth of new features.

      Comments
      1. By Anonymous Coward (85.233.230.50) on

        > > This is an example on why we don't use OpenBSD on our production servers even though we would very much like to.
        > >
        > > "This is a major update and you have to dump your databases before update and restore them afterwards."
        > >
        > > We need something like the way Debian stable does it where there are also only security upgrades available so that it is possible to patch/upgrade a package without having to fear a change in setup.
        > >
        > > If a security release demands an upgrade the Debian security team makes their own patched binary so that stable stays stable without any version upgrade.
        > >
        > > If we need a security fix for a certain package and that demands an upgrade from version x to version y, but that at the same time demands a change in functionality, setup and data structure, then this is a major problem in production.
        > >
        >
        > This has nothing to do with OpenBSD or Debian. PostgreSQL advanced and their format is not compatible.
        >
        > I am, however, man enough to do a dump and restore... Five minutes for months worth of new features.
        >

        This has nothing to do about being a man enough. Production servers just can break in any way.

        Comments
        1. By Anonymous Coward (83.227.8.240) on


          > This has nothing to do about being a man enough. Production servers just can break in any way.
          >

          Didn't you read what Marc wrote? Please understand that this specific change is a PostgreSQL change. It would have been needed on your production Debian servers as well.

  5. By Anonymous Coward (24.91.188.72) on

    A couple questions to those who have real life experience running -current in production:

    (1) how often does it actually break?

    By "break" I mean, for example, some common userland utility from base segfaulting, or a common package starting to misbehave because of a change in base.

    (2) what happens if something in /etc needs to be manually updated? In other words, how do I keep track of that? Do I get an etc.tgz from a snapshot and compare it against the etc.tgz from a previous snapshot? Do I have to follow the developers list? Or should I just look at the CVS commit log?

    I never thought about running -current in production, but this thread made me seriously consider the idea. Many thanks to the developers who elaborated on this above.

    Comments
    1. By sthen (2a01:348:108:155:20a:e4ff:fe2d:99ee) on

      > A couple questions to those who have real life experience running -current in production:
      >
      > (1) how often does it actually break?
      >
      > By "break" I mean, for example, some common userland utility from base segfaulting, or a common package starting to misbehave because of a change in base.

      Very rarely, and it tends to get noticed quickly.

      > (2) what happens if something in /etc needs to be manually updated? In other words, how do I keep track of that? Do I get an etc.tgz from a snapshot and compare it against the etc.tgz from a previous snapshot?

      Using mergemaster is probably simplest. You can use it against a snapshot etc*.tgz but I think it's easier/quicker to use it against a cvs up'd source tree.

      > Do I have to follow the developers list? Or should I just look at the CVS commit log?

      You should look at the commit log if you run current, it will give you an idea as to whether any changes are in areas that you might notice (sometimes you might want to hold off until something has seen more testing), and sometimes the commit messages give clues you'll be thankful for.

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]