Date:      Wed, 23 Jan 2002 13:26:47 -0500
From:      Beth Reid <breid@cyberguard.com>
To:        "'freebsd-binup@freebsd.org'" <freebsd-binup@freebsd.org>
Subject:   FW: FreeBSD nonkernel patches/packages
Message-ID:  <F767BDFE817ED411A32100D0B7694A9FAD1BCB@mail.cybg.com>

-----Original Message-----
From: Jacques A. Vidrine [mailto:n@nectar.cc]
Sent: Wednesday, January 23, 2002 1:17 PM
To: Beth Reid
Cc: 'security-officer@FreeBSD.org'
Subject: Re: FreeBSD nonkernel patches/packages


Hello Beth,

Many of the questions you ask here will probably be better answered in
another forum such as freebsd-hackers@freebsd.org.  You are seeking
understanding of the FreeBSD build process, and of the package
creation process, and these are not specific to security.

On Wed, Jan 23, 2002 at 01:02:34PM -0500, Beth Reid wrote:
> Hi
> 
> I have a few questions regarding non-kernel FreeBSD patch distribution.  Any
> information is really appreciated.  If all of this is documented somewhere,
> I would be happy to do the research if someone could point me to the
> document. 
> 
> 1 ) If I produced a product based on FreeBSD 4.3, how would my customers get
> the patches?
>
> I can see there was a binary distribution of the patches using pkg_add.
> This seems to work very nicely in distributing patches to customers.
> However, this process seemed to change with the openssh patch 01:63.  The
> binary distribution was for FreeBSD 4.4 only.  How does one ship a binary
> installation of that patch to their customers who are running 4.3?  (Same
> goes for patches 02:01 and 02:02.)  The customer's system does not have
> source. :-/

As noted in the advisory, the binary patches are an experimental
delivery mechanism.  You could certainly duplicate this experiment
yourself.
 
> 2)  Do you provide a mechanism where I can create my own binary
> installations using pkg_add?
> 
> It seems I can use pkg_create.  That seems to work fine, but can I get more
> information on the packinglist file and what items to ship with each
> distribution?  
>
> I can create a very simple packinglist such as this for the 02:02 pw patch.
[snip]
> Or the following for the 01:63 sshd patch:
[snip]

Yes, that is essentially how it is done.

> However, when I looked at the binary distribution for the sshd patch that is
> available for FreeBSD 4.4, it included several shippables such as scp,
> ssh_add, ssh-agent, ssh_keygen, sftp.... and all of the man pages).  This
> didn't seem necessary since the only file that was changed was session.c.
> Was this done simply to reship the entire ssh product or did this package
> just include everything that the make install would have rebuilt?

The last released sshd patch included only `sshd', not the items you
note above.  Probably you are thinking about the OpenSSH /ports/.  We
do not provide binary patches for ports.  Rather, users are instructed
to update to new packages, and these packages are indeed complete.
 
> 3) What about patches that patch libraries which impact several executables?
>
> 
> If there is a patch that patches a library (similar to the old 01:40) patch,
> how do you know which commands that it would impact and which to include in
> the binary package?  

It depends.  If one patches libc, one would have to also patch all
statically linked executables for example.   Library dependencies are
documented primarily in the Makefiles for FreeBSD.

> Would it be documented in the README?

What README?
 
> I suppose the long and short of it is, if I am creating my own binary
> installations, how can I be sure what to include in the tarballs.  Do I have
> to rely on combining information from the Readme, .patch file, and Makefile
> as a guide?

Yes.  In our advisories for the base system, we now try to include all
the revisions and source files [1].  You will have to derive what
binaries are affected from that.

Cheers,
-- 
Jacques A. Vidrine <n@nectar.cc>                 http://www.nectar.cc/
NTT/Verio SME          .     FreeBSD UNIX     .       Heimdal Kerberos
jvidrine@verio.net     .  nectar@FreeBSD.org  .          nectar@kth.se

[1] In the `Correction details' section.
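The question of which commands a library patch reaches (the libc answer above) can be settled from the shipped binaries themselves. The block below is an added example, not code from this mail or from the FreeBSD project: it reads the ELF program headers and the PT_DYNAMIC entries directly instead of calling ldd or file(1), handles ELF64 little-endian images only, and the images it is exercised on are constructed inside the block (assumed sample library and path names), not real system files.

```python
import struct

PT_LOAD, PT_DYNAMIC, DT_NULL, DT_NEEDED, DT_STRTAB = 1, 2, 0, 1, 5
PHDR = "<IIQQQQQQ"  # Elf64_Phdr: type, flags, offset, vaddr, paddr, filesz, memsz, align

def elf_needed(data):
    """Return (is_static, [DT_NEEDED names]) for an ELF64 little-endian image."""
    if data[:6] != b"\x7fELF\x02\x01":
        raise ValueError("not an ELF64 little-endian image")
    phoff, (phentsize, phnum) = struct.unpack_from("<Q", data, 32)[0], struct.unpack_from("<HH", data, 54)
    loads, dyn = [], None
    for i in range(phnum):
        p_type, _, off, va, _, size, _, _ = struct.unpack_from(PHDR, data, phoff + i * phentsize)
        if p_type == PT_LOAD:
            loads.append((va, off, size))
        elif p_type == PT_DYNAMIC:
            dyn = (off, size)
    if dyn is None:  # no PT_DYNAMIC: statically linked, every library it used is baked in
        return True, []
    ents = [struct.unpack_from("<qQ", data, dyn[0] + 16 * k) for k in range(dyn[1] // 16)]
    ents = ents[:[t for t, _ in ents].index(DT_NULL)]  # DT_NULL terminates the table
    va = next(v for t, v in ents if t == DT_STRTAB)
    seg = next(s for s in loads if s[0] <= va < s[0] + s[2])  # PT_LOAD that maps the strtab
    base = seg[1] + va - seg[0]  # DT_STRTAB is a virtual address; turn it into a file offset
    return False, [data[base + v:data.index(b"\0", base + v)].decode() for t, v in ents if t == DT_NEEDED]

def affected_by(images, library):
    """images: {path: bytes}. Binaries a patch to `library` reaches: dynamic ones that DT_NEED it, every static one."""
    report = {}
    for path, data in images.items():
        static, needed = elf_needed(data)
        if static or library in needed:  # static copies cannot be told apart, so they are all relink candidates
            report[path] = "static: relink and reship" if static else "dynamic: needs " + library
    return report

def build_sample(needed):
    """Constructed test image (not a runnable program): one PT_LOAD at vaddr 0, plus PT_DYNAMIC if `needed`."""
    strtab = b"\0" + b"".join(n.encode() + b"\0" for n in needed)
    phnum = 2 if needed else 1
    strtab_off = 64 + 56 * phnum
    dyn_off = (strtab_off + len(strtab) + 7) & ~7
    dyn = b"".join(struct.pack("<qQ", DT_NEEDED, strtab.index(b"\0" + n.encode() + b"\0") + 1) for n in needed)
    dyn += struct.pack("<qQ", DT_STRTAB, strtab_off) + struct.pack("<qQ", DT_NULL, 0)
    total = dyn_off + len(dyn)
    phdrs = struct.pack(PHDR, PT_LOAD, 5, 0, 0, 0, total, total, 0x1000) + (
        struct.pack(PHDR, PT_DYNAMIC, 6, dyn_off, dyn_off, dyn_off, len(dyn), len(dyn), 8) if needed else b"")
    ehdr = b"\x7fELF\x02\x01\x01\x09" + bytes(8) + struct.pack(
        "<HHIQQQIHHHHHH", 2, 0x3E, 1, 0, 64, 0, 0, 64, 56, phnum, 64, 0, 0)
    img = ehdr + phdrs + strtab
    return img + bytes(dyn_off - len(img)) + dyn
```

Run it over the binaries a package would ship (read each file into `images`) and compare the report against the packing list: anything reported but not listed is a gap in the patch.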
