Date: Thu, 11 Nov 2004 02:30:46 +0800 From: Xin LI <delphij@frontfree.net> To: Julian Elischer <julian@elischer.org> Cc: freebsd-security@freebsd.org Subject: Re: Is there any way to know if userland is patched? Message-ID: <20041110183046.GA3518@frontfree.net> In-Reply-To: <4192539C.6040403@elischer.org> References: <20041110173511.GA2940@frontfree.net> <4192539C.6040403@elischer.org>
next in thread | previous in thread | raw e-mail | index | archive | help
--rwEMma7ioTxnRzrJ Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Hi, Julian, On Wed, Nov 10, 2004 at 09:45:00AM -0800, Julian Elischer wrote: > X-Sieve: CMU Sieve 2.2 > Date: Wed, 10 Nov 2004 09:45:00 -0800 > From: Julian Elischer <julian@elischer.org> > User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.8a3) Gecko/200= 41017 > X-Accept-Language: en, hu > To: Xin LI <delphij@frontfree.net> > Cc: freebsd-hackers@freebsd.org, freebsd-security@freebsd.org > Subject: Re: Is there any way to know if userland is patched? > In-Reply-To: <20041110173511.GA2940@frontfree.net> > X-Virus-Scanned: by amavisd-new at frontfree.net >=20 > Xin LI wrote: [snip] > I upgrade systems by creating packages which contain all upgraded files > I have a set of makefiles etc. checked into my local CVS tree that check = out > a freeBSD tree at a given revision and build it (withlocal patches added) > and then extracts out fies according to a list I supply. On completion I= =20 > check the list in too, so I can theoretically recreate that patch.. Hmm... Thanks for the comments. That's somewhat like the way I am current= ly using at company. We maintain a local CVS tree with a subset of ports/ tree as well as src/ tree containing some of our local changes. The tree is has several frozen branches that is maintained by a small group of staff, they make packages for the upgrades. For me, I think it might be beneficial if we can keep track of system patch= level in some other way that can be easily detected, so some ``guardian'' scripts would be easier to create. I have an idea that is somewhat too complex to be included in FreeBSD - we maintain a ``master'' patchlevel, and two patchlevels indicating the least ``master'' patchlevel that touches kernel or userland. It might be somethi= ng like this: Master | Userland | Kernel =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D+= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D+=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D 4.10-RELEASE | 4.10-RELEASE | 4.10-RELEASE 4.10-RELEASE-p1 | 4.10-RELEASE | 4.10-RELEASE-p1 4.10-RELEASE-p2 | 4.10-RELEASE | 4.10-RELEASE-p2 4.10-RELEASE-p3 | 4.10-RELEASE-p3 | 4.10-RELEASE-p2 And propograte it somewhere. This is somewhat complex as the security offi= cer must bump two version when he is doing a security update and I'm not sure w= hether this is beneficial enough so I hesitate to proposal a patch of this, as I f= ound that Colin has a simpler solution in his excellent freebsd-update program, = which tracks binary changes by checking $FreeBSD$ changes. While this is sometim= es not enough to detect every changes, but it requires less human interactions. Cheers, --=20 Xin LI <delphij frontfree net> http://www.delphij.net/ See complete headers for GPG key and other information. --rwEMma7ioTxnRzrJ Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.6 (FreeBSD) iD8DBQFBkl5W/cVsHxFZiIoRAg3XAKCFC20RJQ3FN0BTvZrI1t+QPI4zmwCfex+q Ljs+8h9tdR1gEta0ejXDD9g= =u/p+ -----END PGP SIGNATURE----- --rwEMma7ioTxnRzrJ--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20041110183046.GA3518>