Date:      Tue, 24 Apr 2001 19:08:51 +0200
From:      "Karsten W. Rohrbach" <karsten@rohrbach.de>
To:        Kris Kennaway <kris@obsecurity.org>
Cc:        netch@segfault.kiev.ua, Rasputin <rara.rasputin@virgin.net>, freebsd-security@FreeBSD.ORG
Subject:   Re: Security Announcements & Incremental Patches
Message-ID:  <20010424190851.K1191@mail.webmonster.de>
In-Reply-To: <20010422194329.A23392@xor.obsecurity.org>; from kris@obsecurity.org on Sun, Apr 22, 2001 at 07:43:29PM -0700
References:  <bulk.49307.20010411114848@hub.freebsd.org> <Pine.BSF.4.21.0104111214510.52823-100000@roble.com> <20010412105356.A88231@dogma.freebsd-uk.eu.org> <20010422202144.A313@iv.nn.kiev.ua> <20010422194329.A23392@xor.obsecurity.org>

Kris Kennaway(kris@obsecurity.org)@2001.04.22 19:43:29 +0000:
> On Sun, Apr 22, 2001 at 08:21:44PM +0300, Valentin Nechayev wrote:
> 
> > It is quite simple for any qualified FreeBSD admin, including FreeBSD
> > FTP site team, to make patched binaries for all supported releases for
> > any security advisory and put them for free download for such admins who
> > have bad compiling skills; but it is not provided now, and anyone should
> 
> No, it's not simple.  You have to make sure you include all
> dependencies of the change, everything the change depends on
> (e.g. libraries with changes that are required by the updated
> utility), and you have to test it in a variety of environments to make
> sure it works as expected.  It's relatively simple to make a package
> from random pieces, it's quite difficult to test it and make sure that
> it works.
that said, it sounds more reasonable than the approach of some
"vendors", "fixing" software and releasing it mostly untested.
mostly the software gets pushed into the field without extensive testing
and the user feedback may be taken as a basis for debugging the newly
introduced "features" ;-)

> 
> More to the point, it takes additional time, which is always the most
> scarce resource in volunteer projects.  Are you willing to help test
> binary security packages by reinstalling your system to a clean
> installation of 4.3-RELEASE, then applying and testing the package?
the problem with testing security relevant fixes is that you have to
conduct the test in a production environment. a clean room test setup
will lead to nothing better than you could achieve by simply reading the
code of the fixes... the problem is to recruit as many experienced
admins who are really into server operations and know a lot about the
bsd intrinsics and who are willing to test the fixes on their machines in
the field. on the other hand, those machines you want to test the
patches on have to be out-of-the-box installations with not many
customizations. i do not think that there are a lot of those boxes
available since nearly every bigger organization creates their inhouse
releases and/or customizes the base system by removing whole subsystems
(like sendmail etc.) and running something different. so a lot of my
freebsd installations go a "nonstandard" way in terms of system
configuration, so binary fixes probably will not be 100% reliable to
apply.

> 
> Having said this, the RELENG_4_3 release branch is a step towards
> allowing us to do this (since it's a known, constant base which is
> expected to have few changes and therefore easy to manage
> dependencies); there's the possibility of generating binary packages
> for users of -RELEASE versions of FreeBSD starting with 4.3 only.
definitely.

> 
> Kris

cheers,
/k


-- 
> yes, i'm writing all lowercase. that's a fact.
KR433/KR11-RIPE -- http://www.webmonster.de -- ftp://ftp.webmonster.de
[Key] [KeyID---] [Created-] [Fingerprint-------------------------------------]
GnuPG 0x2964BF46 2001-03-15 42F9 9FFF 50D4 2F38 DBEE  DF22 3340 4F4E 2964 BF46
