From owner-freebsd-security  Fri May 12  9:40:12 2000
Delivered-To: freebsd-security@freebsd.org
Received: from fledge.watson.org (fledge.watson.org [204.156.12.50])
	by hub.freebsd.org (Postfix) with ESMTP id 1E60337B5EB
	for <freebsd-security@FreeBSD.ORG>; Fri, 12 May 2000 09:40:10 -0700 (PDT)
	(envelope-from robert@cyrus.watson.org)
Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3])
	by fledge.watson.org (8.9.3/8.9.3) with SMTP id MAA48513;
	Fri, 12 May 2000 12:40:05 -0400 (EDT)
	(envelope-from robert@cyrus.watson.org)
Date: Fri, 12 May 2000 12:40:04 -0400 (EDT)
From: Robert Watson <rwatson@FreeBSD.ORG>
X-Sender: robert@fledge.watson.org
To: Derek Werthmuller <dwerthmu@ctg.albany.edu>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Applying patches with out a compiler
In-Reply-To: <7A71D0D43B9ED1119EC10008C756C3042F76FB@ctg-nt.ctg.albany.edu>
Message-ID: <Pine.NEB.3.96L.1000512123717.44824A-100000@fledge.watson.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, 11 May 2000, Derek Werthmuller wrote:

> I'm interested in applying standard "Release" versions of FreeBSD with out
> using a compiler in the system.  I generaly don't advise leaving a working
> compiler in say a firewall or a hardened system.  I know that I can have a
> seperate system that I can use to connect via CVS and use that to update the
> hardened systems. But doesn't that just keep my sources up to date and I
> still need to build/build world every so often?   Is there another way to
> apply the security related patches ?

For patches where it's appropriate, I've been strongly considering
releasing "packages" that update the key parts of the base OS for security
fixes.  This would be similar to the BSD/OS patch level support for fixes,
although restricted only to security stuff.  This would provide access to
security fixes for non-source-centric sites, which I think is important. 
With 4.0 I haven't had the opportunity to exercise this possibility as
yet. :-)

I.e., 

  pkg_add secpatch_4.0-RELEASE_001.tgz

Would replace the faulty binaries with better ones, and leave behind a
package install record so you could easily determine which security
patches are installed.  And if appropriate, could back up the original
binaries allowing pkg_delete to restore the original state.

Any thoughts on this?

  Robert N M Watson 

robert@fledge.watson.org              http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37  ED 5F 55 E9 58 04 6A B1
TIS Labs at Network Associates, Safeport Network Services



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message