From owner-freebsd-security Fri May 12 9:58:52 2000
Delivered-To: freebsd-security@freebsd.org
Received: from giganda.komkon.org (giganda.komkon.org [209.125.17.66])
        by hub.freebsd.org (Postfix) with ESMTP
        id 4D02237BF75; Fri, 12 May 2000 09:58:44 -0700 (PDT)
        (envelope-from str@giganda.komkon.org)
Received: (from str@localhost)
        by giganda.komkon.org (8.9.3/8.9.3) id MAA86229;
        Fri, 12 May 2000 12:58:42 -0400 (EDT)
From: Igor Roshchin
Message-Id: <200005121658.MAA86229@giganda.komkon.org>
Subject: Re: Applying patches with out a compiler
In-Reply-To: from "Robert Watson" at "May 12, 2000 12:40:04 pm"
To: "Robert Watson"
Date: Fri, 12 May 2000 12:58:42 -0400 (EDT)
Cc: freebsd-security@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL61 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>
> For patches where it's appropriate, I've been strongly considering
> releasing "packages" that update the key parts of the base OS for security
> fixes. This would be similar to the BSD/OS patch level support for fixes,
> although restricted only to security stuff. This would provide access to
> security fixes for non-source-centric sites, which I think is important.
> With 4.0 I haven't had the opportunity to exercise this possibility as
> yet. :-)
>
> I.e.,
>
> pkg_add secpatch_4.0-RELEASE_001.tgz
>
> Would replace the faulty binaries with better ones, and leave behind a
> package install record so you could easily determine which security
> patches are installed. And if appropriate, could back up the original
> binaries allowing pkg_delete to restore the original state.
>
> Any thoughts on this?
>
> Robert N M Watson
>

That would be very useful for the production environment,
as well as for the low-end computers, or just computers with limited resources.

Igor