From owner-freebsd-security Fri May 12 12: 1:32 2000
Delivered-To: freebsd-security@freebsd.org
Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id BB3B737B715 for ; Fri, 12 May 2000 12:01:25 -0700 (PDT) (envelope-from robert@cyrus.watson.org)
Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.9.3/8.9.3) with SMTP id PAA49430; Fri, 12 May 2000 15:00:47 -0400 (EDT) (envelope-from robert@cyrus.watson.org)
Date: Fri, 12 May 2000 15:00:47 -0400 (EDT)
From: Robert Watson
X-Sender: robert@fledge.watson.org
To: Igor Roshchin
Cc: David Pick , freebsd-security@FreeBSD.ORG
Subject: Re: Applying patches with out a compiler
In-Reply-To: <200005121852.OAA89027@giganda.komkon.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

One of the simplifying assumptions here that makes the whole idea of binary security updates feasible is that you are working from a well-known code base. The service I'm willing to provide (and have time to provide) would specifically target the most recent -RELEASE version, and be intended to apply on an otherwise un-modified system. I would provide both KerberosIV and non-Kerberos versions, as I support Kerberos on some of my own machines; however, if it's going to get any more complicated than that, I don't have time to implement it, but would be glad for someone else to pick up the project.

My thoughts on dependencies, et al, have been:

1) Binary patches will only be available against the most recent -RELEASE
2) Binary patch packages will depend on all prior binary patches being installed
3) Source patches used to build the binary patched version seem like a good idea.

All of this is centered on requiring a very well-defined environment, in which the patch will not break other patches installed, introduce new holes, et al.
As I said above, anything more complicated requires rethinking, and should be done in the context of source revision control, etc. This addresses only security concerns; if we want sliding version management in a binary manner across -STABLE, that's another target for another project :-).

Robert N M Watson

robert@fledge.watson.org http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1
TIS Labs at Network Associates, Safeport Network Services