Date: Fri, 12 May 2000 14:15:26 -0500
From: Brad Guillory <round@baileylink.net>
To: Robert Watson <rwatson@FreeBSD.ORG>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Applying patches with out a compiler
Message-ID: <20000512141525.F77275@baileylink.net>
In-Reply-To: <Pine.NEB.3.96L.1000512145530.44824B-100000@fledge.watson.org>; from rwatson@FreeBSD.ORG on Fri, May 12, 2000 at 03:00:47PM -0400
References: <200005121852.OAA89027@giganda.komkon.org> <Pine.NEB.3.96L.1000512145530.44824B-100000@fledge.watson.org>
Robert,

I think that you have sound goals and achievable objectives, the ingredients for a successful project. To accommodate the other camps (international version users, for instance) I suggest that you make any tools and methodologies that you develop for the project available.

You might consider your dependency stance. It would probably be easier for you to simply maintain a single package with incremental version numbers where each version contains all the fixes. I suspect that the number of binaries that will change over the course of a release will be minor.

The usefulness of this project will probably be very limited if you do not address the kernel issue. Many security fixes that I have seen since I joined the list have been in the form of kernel patches.

Good luck,
BMG

On Fri, May 12, 2000 at 03:00:47PM -0400, Robert Watson wrote:
>
> One of the simplifying assumptions here that makes the whole idea of binary
> security updates feasible is that you are working from a well-known code
> base. The service I'm willing to provide (and have time to provide) would
> specifically target the most recent -RELEASE version, and be intended to
> apply on an otherwise un-modified system. I would provide both KerberosIV
> and non-Kerberos versions, as I support Kerberos on some of my own
> machines; however, if it's going to get any more complicated than that, I
> don't have time to implement it, but would be glad for someone else to
> pick up the project.
>
> My thoughts on dependencies, et al, have been:
>
> 1) Binary patches will only be available against the most recent -RELEASE
> 2) Binary patch packages will depend on all prior binary patches being
>    installed
> 3) Source patches used to build the binary patched version seem like a good
>    idea.
>
> All of this is centered on requiring a very well-defined environment, in
> which the patch will not break other patches installed, introduce new
> holes, et al. As I said above, anything more complicated requires
> rethinking, and should be done in the context of source revision control,
> etc. This addresses only security concerns; if we want sliding version
> management in a binary manner across -STABLE, that's another target for
> another project :-).
>
> Robert N M Watson
>
> robert@fledge.watson.org              http://www.watson.org/~robert/
> PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1
> TIS Labs at Network Associates, Safeport Network Services

-- 
  __O    _-\<,_      Why drive when you can bike?
 (_)/   (_)

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
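Robert's three rules in the quoted message (target the most recent -RELEASE only, require every prior binary patch to be installed, apply only to an otherwise unmodified system) reduce to two checks an installer can make before it touches a file: the current binary must hash to the exact base the patch was built against, and the patch this one depends on must already be recorded as installed. The script below is an added example written for this archive page, not code from the thread, from Robert's project or from FreeBSD; the manifest arguments, the marker directory, the file layout and the sample binaries are assumptions made up for the demonstration.

```shell
#!/bin/sh
# Added example (not code from the thread or from FreeBSD): a minimal
# binary-patch installer that enforces the two ground rules above.
#   1. A patch only replaces a file whose current contents match the hash
#      of the unmodified -RELEASE (or previous-patch) version it targets.
#   2. A patch refuses to install unless the patch it depends on is
#      already recorded as installed, and never installs twice.
# Paths, the argument format and the marker directory are assumptions
# made up for this example.

sha256_of() {
    # Portable SHA-256 of a file: sha256sum on Linux, sha256 on FreeBSD,
    # shasum as a fallback.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# check_and_apply ROOT STATEDIR PATCHID DEPENDS RELPATH EXPECTED_OLD_SHA NEWFILE
#   ROOT             system root the patch is applied to
#   STATEDIR         directory holding one marker file per installed patch
#   PATCHID          identifier of this patch (constructed, e.g. "001")
#   DEPENDS          identifier of the required prior patch, or "-" for none
#   RELPATH          file under ROOT to replace
#   EXPECTED_OLD_SHA sha256 the current file must have (the known base)
#   NEWFILE          replacement binary shipped in the patch package
# Returns 0 if applied, 1 if refused; a refusal changes nothing on disk.
check_and_apply() {
    root=$1; state=$2; id=$3; dep=$4; rel=$5; want=$6; newfile=$7
    target="$root/$rel"

    # Rule 2: the prior patch must already be installed.
    if [ "$dep" != "-" ] && [ ! -f "$state/$dep" ]; then
        echo "patch $id: requires patch $dep first" >&2
        return 1
    fi
    # Rule 2, continued: never apply the same patch twice.
    if [ -f "$state/$id" ]; then
        echo "patch $id: already installed" >&2
        return 1
    fi
    # Rule 1: the file must be the exact base the patch was built against;
    # a locally rebuilt or otherwise modified binary is refused.
    if [ ! -f "$target" ] || [ "$(sha256_of "$target")" != "$want" ]; then
        echo "patch $id: $rel is not the expected base; refusing" >&2
        return 1
    fi
    # Replace atomically: write alongside, then rename over the original.
    cp "$newfile" "$target.tmp" && mv "$target.tmp" "$target" || return 1
    mkdir -p "$state" && : > "$state/$id"
    return 0
}

# run_demo builds a throwaway root with a constructed fake binary and walks
# through two patches, where 002 depends on 001. It prints one word per
# attempt, "applied" or "refused", in the order the attempts were made.
run_demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/root/bin" "$tmp/state"
    printf 'release binary v1\n' > "$tmp/root/bin/tool"   # constructed base
    printf 'patched binary v2\n' > "$tmp/new1"            # constructed patch 001
    printf 'patched binary v3\n' > "$tmp/new2"            # constructed patch 002
    base=$(sha256_of "$tmp/root/bin/tool")
    after1=$(sha256_of "$tmp/new1")
    out=""
    # Attempts: 002 before 001 (refused), 001 (applied), 002 (applied),
    # 001 again (refused: already installed and base no longer matches).
    for step in "002 001 bin/tool $after1 $tmp/new2" \
                "001 - bin/tool $base $tmp/new1" \
                "002 001 bin/tool $after1 $tmp/new2" \
                "001 - bin/tool $base $tmp/new1"; do
        set -- $step
        if check_and_apply "$tmp/root" "$tmp/state" "$@" 2>/dev/null; then
            out="$out applied"
        else
            out="$out refused"
        fi
    done
    rm -rf "$tmp"
    echo "${out# }"
}

run_demo
```

Running the script prints `refused applied applied refused`. The hash check is what makes Robert's "otherwise un-modified system" assumption enforceable rather than merely stated: a machine whose binary has been rebuilt locally fails the comparison and is left untouched instead of silently receiving a file built against a different base. The marker directory is the simplest form of the "all prior patches installed" dependency; a single cumulative package with incremental version numbers, as Brad suggests, would replace the chain of markers with one version file but keep the same pre-install hash check.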