Date: Fri, 12 May 2000 15:44:07 -0400 From: Derek Werthmuller <dwerthmu@ctg.albany.edu> To: 'Robert Watson' <rwatson@FreeBSD.ORG> Cc: freebsd-security@FreeBSD.ORG Subject: RE: Applying patches with out a compiler Message-ID: <7A71D0D43B9ED1119EC10008C756C3042F7703@ctg-nt.ctg.albany.edu>
next in thread | raw e-mail | index | archive | help
This could really take the OS to a new level of management, ease of use and potentially increase its use in the industry(which I believe is a goal). The pkg_add utilities work great, why not expand an already successful component. As far as using it to update the version the OS to a new release than this would be a great next step. I know for me, in the past when I went from one version to the next I rebuilt the system, the source upgrade has been had its problems for me. Derek -----Original Message----- From: Robert Watson [mailto:rwatson@FreeBSD.ORG] Sent: Friday, May 12, 2000 12:40 PM To: Derek Werthmuller Cc: freebsd-security@FreeBSD.ORG Subject: Re: Applying patches with out a compiler On Thu, 11 May 2000, Derek Werthmuller wrote: > I'm interested in applying standard "Release" versions of FreeBSD with out > using a compiler in the system. I generaly don't advise leaving a working > compiler in say a firewall or a hardened system. I know that I can have a > seperate system that I can use to connect via CVS and use that to update the > hardened systems. But doesn't that just keep my sources up to date and I > still need to build/build world every so often? Is there another way to > apply the security related patches ? For patches where it's appropriate, I've been strongly considering releasing "packages" that update the key parts of the base OS for security fixes. This would be similar to the BSD/OS patch level support for fixes, although restricted only to security stuff. This would provide access to security fixes for non-source-centric sites, which I think is important. With 4.0 I haven't had the opportunity to exercise this possibility as yet. :-) I.e., pkg_add secpatch_4.0-RELEASE_001.tgz Would replace the faulty binaries with better ones, and leave behind a package install record so you could easily determine which security patches are installed. And if appropriate, could back up the original binaries allowing pkg_delete to restore the original state. Any thoughts on this? Robert N M Watson robert@fledge.watson.org http://www.watson.org/~robert/ PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1 TIS Labs at Network Associates, Safeport Network Services To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?7A71D0D43B9ED1119EC10008C756C3042F7703>