From owner-freebsd-security Fri May 12 12:42:52 2000 Delivered-To: freebsd-security@freebsd.org Received: from ctg-nt.ctg.albany.edu (ctg-nt.ctg.albany.edu [169.226.80.32]) by hub.freebsd.org (Postfix) with ESMTP id E7D2F37BE8C; Fri, 12 May 2000 12:42:41 -0700 (PDT) (envelope-from dwerthmu@ctg.albany.edu) Received: by ctg-nt.ctg.albany.edu with Internet Mail Service (5.5.2650.21) id ; Fri, 12 May 2000 15:44:15 -0400 Message-ID: <7A71D0D43B9ED1119EC10008C756C3042F7703@ctg-nt.ctg.albany.edu> From: Derek Werthmuller To: 'Robert Watson' Cc: freebsd-security@FreeBSD.ORG Subject: RE: Applying patches with out a compiler Date: Fri, 12 May 2000 15:44:07 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-Type: text/plain; charset="iso-8859-1" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org This could really take the OS to a new level of management, ease of use and potentially increase its use in the industry(which I believe is a goal). The pkg_add utilities work great, why not expand an already successful component. As far as using it to update the version the OS to a new release than this would be a great next step. I know for me, in the past when I went from one version to the next I rebuilt the system, the source upgrade has been had its problems for me. Derek -----Original Message----- From: Robert Watson [mailto:rwatson@FreeBSD.ORG] Sent: Friday, May 12, 2000 12:40 PM To: Derek Werthmuller Cc: freebsd-security@FreeBSD.ORG Subject: Re: Applying patches with out a compiler On Thu, 11 May 2000, Derek Werthmuller wrote: > I'm interested in applying standard "Release" versions of FreeBSD with out > using a compiler in the system. I generaly don't advise leaving a working > compiler in say a firewall or a hardened system. I know that I can have a > seperate system that I can use to connect via CVS and use that to update the > hardened systems. But doesn't that just keep my sources up to date and I > still need to build/build world every so often? Is there another way to > apply the security related patches ? For patches where it's appropriate, I've been strongly considering releasing "packages" that update the key parts of the base OS for security fixes. This would be similar to the BSD/OS patch level support for fixes, although restricted only to security stuff. This would provide access to security fixes for non-source-centric sites, which I think is important. With 4.0 I haven't had the opportunity to exercise this possibility as yet. :-) I.e., pkg_add secpatch_4.0-RELEASE_001.tgz Would replace the faulty binaries with better ones, and leave behind a package install record so you could easily determine which security patches are installed. And if appropriate, could back up the original binaries allowing pkg_delete to restore the original state. Any thoughts on this? Robert N M Watson robert@fledge.watson.org http://www.watson.org/~robert/ PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1 TIS Labs at Network Associates, Safeport Network Services To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message