Date: Fri, 12 May 2000 15:06:39 -0600 From: Wes Peters <wes@softweyr.com> To: David Pick <D.M.Pick@qmw.ac.uk> Cc: Robert Watson <rwatson@FreeBSD.ORG>, freebsd-security@FreeBSD.ORG Subject: Re: Applying patches with out a compiler Message-ID: <391C725F.CF89DA4A@softweyr.com> References: <E12qJVg-0005ow-00@xi.css.qmw.ac.uk>
next in thread | previous in thread | raw e-mail | index | archive | help
David Pick wrote:
>
> > For patches where it's appropriate, I've been strongly considering
> > releasing "packages" that update the key parts of the base OS for security
> > fixes. This would be similar to the BSD/OS patch level support for fixes,
> > although restricted only to security stuff. This would provide access to
> > security fixes for non-source-centric sites, which I think is important.
> > With 4.0 I haven't had the opportunity to exercise this possibility as
> > yet. :-)
> >
> > I.e.,
> >
> > pkg_add secpatch_4.0-RELEASE_001.tgz
> >
> > Would replace the faulty binaries with better ones, and leave behind a
> > package install record so you could easily determine which security
> > patches are installed. And if appropriate, could back up the original
> > binaries allowing pkg_delete to restore the original state.
> >
> > Any thoughts on this?
>
> Very useful.
>
> A few points:
> - We'd need to allow for USA/international versions, preferably with
> different names. Perhaps a third "set" of names for the "patches"
> that are independent of geography:
> - secpatch_4.0-RELEASE_global-001
> - secpatch_4.0-RELEASE_international-001
> - secpatch_4.0-RELEASE_USAonly-001
Ugh. There's gotta be a better way. Please read below.
> - The automatic dependency system would be magic, especially if there
> was a "top level" package listing the latest "patches"
Yeah, yeah, we could call them "Service Packs." Or not.
> - possibly another "set" containing *source* patches for the kernel
> only, for the sites who need to rebuild the kernel but carry no
> other sources, to make the installation of these important patches
> easier and hence more likely to happen
>
> A few questions:
> - should each "patch" package have all the previous ones as dependencies?
Only the ones this patch really depends on.
> - most package names seem to use the convention of a basic name, a hyphen,
> then the version number; does this really matter so the package names
> would need to be modifiled slightly?
I think the version numbers are part of the dependency magic, but haven't
verified this.
> - how sensitive can the system be made to the fact that different combinations
> of distribution sets give defferent sets of binary programs: there's the
> international/USA versions, but (as I've just realised), there's also
> the issue of kerberos/non-kerberos versions of some binaries.
Ick. I'd like to point out that Jordan is trying very very hard to solve
these problems, and others, for real. Attempting to extend what we have
now is probably not the best way to carry on.
The project Jordan wishes to muster would address all the issues we've
covered above, and others like what happens when the config file format
changes between versions (automagically suck the settings out of the old
one and put them into the new one is the RIGHT answer), and adding new
entries into existing files, and ripping them back out when downgrading.
If you're really interested in helping with the real effort, email
jkh@freebsd.org and tell him you want to join the fun. He might even have
an employment opportunity for you. ;^)
--
"Where am I, and what am I doing in this handbasket?"
Wes Peters Softweyr LLC
wes@softweyr.com http://softweyr.com/
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?391C725F.CF89DA4A>