Date:      Tue, 2 Jul 2002 12:28:33 -0400 (EDT)
From:      Chris BeHanna <behanna@zbzoom.net>
To:        FreeBSD-Hackers <FreeBSD-Hackers@FreeBSD.org>
Subject:   Re: FreeBSD Auto-update (Was: Re: resolv and dynamic linking to compatlibc)
Message-ID:  <20020702122124.T12768-100000@topperwein.dyndns.org>
In-Reply-To: <200207021519.IAA22280@fraser.sfu.ca>

On Tue, 2 Jul 2002, Colin Andrew Percival wrote:

> [Apologies if this gets delivered twice; some broken DNS is causing mail
> sent via shaw.ca to bounce.]
>
> At 10:32 02/07/2002 -0400, Chris BeHanna wrote:
> >On Mon, 1 Jul 2002, Brett Glass wrote:
> >> Alas, ethics demand that [older code which is now known to have security
> >> flaws] be either taken offline or accompanied
> >> with a clear, visible, and strong warning.
> >
> >    Who is going to expend the time and effort to do this, and what
> >task should they let drop on the floor to get it done?
> >
> >> A snapshot of 4.6-STABLE should also be made and released as 4.6.1.
> >
> >   You could contribute to that, for a start, to make sure that the
> >modularity needed to plug in an update facility is designed in.  I'd
> >suggest piggybacking the update facility on top of portupgrade to
> >minimize duplication of effort.  That, of course, depends upon the
> >availability of known good binary packages with valid MD5 checksums
> >and/or PGP signatures, and that's a whole 'nother resource problem.
>
>   I'm new here (well, I've only been around for a bit over a year) so I'm
> probably hopelessly lost, but... what is wrong with making world and
> (GENERIC) kernel each time the 4.6 security branch is updated, and
> publishing (signed) lists of the form "if you have file X with md5 hash
> X_hash, replace it with file Y with md5 hash Y_hash" (where X is a local
> path, and Y is a URL)?

    That's the basic idea, in part.  If cons, for example, had the
ability to use a URL to point to a cache, this could work just ducky
(cons uses MD5 hashes rather than timestamps to determine if a file is
out-of-date.  That's a big win over make; however, cons can't yet do
parallel builds).

    If the base system were itself divided into packages, then a
solution based upon portupgrade could be employed.

    It requires someone to invest the time to set it up, and it
requires some dedicated, trusted hardware, as you point out below:

>   I'd do this myself, except that I don't have any secure system to do this,
> and I'd be horrified if anyone would trust binary updates coming from me
> anyway.

    Another part of the puzzle is generating and supplying trusted
precompiled packages from the ports tree.  Finally, the last link in
the chain is teaching sysinstall to automatically search for newer
packages than were burned onto the CD, so that it can prompt the user
to install the newer (presumably more secure) versions.

    Brett has been moaning for a very long time that this mechanism
isn't in place, but he hasn't lifted a finger to help put it in place.

-- 
Chris BeHanna                      http://www.pennasoft.com
Principal Consultant
PennaSoft Corporation
chris@pennasoft.com


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020702122124.T12768-100000>