From: Chris BeHanna
To: FreeBSD-Hackers
Date: Tue, 2 Jul 2002 12:28:33 -0400 (EDT)
Subject: Re: FreeBSD Auto-update (Was: Re: resolv and dynamic linking to compatlibc)
In-Reply-To: <200207021519.IAA22280@fraser.sfu.ca>
Message-ID: <20020702122124.T12768-100000@topperwein.dyndns.org>

On Tue, 2 Jul 2002, Colin Andrew Percival wrote:

> [Apologies if this gets delivered twice; some broken DNS is causing mail
> sent via shaw.ca to bounce.]
>
> At 10:32 02/07/2002 -0400, Chris BeHanna wrote:
> >On Mon, 1 Jul 2002, Brett Glass wrote:
> >> Alas, ethics demand that [older code which is now known to have security
> >> flaws] be either taken offline or accompanied
> >> with a clear, visible, and strong warning.
> >
> > Who is going to expend the time and effort to do this, and what
> >task should they let drop on the floor to get it done?
> >
> >> A snapshot of 4.6-STABLE should also be made and released as 4.6.1.
> >
> > You could contribute to that, for a start, to make sure that the
> >modularity needed to plug in an update facility is designed in. I'd
> >suggest piggybacking the update facility on top of portupgrade to
> >minimize duplication of effort. That, of course, depends upon the
> >availability of known good binary packages with valid MD5 checksums
> >and/or PGP signatures, and that's a whole 'nother resource problem.
>
> I'm new here (well, I've only been around for a bit over a year) so I'm
> probably hopelessly lost, but... what is wrong with making world and
> (GENERIC) kernel each time the 4.6 security branch is updated, and
> publishing (signed) lists of the form "if you have file X with md5 hash
> X_hash, replace it with file Y with md5 hash Y_hash" (where X is a local
> path, and Y is a URL)?

That's the basic idea, in part. If cons, for example, had the ability to
use a URL to point to a cache, this could work just ducky (cons uses MD5
hashes rather than timestamps to determine if a file is out-of-date.
That's a big win over make; however, cons can't yet do parallel builds).
If the base system were itself divided into packages, then a solution
based upon portupgrade could be employed. It requires someone to invest
the time to set it up, and it requires some dedicated, trusted hardware,
as you point out below:

> I'd do this myself, except that I don't have any secure system to do this,
> and I'd be horrified if anyone would trust binary updates coming from me
> anyway.

Another part of the puzzle is generating and supplying trusted
precompiled packages from the ports tree.

Finally, the last link in the chain is teaching sysinstall to
automatically search for newer packages than were burned onto the CD, so
that it can prompt the user to install the newer (presumably more secure)
versions. Brett has been moaning for a very long time that this mechanism
isn't in place, but he hasn't lifted a finger to help put it in place.
-- 
Chris BeHanna                   http://www.pennasoft.com
Principal Consultant            PennaSoft Corporation
chris@pennasoft.com
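The signed "if you have file X with X_hash, replace it with Y with Y_hash" list that Colin proposes in the message above, worked through as an added example (not code from the thread or from FreeBSD): the client verifies the list's signature before trusting any entry, then applies an entry only when the local file still matches X_hash and the download matches Y_hash. It assumes an HMAC with a constructed key as a stand-in for a PGP signature, an in-memory dict in place of the URL fetch, and SHA-256 in place of MD5; all file contents are constructed sample data.

```python
import hashlib, hmac, json, os, tempfile

# Assumption: an HMAC over the list stands in for the PGP signature on it;
# the key and all file contents below are constructed demo values.
LIST_KEY = b"constructed-demo-key"

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()     # SHA-256 used in place of MD5

def sign_update_list(entries: list) -> dict:
    body = json.dumps(entries, sort_keys=True)
    return {"body": body, "sig": hmac.new(LIST_KEY, body.encode(), "sha256").hexdigest()}

def apply_update_list(signed: dict, root: str, fetch) -> dict:
    """Apply entries 'if you have X with X_hash, replace it with Y (Y_hash)'.
    fetch(url) -> bytes stands in for the download. Returns {path: status}."""
    want = hmac.new(LIST_KEY, signed["body"].encode(), "sha256").hexdigest()
    if not hmac.compare_digest(want, signed["sig"]):   # check before trusting anything
        raise ValueError("update list signature invalid; nothing applied")
    status = {}
    for e in json.loads(signed["body"]):
        local = os.path.join(root, e["path"])
        if not os.path.exists(local):
            status[e["path"]] = "missing"
            continue
        with open(local, "rb") as f:
            if digest(f.read()) != e["old_hash"]:  # locally modified or other version
                status[e["path"]] = "skipped"
                continue
        new = fetch(e["url"])
        if digest(new) != e["new_hash"]:           # corrupt or tampered download
            status[e["path"]] = "rejected"
            continue
        with open(local + ".tmp", "wb") as f:
            f.write(new)
        os.replace(local + ".tmp", local)          # atomic swap into place
        status[e["path"]] = "updated"
    return status

def demo() -> dict:
    """Constructed sample: ls is clean, cp was patched locally, mv's download is bad."""
    root = tempfile.mkdtemp()
    for name, data in {"ls": b"ls-v1", "cp": b"cp-local-patch", "mv": b"mv-v1"}.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    mirror = {"u/ls": b"ls-v2", "u/cp": b"cp-v2", "u/mv": b"mv-tampered"}
    entries = [{"path": n, "old_hash": digest(n.encode() + b"-v1"), "url": "u/" + n,
                "new_hash": digest(n.encode() + b"-v2")} for n in ("ls", "cp", "mv", "sh")]
    return apply_update_list(sign_update_list(entries), root, mirror.__getitem__)
```

Running `demo()` updates only `ls`; `cp` is left alone because its local hash no longer matches, `mv` is refused because the fetched bytes do not match Y_hash, and `sh` is reported missing.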