From: Andrew J Caines <ajc@hal9000.bsdonline.org>
To: FreeBSD Security <freebsd-security@freebsd.org>
Subject: Re: Security Update Tool..
Date: Sun, 17 Dec 2000 22:43:03 -0500
Message-ID: <20001217224303.B403@hal9000.bsdonline.org>
In-Reply-To: message from marquis@roble.com on Sat, Dec 16, 2000 at 10:34:07PM -0800
Organization: H.A.L. Plant
X-Powered-by: FreeBSD 4.2-STABLE

To add to Roger Marquis's pointer,

> Before reinventing the wheel interested developers might check the
> reference implementation, Sun's Patchdiag:

For those without Sun experience and a SunSolve account, patchdiag uses
Solaris' package and patch system and compares the current package and
patch list to a "cross reference" file (currently 654kB) available from
SunSolve which reflects the latest patches. The output is a report showing
how the system's patch level compares to the latest patch list from Sun.

Here's a sample:

    INSTALLED PATCHES

    Patch  Installed Latest   Synopsis
    ID     Revision  Revision
    ------ --------- -------- ------------------------------------------------------------
    106146 15        16       SunOS 5.7: M64 Graphics Patch
    106147 06        CURRENT  SunOS 5.7: VIS/XIL Graphics Patch
    106148 12        CURRENT  SunOS 5.7: XFB Graphics Patch
    106300 09        CURRENT  SunOS 5.7: Shared library patch for 64bit C++
    106327 08        CURRENT  SunOS 5.7: Shared library patch for C++
    106541 12        14       SunOS 5.7: Kernel update patch
    106725 02        CURRENT  OpenWindows 3.6.1: mailtool vacation security patch
    106733 07        CURRENT  SunOS 5.7: Create a patch analyzer
    106748 04        CURRENT  SunOS 5.7: /usr/ccs/bin/sccs and /usr/ccs/bin/make patch
    106793 05        CURRENT  SunOS 5.7: ufsdump and ufsrestore patch
    106812 04        CURRENT  OBSOLETED by 107432

Patches are also grouped into categories, such as "recommended", "security"
and "Y2K".

Sun has also made fetching the patches much easier with the "autopatch"
facility which enables you to download patches with wget of a URL based on
expressions which match the patch number, eg.

    wget -m -L -l2 -A "105160*" http://sunsolve.sun.com/private-cgi/pls.pl?arg=105160*

I've not yet come across any glue which sticks these two pieces together,
although it would be very simple to make. The reason is probably the same
as the one which has been suggested as the reason for not having an
automated update tool here - that the choice to make changes to the system
is one for the sysadmin to make, based on information made available. In
Sun's case, they've made both ends of the job easy - patchdiag to identify
patches and autopatch+patchadd to get and apply them.

Of course, this all applies only to Sun's packages. I have not seen anyone
come up with additional cross reference file entries for other packages.

I'll leave comparisons to FreeBSD's model and tools, along with suggestions
for enhancement, to others for now.
Note, however, that Solaris is based on a package system for everything and
that packages and patches are binary.

-Andrew-

-- 
_______________________________________________________________________
| -Andrew J. Caines-   Unix Systems Engineer   A.J.Caines@altavista.net |
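An added example (not from the message, and not Sun's patchdiag code): a toy Python re-implementation of the comparison the message describes, checking each installed patch revision against a cross-reference of latest revisions and flagging patches that are behind, obsoleted, or unknown. The pipe-separated cross-reference format and the sample data are constructed for this example and are not Sun's real patchdiag.xref format.

```python
from typing import Dict, List, Tuple

# Constructed installed-patch list (id -> installed revision), taken from the
# sample report quoted in the message.
INSTALLED: Dict[str, int] = {
    "106146": 15, "106147": 6, "106541": 12, "106725": 2, "106812": 4,
}

# Constructed stand-in for the SunSolve cross-reference file (NOT Sun's real
# patchdiag.xref format): "id|latest|synopsis", where latest is a revision
# number or "OBSOLETED:<replacement id>".
XREF_TEXT = """\
106146|16|SunOS 5.7: M64 Graphics Patch
106147|06|SunOS 5.7: VIS/XIL Graphics Patch
106541|14|SunOS 5.7: Kernel update patch
106725|02|OpenWindows 3.6.1: mailtool vacation security patch
106812|OBSOLETED:107432|SunOS 5.7: superseded, see replacement
"""

def parse_xref(text: str) -> Dict[str, Tuple[str, str]]:
    """Return {patch id: (latest revision or OBSOLETED:<id>, synopsis)}."""
    xref: Dict[str, Tuple[str, str]] = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            pid, latest, synopsis = line.split("|", 2)
            xref[pid.strip()] = (latest.strip(), synopsis.strip())
    return xref

def patch_status(installed_rev: int, latest: str) -> str:
    """CURRENT if up to date, the newer revision if behind, or OBSOLETED by X."""
    if latest.startswith("OBSOLETED:"):
        return "OBSOLETED by " + latest.split(":", 1)[1]
    return "CURRENT" if installed_rev >= int(latest) else latest

def patchdiag(installed: Dict[str, int], xref: Dict[str, Tuple[str, str]]) -> list:
    """One (id, installed rev, latest-or-status, synopsis) row per installed patch."""
    rows = []
    for pid, rev in sorted(installed.items()):
        if pid not in xref:  # unknown to the cross-reference: flag it, don't guess
            rows.append((pid, rev, "UNKNOWN", "not in cross-reference"))
            continue
        latest, synopsis = xref[pid]
        rows.append((pid, rev, patch_status(rev, latest), synopsis))
    return rows

def needs_attention(rows: list) -> List[str]:
    """Patch ids a sysadmin should look at: behind, obsoleted, or unknown."""
    return [pid for pid, _, status, _ in rows if status != "CURRENT"]
```

The report leaves the decision to the sysadmin, as the message notes; nothing here fetches or installs anything.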