From owner-freebsd-hackers Wed Jan 23 10:19:53 2002
From: Beth Reid
To: freebsd-hackers@freebsd.org
Subject: FW: FreeBSD nonkernel patches/packages
Date: Wed, 23 Jan 2002 13:15:20 -0500

-----Original Message-----
From: Jacques A. Vidrine [mailto:n@nectar.cc]
Sent: Wednesday, January 23, 2002 1:17 PM
To: Beth Reid
Cc: 'security-officer@FreeBSD.org'
Subject: Re: FreeBSD nonkernel patches/packages


Hello Beth,

Many of the questions you ask here will probably be better answered in
another forum such as freebsd-hackers@freebsd.org.  You are seeking
understanding of the FreeBSD build process, and of the package
creation process, and these are not specific to security.

On Wed, Jan 23, 2002 at 01:02:34PM -0500, Beth Reid wrote:
> Hi
>
> I have a few questions regarding non-kernel FreeBSD patch distribution.  Any
> information is really appreciated.  If all of this is documented somewhere,
> I would be happy to do the research if someone could point me to the
> document.
>
> 1) If I produced a product based on FreeBSD 4.3, how would my customers get
> the patches?
>
> I can see there was a binary distribution of the patches using pkg_add.
> This seems to work very nicely in distributing patches to customers.
> However, this process seemed to change with the openssh patch 01:63.  The
> binary distribution was for FreeBSD 4.4 only.  How does one ship a binary
> installation of that patch to their customers who are running 4.3?  (Same
> goes for patches 02:01 and 02:02.)  The customer's system does not have
> source. :-/

As noted in the advisory, the binary patches are an experimental
delivery mechanism.  You could certainly duplicate this experiment
yourself.
 
> 2)  Do you provide a mechanism where I can create my own binary
> installations using pkg_add?
>
> It seems I can use pkg_create.  That seems to work fine, but can I get more
> information on the packinglist file and what items to ship with each
> distribution? 
>
> I can create a very simple packinglist such as this for the 02:02 pw patch.
[snip]
> Or the following for the 01:63 sshd patch:
[snip]

Yes, that is essentially how it is done.

> However, when I looked at the binary distribution for the sshd patch that is
> available for FreeBSD 4.4, it included several shippables such as scp,
> ssh_add, ssh-agent, ssh_keygen, sftp.... and all of the man pages).  This
> didn't seem necessary since the only file that was changed was session.c.
> Was this done simply to reship the entire ssh product or did this package
> just include everything that the make install would have rebuilt?

The last released sshd patch included only `sshd', not the items you
note above.  Probably you are thinking about the OpenSSH /ports/.  We
do not provide binary patches for ports.  Rather, users are instructed
to update to new packages, and these packages are indeed complete.
 
> 3) What about patches that patch libraries which impact several executables?
>
>
> If there is a patch that patches a library (similar to the old 01:40) patch,
> how do you know which commands that it would impact and which to include in
> the binary package? 

It depends.  If one patches libc, one would have to also patch all
statically linked executables for example.   Library dependencies are
documented primarily in the Makefiles for FreeBSD.

> Would it be documented in the README?

What README?
 
> I suppose the long and short of it is, if I am creating my own binary
> installations, how can I be sure what to include in the tarballs.  Do I have
> to rely on combining information from the Readme, .patch file, and Makefile
> as a guide?

Yes.  In our advisories for the base system, we now try to include all
the revisions and source files [1].  You will have to derive what
binaries are affected from that.

Cheers,
--
Jacques A. Vidrine <n@nectar.cc>                 http://www.nectar.cc/
NTT/Verio SME          .     FreeBSD UNIX     .       Heimdal Kerberos
jvidrine@verio.net     .  nectar@FreeBSD.org  .          nectar@kth.se

[1] In the `Correction details' section.
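
The reply above says that a patch to a library such as libc also obliges the vendor to reship every statically linked executable, because those carry their own copy of the library code and never see the fixed libc.so. Deciding which binaries those are is a mechanical question the ELF headers answer: an executable that has no PT_INTERP program header is never handed to the run-time linker, so whatever libc it uses is embedded in it. The script below is an added example, not the thread's or FreeBSD's own tooling: it parses ELF32 and ELF64 headers (FreeBSD 4.x on i386 shipped ELF32), classifies each file as a static executable, a dynamic executable or a shared object, and walks an install tree to list what a libc patch package would have to include. The tree it scans is constructed in a temporary directory with minimal hand-built ELF fixtures; the paths and the assumption that /bin and /sbin are static (as they were on 4.x) are illustrative, not taken from any advisory.

```python
"""Find statically linked executables that must be rebuilt and reshipped when
a shared library (e.g. libc) is patched.  Added example, not FreeBSD tooling.
"""
import os
import struct
import tempfile

PT_INTERP = 3            # program header naming the run-time linker
ET_EXEC, ET_DYN = 2, 3   # e_type values for executables / shared objects

# Header layouts (after the 16-byte e_ident).  Field order is identical in
# both classes, only the widths differ, so the same indices work for both.
_LAYOUT = {
    1: ("HHIIIIIHHHHHH", "IIIIIIII", 52, 32),   # ELF32, e.g. 4.x i386
    2: ("HHIQQQIHHHHHH", "IIQQQQQQ", 64, 56),   # ELF64
}


def parse_elf(data):
    """Return (e_type, [p_type, ...]) or None if data is not a readable ELF."""
    if len(data) < 16 or data[:4] != b"\x7fELF":
        return None
    elfclass, endian = data[4], data[5]
    if elfclass not in _LAYOUT or endian not in (1, 2):
        return None
    bo = "<" if endian == 1 else ">"
    ehdr_fmt, phdr_fmt, ehdr_len, _ = _LAYOUT[elfclass]
    if len(data) < ehdr_len:
        return None
    f = struct.unpack(bo + ehdr_fmt, data[16:ehdr_len])
    e_type, e_phoff, e_phentsize, e_phnum = f[0], f[4], f[8], f[9]
    phdr_size = struct.calcsize(bo + phdr_fmt)
    ptypes = []
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        chunk = data[off:off + phdr_size]
        if len(chunk) < phdr_size:
            return None                      # truncated program header table
        ptypes.append(struct.unpack(bo + phdr_fmt, chunk)[0])  # p_type is first
    return e_type, ptypes


def link_kind(data):
    """Classify an ELF image; None for non-ELF input."""
    parsed = parse_elf(data)
    if parsed is None:
        return None
    e_type, ptypes = parsed
    if PT_INTERP in ptypes:
        return "dynamic-exec"   # ld-elf.so maps the patched libc.so at run time
    if e_type == ET_EXEC:
        return "static-exec"    # libc code is inside the file: rebuild and reship
    if e_type == ET_DYN:
        return "shared-object"  # the library itself (a static PIE would land here too)
    return "other"


def scan_tree(root):
    """Walk root and return {relative path: kind} for every ELF file."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue
            with open(path, "rb") as fh:
                kind = link_kind(fh.read())
            if kind is not None:
                found[os.path.relpath(path, root)] = kind
    return found


def reship_list(root):
    """Executables that embed the library and therefore belong in the patch package."""
    return sorted(p for p, k in scan_tree(root).items() if k == "static-exec")


def build_elf(elfclass, e_type, ptypes, endian=1):
    """Constructed fixture: a minimal ELF with only the given program headers."""
    bo = "<" if endian == 1 else ">"
    ehdr_fmt, phdr_fmt, ehdr_len, phent = _LAYOUT[elfclass]
    ident = b"\x7fELF" + bytes([elfclass, endian, 1]) + b"\0" * 9
    ehdr = struct.pack(bo + ehdr_fmt, e_type, 3, 1, 0, ehdr_len, 0, 0,
                       ehdr_len, phent, len(ptypes), 0, 0, 0)
    phdrs = b"".join(struct.pack(bo + phdr_fmt, t, 0, 0, 0, 0, 0, 0, 0)
                     for t in ptypes)
    return ident + ehdr + phdrs


def demo():
    """Constructed install tree modelled on 4.x (static /bin and /sbin)."""
    root = tempfile.mkdtemp()
    fixtures = {
        "bin/sh": build_elf(1, ET_EXEC, [1]),                 # PT_LOAD only: static
        "sbin/init": build_elf(1, ET_EXEC, [1, 1]),
        "usr/bin/ssh": build_elf(1, ET_EXEC, [6, 3, 1, 2]),   # PHDR, INTERP, LOAD, DYNAMIC
        "usr/lib/libc.so.4": build_elf(1, ET_DYN, [1, 2]),
        "etc/rc.conf": b'sshd_enable="YES"\n',                # not ELF, ignored
    }
    for rel, data in fixtures.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return reship_list(root)


if __name__ == "__main__":
    print(demo())
```

Run against a real 4.x install tree (`reship_list("/")`), the static entries are the ones whose rebuilt copies go into the packing list alongside the library; dynamically linked programs pick up the fix from the new libc.so once it is installed, so only the library itself needs to ship for them.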

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message