From owner-freebsd-vuxml@FreeBSD.ORG Sun Aug 22 20:54:51 2004
Return-Path:
Delivered-To: freebsd-vuxml@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9579D16A4CE; Sun, 22 Aug 2004 20:54:51 +0000 (GMT)
Received: from gw.celabo.org (gw.celabo.org [208.42.49.153]) by mx1.FreeBSD.org (Postfix) with ESMTP id 54C0243D1D; Sun, 22 Aug 2004 20:54:51 +0000 (GMT) (envelope-from nectar@celabo.org)
Received: from localhost (localhost [127.0.0.1]) by gw.celabo.org (Postfix) with ESMTP id 969F85487F; Sun, 22 Aug 2004 15:54:50 -0500 (CDT)
Received: from gw.celabo.org ([127.0.0.1]) by localhost (hellblazer.celabo.org [127.0.0.1]) (amavisd-new, port 10024) with SMTP id 16006-10; Sun, 22 Aug 2004 15:54:39 -0500 (CDT)
Received: from madman.celabo.org (madman.celabo.org [10.0.1.111]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "madman.celabo.org", Issuer "celabo.org CA" (not verified)) by gw.celabo.org (Postfix) with ESMTP id D23E154861; Sun, 22 Aug 2004 15:54:39 -0500 (CDT)
Received: by madman.celabo.org (Postfix, from userid 1001) id 7FB2C6D468; Sun, 22 Aug 2004 15:54:30 -0500 (CDT)
Date: Sun, 22 Aug 2004 15:54:30 -0500
From: "Jacques A. Vidrine"
To: Oliver Eikemeier
Message-ID: <20040822205430.GD17478@madman.celabo.org>
Mail-Followup-To: "Jacques A. Vidrine", Oliver Eikemeier, Pete Fritchman, Tom Rhodes, freebsd-vuxml@FreeBSD.org
References: <20040822194025.GB17478@madman.celabo.org> <8D9F2B2C-F47B-11D8-8CAA-00039312D914@fillmore-labs.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <8D9F2B2C-F47B-11D8-8CAA-00039312D914@fillmore-labs.com>
X-Url: http://www.celabo.org/
User-Agent: Mutt/1.5.6i
cc: freebsd-vuxml@FreeBSD.org
cc: Tom Rhodes
cc: Pete Fritchman
Subject: Re: determining vulnerable FreeBSD system components [Was: cvs commit: ports/security/portaudit-db/database portaudit.txt portaudit.xlist portaudit.xml]
X-BeenThere: freebsd-vuxml@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Documenting security issues in VuXML
List-Unsubscribe:
List-Archive:
List-Post:
List-Help:
List-Subscribe:
X-List-Received-Date: Sun, 22 Aug 2004 20:54:51 -0000

On Sun, Aug 22, 2004 at 10:40:50PM +0200, Oliver Eikemeier wrote:
> Yup. We should use __FreeBSD_version for -STABLE and -CURRENT, since
> this is easily determinable.

__FreeBSD_version is not and should not be bumped for security updates.
It is strictly for source (and perhaps in some cases, binary) code
compatibility, and security updates do not (should not) impact code
compatibility.

> I know -CURRENT is not supported, but it would be useful nevertheless.
> I don't know how to handle release branches though. Especially when
> only the affected binary is patched, without rebooting the system (and
> possibly bumping __FreeBSD_version). Maybe we should invent some kind
> of global registry where the (security) patches applied are recorded.

Yeah, that has also come up before. Perhaps we should pick it up again.

Also, this kinda relates to Julian's desire to have the advisories in
the source tree, so that when you checked out say RELENG_4_10, you would
get all the advisories that affected 4.10 (and ONLY those advisories).
That could of course work for -STABLE and -CURRENT as well, but IIRC
there were some objections due to the realities of how we manage the
source tree. For example, I would not like to need to have N different
advisories for N different branches (i.e. branching the advisory in
CVS), but re@ has reasons they do not want to allow the sliding of tags
within src/.

Cheers,
-- 
Jacques Vidrine / nectar@celabo.org / jvidrine@verio.net / nectar@freebsd.org
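The following Python is an added illustration of the two approaches discussed in the message above; it is not code from the thread, from portaudit or from the FreeBSD project. It models Oliver's __FreeBSD_version range check beside the "registry of applied patches" idea and shows why the version check alone cannot tell a patched host from an unpatched one on the same branch. The version numbers, host names and the patch id "SA-EXAMPLE-01" are constructed placeholders, not real advisories.

```python
"""Added example (not from the thread or the FreeBSD project): a host's
__FreeBSD_version alone cannot show whether a security fix was applied,
because the value is not bumped for security updates; a registry of
applied patches, as proposed in the message, fills that gap.

All version numbers and patch identifiers below are constructed for the
example and are not real FreeBSD advisories.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    # Identifier of the fix; placeholder, not a real FreeBSD-SA name.
    patch_id: str
    # Inclusive __FreeBSD_version range of builds that shipped the flaw.
    affected_lo: int
    affected_hi: int


@dataclass(frozen=True)
class Host:
    name: str
    # __FreeBSD_version as reported by kern.osreldate; a security update
    # rebuilt on the same branch leaves this value unchanged.
    freebsd_version: int
    # Registry of security patch ids recorded as applied on this host.
    applied_patches: frozenset = frozenset()


def record_patch(host: Host, patch_id: str) -> Host:
    """Return a copy of the host with one more patch recorded in its registry."""
    return Host(host.name, host.freebsd_version,
                host.applied_patches | {patch_id})


def vulnerable_by_version_only(host: Host, adv: Advisory) -> bool:
    """Version-range check: is the host's build inside the affected range?"""
    return adv.affected_lo <= host.freebsd_version <= adv.affected_hi


def vulnerable_with_registry(host: Host, adv: Advisory) -> bool:
    """Version-range check plus the registry: affected build AND fix not recorded."""
    return (vulnerable_by_version_only(host, adv)
            and adv.patch_id not in host.applied_patches)


def missing_patches(hosts, advisories):
    """Map each host name to the patch ids it still lacks under the registry check."""
    return {h.name: [a.patch_id for a in advisories
                     if vulnerable_with_registry(h, a)]
            for h in hosts}


# Constructed data: one advisory covering a range of builds on one branch.
ADV = Advisory(patch_id="SA-EXAMPLE-01", affected_lo=491000, affected_hi=491100)

UNPATCHED = Host("box-a", freebsd_version=491000)
# Same branch and same __FreeBSD_version, but the fix was applied and recorded.
PATCHED = record_patch(Host("box-b", freebsd_version=491000), "SA-EXAMPLE-01")
# A build outside the affected range never carried the flaw.
NEWER = Host("box-c", freebsd_version=600000)

if __name__ == "__main__":
    for h in (UNPATCHED, PATCHED, NEWER):
        print(h.name,
              "version-only:", vulnerable_by_version_only(h, ADV),
              "registry:", vulnerable_with_registry(h, ADV))
    print(missing_patches([UNPATCHED, PATCHED, NEWER], [ADV]))
```

Run stand-alone, the version-only check flags both box-a and box-b because they report the same __FreeBSD_version, while the registry check clears box-b and leaves only box-a with a missing patch; that false positive is exactly the case of a patched binary on an unrebooted system that the message raises.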