Date: Mon, 18 Dec 2000 11:25:08 +0200
From: Nevermind <never@nevermind.kiev.ua>
To: Roman Shterenzon <roman@xpert.com>
Cc: Kris Kennaway <kris@FreeBSD.ORG>, Some Person <ntvsunix@hotmail.com>, freebsd-security@FreeBSD.ORG
Subject: Re: Security Update Tool..
Message-ID: <20001218112508.E607@nevermind.kiev.ua>
In-Reply-To: <Pine.LNX.4.30.0012161716370.32357-100000@jamus.xpert.com>; from roman@xpert.com on Sat, Dec 16, 2000 at 05:23:24PM +0200
References: <20001215200957.A10030@citusc.usc.edu> <Pine.LNX.4.30.0012161716370.32357-100000@jamus.xpert.com>
Hello, Roman Shterenzon!

On Sat, Dec 16, 2000 at 05:23:24PM +0200, you wrote:
> > Note that identification of vulnerabilities is different from
> > automated correction of vulnerabilities - in order to do that it needs
> > some fairly complicated infrastructure in the ports system to upgrade
> > ports/packages and handle dependencies etc. Not that I want to
> > dissuade anyone from working on this very worthy project :-)
> >
> > Kris
>
> I'm the person Kris was talking about. I'm working on it, have little
> time, and switched to gnupg lately, but it'll be done eventually.
> Perhaps this thread will make me finish it earlier.
> I'd like to hear ideas which I will incorporate in it.
> Meanwhile the main idea is:
> 1) have a local directory for advisories
> 2) upon start, contact freebsd.org and check for newer advisories
> 3) check advisories with gnupg (security officer's pgp key has to be
> installed manually).
> 4) extract the valuable information from the advisory
> 5) check against /var/db/pkg/* (revisions, and before it was invented -
> dates, yes, I know it's weak, but I've nothing to do with it).
> 6) depending on running mode, complain or upgrade (pkg_delete; pkg_install
> -r)

I think it would be much better if the user had the ability to choose whether to install a binary update or build it from source.

> 7) anything else?
> Written in perl and will be called pkg_security.
> I guess it could be changed to sacheck if all binaries have the id in
> them, so using what(1) will reveal the cvs revision.
>
> Looking forward to your comments,

--
Alexandr P. Kovalenko http://nevermind.kiev.ua/ NEVE-RIPE

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
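[Editor's added example, not code from this thread or from the pkg_security tool Roman describes.] Steps 3 to 6 of the sketch above (verify the advisory's signature, pull out the affected ports, compare them against what is installed, then complain) in Python rather than the Perl the tool is planned in. Everything below is constructed for illustration: the "Affected: <port> < <first fixed version>" line format is made up and is not the real FreeBSD-SA layout, the advisory id is a placeholder, the package list stands in for the directory names under /var/db/pkg, and the version comparison is a simplified form of the pkg_version(1) rules (epoch, then version pieces, then PORTREVISION).

```python
"""Added example (not the pkg_security tool from the thread): the core of
steps 3-6 of the sketch, in Python rather than Perl.

Assumptions, all constructed for this example:
  * advisories carry one "Affected: <port> < <first fixed version>" line
    per vulnerable port (a made-up format, not the real FreeBSD-SA layout);
  * installed packages are named the way the directories under /var/db/pkg
    are, i.e. "<name>-<version>[_<revision>][,<epoch>]".
"""
import os
import re
import subprocess
from typing import Dict, List, Optional, Tuple

# Constructed sample advisory (placeholder id, made-up versions).
SAMPLE_ADVISORY = """\
FreeBSD-SA-YY:NN.placeholder
Affected: bind < 8.2.3
Affected: gnupg < 1.0.4
Affected: apache < 1.3.14
"""

# Constructed stand-in for os.listdir("/var/db/pkg").
INSTALLED = ["bind-8.2.2_1", "gnupg-1.0.4", "apache-1.3.12", "perl-5.6.0"]

_AFFECTED = re.compile(r"^Affected:\s*(\S+)\s*<\s*(\S+)\s*$", re.MULTILINE)
_TOKEN = re.compile(r"\d+|[A-Za-z]+")


def verify_signature(advisory_path: str, keyring: Optional[str] = None) -> bool:
    """Step 3: accept an advisory only if gpg verifies its signature against
    the security officer's key, which the admin imported by hand beforehand.
    Shells out to the real gpg binary, so it is not exercised offline here."""
    cmd = ["gpg", "--batch", "--verify"]
    if keyring:
        cmd += ["--no-default-keyring", "--keyring", keyring]
    cmd.append(advisory_path)
    return subprocess.run(cmd, capture_output=True).returncode == 0


def parse_advisory(text: str) -> Dict[str, str]:
    """Step 4: map each affected port name to the first fixed version."""
    return {m.group(1): m.group(2) for m in _AFFECTED.finditer(text)}


def split_name_version(pkg: str) -> Tuple[str, str]:
    """'apache-1.3.12' -> ('apache', '1.3.12'); port names may themselves
    contain dashes, so the version is whatever follows the last one."""
    name, sep, version = pkg.rpartition("-")
    if not sep or not name:
        raise ValueError(f"no version in package name: {pkg!r}")
    return name, version


def parse_version(ver: str) -> Tuple[int, tuple, int]:
    """Turn 'VERSION[_REVISION][,EPOCH]' into a key that sorts roughly the
    way pkg_version(1) does (simplified): epoch first, then version pieces
    (digits as integers, letters lexically), then PORTREVISION."""
    epoch = 0
    if "," in ver:
        ver, e = ver.split(",", 1)
        epoch = int(e)
    revision = 0
    if "_" in ver:
        ver, r = ver.split("_", 1)
        revision = int(r)
    pieces = tuple((1, int(t), "") if t.isdigit() else (0, 0, t.lower())
                   for t in _TOKEN.findall(ver))
    return epoch, pieces, revision


def version_lt(installed: str, fixed: str) -> bool:
    """True when the installed version predates the first fixed one."""
    return parse_version(installed) < parse_version(fixed)


def find_vulnerable(installed: List[str], affected: Dict[str, str]) -> List[Tuple[str, str]]:
    """Step 5: (installed package, first fixed version) for every package
    that an advisory line says is older than its fix."""
    hits = []
    for pkg in installed:
        name, ver = split_name_version(pkg)
        fixed = affected.get(name)
        if fixed is not None and version_lt(ver, fixed):
            hits.append((pkg, fixed))
    return hits


def installed_packages(dbdir: str = "/var/db/pkg") -> List[str]:
    """Read the real package database: one directory per installed package."""
    return sorted(d for d in os.listdir(dbdir) if os.path.isdir(os.path.join(dbdir, d)))


if __name__ == "__main__":
    # Step 6 in "complain" mode, over the constructed inputs.
    for pkg, fixed in find_vulnerable(INSTALLED, parse_advisory(SAMPLE_ADVISORY)):
        print(f"{pkg}: vulnerable, upgrade to {fixed} or later")
```

On the constructed inputs this reports bind-8.2.2_1 and apache-1.3.12 and stays quiet about gnupg-1.0.4 (already at the fixed version) and perl (not in the advisory). The epoch and PORTREVISION handling is what makes the check on /var/db/pkg usable at all: a package with ",1" appended is newer than any version without an epoch, and "_1" is newer than the bare version, so a plain string comparison would both miss fixes and raise false alarms.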
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20001218112508.E607>