Date:      Mon, 18 Dec 2000 11:25:08 +0200
From:      Nevermind <never@nevermind.kiev.ua>
To:        Roman Shterenzon <roman@xpert.com>
Cc:        Kris Kennaway <kris@FreeBSD.ORG>, Some Person <ntvsunix@hotmail.com>, freebsd-security@FreeBSD.ORG
Subject:   Re: Security Update Tool..
Message-ID:  <20001218112508.E607@nevermind.kiev.ua>
In-Reply-To: <Pine.LNX.4.30.0012161716370.32357-100000@jamus.xpert.com>; from roman@xpert.com on Sat, Dec 16, 2000 at 05:23:24PM +0200
References:  <20001215200957.A10030@citusc.usc.edu> <Pine.LNX.4.30.0012161716370.32357-100000@jamus.xpert.com>

Hello, Roman Shterenzon!

On Sat, Dec 16, 2000 at 05:23:24PM +0200, you wrote:

> > Note that identification of vulnerabilities is different from
> > automated correction of vulnerabilities - in order to do that it needs
> > some fairly complicated infrastructure in the ports system to upgrade
> > ports/packages and handle dependencies etc. Not that I want to
> > dissuade anyone from working on this very worthy project :-)
> >
> > Kris
> 
> I'm the person Kris was talking about. I'm working on it, have little
> time, and switched to gnupg lately, but it'll be done eventually.
> Perhaps this thread will make me finish it earlier.
> I'd like to hear ideas which I will incorporate in it.
> Meanwhile the main idea is:
> 1) have a local directory for advisories
> 2) upon start, contact freebsd.org and check for newer advisories
> 3) check advisories with gnupg (security officer's pgp key has to be
> installed manually).
> 4) extract the valuable information from the advisory
> 5) check against /var/db/pkg/* (revisions, and before it was invented -
> dates, yes, I know it's weak, but I've nothing to do with it).
> 6) depending on running mode, complain or upgrade (pkg_delete; pkg_install
> -r)
I think it would be much better if the user had the ability to choose whether he
wants to install a binary update or to build it from source.
> 7) anything else?
> Written in perl and will be called pkg_security.
> I guess it could be changed to sacheck if all binaries have the id in
> them, so using what(1) will reveal the cvs revision.
> 
> Looking forward to your comments,

-- 
Alexandr P. Kovalenko	http://nevermind.kiev.ua/
NEVE-RIPE
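
Steps 3 to 6 of the quoted plan, as an added Python example that is not part of the original message and not code from pkg_security. The `Package:`/`Fixed-In:` advisory fields, the pinned-fingerprint argument, the simplified version ordering and the sample package names are assumptions made for illustration.

```python
import os
import re
import subprocess
import tempfile

def verified_body(path, officer_fpr):
    """Step 3: return only the text covered by a valid signature from the pinned key."""
    r = subprocess.run(["gpg", "--batch", "--status-fd", "2", "--decrypt", path],
                       capture_output=True, text=True)
    valid = any(l.startswith("[GNUPG:] VALIDSIG ") and officer_fpr in l.split()[2:]
                for l in r.stderr.splitlines())
    if r.returncode != 0 or not valid:
        raise ValueError("no valid signature from the pinned key: " + path)
    return r.stdout  # parse this output, never the raw file

def parse_advisory(text):
    """Step 4. Assumed format: 'Package:' and 'Fixed-In:' lines (not the real layout)."""
    fields = dict(re.findall(r"^(Package|Fixed-In):[ \t]*(\S+)[ \t]*$", text, re.M))
    return fields["Package"], fields["Fixed-In"]

def version_key(version):
    """Simplified ordering: digit runs as integers, so '1.2_1' -> (1, 2, 1)."""
    return tuple(int(n) for n in re.findall(r"\d+", version))

def installed(pkg_db):
    """Step 5: the package database has one directory per package, <name>-<version>."""
    pkgs = {}
    for entry in os.listdir(pkg_db):
        name, sep, version = entry.rpartition("-")
        if sep and os.path.isdir(os.path.join(pkg_db, entry)):
            pkgs[name] = version
    return pkgs

def check(advisory_texts, pkg_db):
    """Step 6, 'complain' mode: (name, installed, fixed) for each vulnerable package."""
    have = installed(pkg_db)
    return [(n, have[n], f) for n, f in map(parse_advisory, advisory_texts)
            if n in have and version_key(have[n]) < version_key(f)]

def demo():
    # Constructed sample data: package names, versions and advisories are made up.
    advisories = ["Package: foo\nFixed-In: 1.2_2\n", "Package: bar\nFixed-In: 3.0\n",
                  "Package: baz\nFixed-In: 2.1\n"]
    with tempfile.TemporaryDirectory() as db:
        for d in ("foo-1.2_1", "bar-3.0", "p5-Foo-Bar-0.9"):
            os.mkdir(os.path.join(db, d))
        return check(advisories, db)

if __name__ == "__main__":
    print(demo())
```

`verified_body` hands back only what gpg reports as signed, so text placed outside the signature block of an advisory never reaches the parser.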

