From owner-freebsd-security Mon Dec 18 1:27:36 2000
From owner-freebsd-security@FreeBSD.ORG Mon Dec 18 01:27:34 2000
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from nevermind.kiev.ua (unknown [212.109.53.33]) by hub.freebsd.org (Postfix) with ESMTP id 154D137B404; Mon, 18 Dec 2000 01:27:31 -0800 (PST)
Received: (from never@localhost) by nevermind.kiev.ua (8.11.1/8.11.1) id eBI9P8X05251; Mon, 18 Dec 2000 11:25:08 +0200 (EET) (envelope-from never)
Date: Mon, 18 Dec 2000 11:25:08 +0200
From: Nevermind
To: Roman Shterenzon
Cc: Kris Kennaway, Some Person, freebsd-security@FreeBSD.ORG
Subject: Re: Security Update Tool..
Message-ID: <20001218112508.E607@nevermind.kiev.ua>
References: <20001215200957.A10030@citusc.usc.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from roman@xpert.com on Sat, Dec 16, 2000 at 05:23:24PM +0200
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hello, Roman Shterenzon!

On Sat, Dec 16, 2000 at 05:23:24PM +0200, you wrote:

> > Note that identification of vulnerabilities is different from
> > automated correction of vulnerabilities - in order to do that it needs
> > some fairly complicated infrastructure in the ports system to upgrade
> > ports/packages and handle dependencies etc. Not that I want to
> > dissuade anyone from working on this very worthy project :-)
> >
> > Kris
>
> I'm the person Kris was talking about. I'm working on it, have little
> time, and switched to gnupg lately, but it'll be done eventually.
> Perhaps this thread will make me finish it earlier.
> I'd like to hear ideas which I will incorporate in it.
> Meanwhile the main idea is:
> 1) have a local directory for advisories
> 2) upon start, contact freebsd.org and check for newer advisories
> 3) check advisories with gnupg (security officer's pgp key has to be
> installed manually).
> 4) extract the valuable information from the advisory
> 5) check against /var/db/pkg/* (revisions, and before it was invented -
> dates, yes, I know it's weak, but I've nothing to do with it).
> 6) depending on running mode, complain or upgrade (pkg_delete; pkg_install
> -r)

I think it would be much better if the user had the ability to choose
whether he wants to install a binary update or to build it from source.

> 7) anything else?
> Written in perl and will be called pkg_security.
> I guess it could be changed to sacheck if all binaries have the id in
> them, so using what(1) will reveal the cvs revision.
>
> Looking forward to your comments,

--
Alexandr P. Kovalenko http://nevermind.kiev.ua/
NEVE-RIPE

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
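The core of the design quoted above (steps 3 to 6: verify the advisory, extract the affected package and fixed version, compare against what is installed under /var/db/pkg, then complain) can be sketched in a few dozen lines. The block below is an added example written for this archive page; it is not the pkg_security tool Roman describes, which was to be written in Perl. It assumes a simplified FreeBSD package-id layout of name-version[_revision][,epoch], a constructed advisory format with an id, a package name and the first fixed version, and a constructed list of installed packages in place of a real /var/db/pkg listing. The signature check shells out to gpg and therefore needs a real signed file and an imported key; it is not exercised by the sample data.

```python
import os
import re
import subprocess
from typing import Dict, List, Tuple

# Constructed sample advisories (hypothetical ids, not real FreeBSD SAs):
# package name plus the first version that carries the fix.
ADVISORIES: List[Dict[str, str]] = [
    {"id": "SAMPLE-00:01", "package": "foo", "fixed": "1.2.3_2"},
    {"id": "SAMPLE-00:02", "package": "bar", "fixed": "2.1"},
    {"id": "SAMPLE-00:03", "package": "baz", "fixed": "1.0"},
]

# Constructed stand-in for the directory names found under /var/db/pkg.
INSTALLED: List[str] = ["foo-1.2.3_1", "bar-2.0,1", "baz-0.9", "qux-3.0"]


def verify_advisory(path: str) -> bool:
    """Step 3: accept an advisory only if gpg reports a good signature.

    Requires gpg on PATH and the security officer's key already imported;
    a missing gpg binary is treated as a failed verification, never as a pass.
    """
    try:
        proc = subprocess.run(["gpg", "--verify", path], capture_output=True)
    except FileNotFoundError:
        return False
    return proc.returncode == 0


def split_pkg(pkg_id: str) -> Tuple[str, str]:
    """Split 'py-foo-1.0_2,1' into ('py-foo', '1.0_2,1'); the version is
    everything after the last '-', so hyphenated names survive."""
    name, _, version = pkg_id.rpartition("-")
    if not name or not version:
        raise ValueError(f"not a name-version id: {pkg_id!r}")
    return name, version


def parse_version(version: str) -> Tuple[int, tuple, int]:
    """Turn 'version[_revision][,epoch]' into a comparable tuple.

    Epoch is compared first (it overrides everything), then the dotted
    version, then the port revision. Letters and digits are split so that
    '1.10' sorts above '1.9'. This is a simplification of the real
    FreeBSD rules, enough for the sample data here.
    """
    epoch = 0
    if "," in version:
        version, epoch_str = version.split(",", 1)
        epoch = int(epoch_str)
    revision = 0
    if "_" in version:
        version, rev_str = version.split("_", 1)
        revision = int(rev_str)
    parts = tuple(
        (1, int(tok)) if tok.isdigit() else (0, tok)
        for tok in re.findall(r"\d+|[A-Za-z]+", version)
    )
    return (epoch, parts, revision)


def installed_from_db(db_dir: str = "/var/db/pkg") -> List[str]:
    """Step 5 on a real host: every directory under /var/db/pkg is one
    installed package id. Returns [] when the directory is absent."""
    if not os.path.isdir(db_dir):
        return []
    return sorted(d for d in os.listdir(db_dir) if os.path.isdir(os.path.join(db_dir, d)))


def find_vulnerable(installed: List[str], advisories: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Step 5/6 'complain' mode: return (installed id, advisory id, fixed version)
    for every installed package older than the fixed version of an advisory."""
    hits = []
    for pkg_id in installed:
        name, version = split_pkg(pkg_id)
        for adv in advisories:
            if adv["package"] == name and parse_version(version) < parse_version(adv["fixed"]):
                hits.append((pkg_id, adv["id"], adv["fixed"]))
    return hits


def format_report(hits: List[Tuple[str, str, str]]) -> str:
    if not hits:
        return "no installed packages match an advisory"
    return "\n".join(f"{pkg}: {adv} (fixed in {fixed})" for pkg, adv, fixed in hits)


if __name__ == "__main__":
    print(format_report(find_vulnerable(INSTALLED, ADVISORIES)))
```

Note that bar-2.0,1 is not reported even though 2.0 < 2.1: its epoch of 1 beats the advisory's epoch of 0, which is exactly why a checker must parse the epoch rather than compare version strings textually.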