Date:      Mon, 18 Dec 2000 12:38:46 +0200 (IST)
From:      Roman Shterenzon <roman@xpert.com>
To:        Nevermind <never@nevermind.kiev.ua>
Cc:        <freebsd-security@FreeBSD.ORG>
Subject:   Re: Security Update Tool..
Message-ID:  <Pine.LNX.4.30.0012181237220.5701-100000@jamus.xpert.com>
In-Reply-To: <20001218112508.E607@nevermind.kiev.ua>

On Mon, 18 Dec 2000, Nevermind wrote:

> Hello, Roman Shterenzon!
>
> On Sat, Dec 16, 2000 at 05:23:24PM +0200, you wrote:
>
> > > Note that identification of vulnerabilities is different from
> > > automated correction of vulnerabilities - in order to do that it needs
> > > some fairly complicated infrastructure in the ports system to upgrade
> > > ports/packages and handle dependencies etc. Not that I want to
> > > dissuade anyone from working on this very worthy project :-)
> > >
> > > Kris
> >
> > I'm the person Kris was talking about. I'm working on it, have little
> > time, and switched to gnupg lately, but it'll be done eventually.
> > Perhaps this thread will make me finish it earlier.
> > I'd like to hear ideas which I will incorporate in it.
> > Meanwhile the main idea is:
> > 1) have a local directory for advisories
> > 2) upon start, contact freebsd.org and check for newer advisories
> > 3) check advisories with gnupg (security officer's pgp key has to be
> > installed manually).
> > 4) extract the valuable information from the advisory
> > 5) check against /var/db/pkg/* (revisions, and before it was invented -
> > dates, yes, I know it's weak, but I've nothing to with it).
> > 6) depending on running mode, complain or upgrade (pkg_delete; pkg_install
> > -r)
> I think it would be much better if the user had the ability to choose whether he
> wants to install a binary update or build it from source.

hmm.. I can make it an option, but tell me, why? If the user has some local
modifications, he'll prefer doing it himself anyway, and by the time the
advisory is released the binary probably exists already.


> > 7) anything else?
> > Written in perl and will be called pkg_security.
> > I guess it could be changed to sacheck if all binaries have the id in
> > them, so using what(1) will reveal the cvs revision.
> >
> > Looking forward to your comments,
>
> --
> Alexandr P. Kovalenko	http://nevermind.kiev.ua/
> NEVE-RIPE
>

--Roman Shterenzon, UNIX System Administrator and Consultant
[ Xpert UNIX Systems Ltd., Herzlia, Israel. Tel: +972-9-9522361 ]
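The scheme quoted above (verify the advisory with gnupg, extract the affected package and fixed version, compare against what is installed, then complain or upgrade) as an added example. This is not code from the thread or from the pkg_security tool it describes; it is written in Python rather than the Perl the author mentions, and the advisory format, package names and versions are constructed for illustration. Real advisories are free text and /var/db/pkg/ holds one directory per package, so the extraction step is the part a real tool has to harden. The version ordering is a simplified model of FreeBSD's (epoch, then version components, then port revision), also an assumption.

```python
"""Added example, not code from the thread or from the pkg_security tool it
describes: a Python model of steps 3-6 of the scheme quoted in the mail.
The advisory format, package names and versions below are constructed for
illustration; real advisories are free text and /var/db/pkg/ holds one
directory per package, so extraction (step 4) is what a real tool must harden."""
import re
import subprocess
from typing import NamedTuple


def verify_advisory(path: str, gpg: str = "gpg") -> bool:
    """Step 3: accept an advisory only if gpg confirms a valid signature.

    Assumes the security officer's key was imported by hand, as the mail
    says.  --status-fd 1 makes gpg print machine-readable status lines;
    VALIDSIG is emitted only for a good signature by a key in the keyring.
    (Not exercised by the offline sample data below.)"""
    proc = subprocess.run([gpg, "--batch", "--status-fd", "1", "--verify", path],
                          capture_output=True, text=True)
    return proc.returncode == 0 and "[GNUPG:] VALIDSIG" in proc.stdout


class PkgVersion(NamedTuple):
    epoch: int        # ",N" suffix; a higher epoch beats any version
    parts: tuple      # version proper, split into numeric/alpha components
    revision: int     # "_N" suffix (port revision)


_VERSION_RE = re.compile(r"^(.*?)(?:_(\d+))?(?:,(\d+))?$")


def parse_version(text: str) -> PkgVersion:
    """Simplified model of FreeBSD package version ordering (an assumption):
    epoch first, then version components, then port revision.  Numeric
    components compare as integers; a bare letter sorts below any number."""
    base, rev, epoch = _VERSION_RE.match(text).groups()
    parts = tuple((1, int(p)) if p.isdigit() else (0, p)
                  for p in re.findall(r"\d+|[A-Za-z]+", base))
    return PkgVersion(int(epoch or 0), parts, int(rev or 0))


def split_pkgname(entry: str) -> tuple:
    """'p5-Foo-Bar-2.0_1' -> ('p5-Foo-Bar', '2.0_1'): the version follows the last '-'."""
    name, _, version = entry.rpartition("-")
    return name, version


_AFFECTED_RE = re.compile(r"^Affected:\s*(\S+)\s*<\s*(\S+)", re.M)


def extract_fixes(advisory: str) -> dict:
    """Step 4: map package name -> first fixed version, from the constructed
    'Affected: <name> < <fixed>' lines used in this example."""
    return {name: fixed for name, fixed in _AFFECTED_RE.findall(advisory)}


def find_vulnerable(advisory: str, installed: list) -> list:
    """Step 5: compare each installed package entry against the advisory."""
    fixes = extract_fixes(advisory)
    hits = []
    for entry in installed:
        name, version = split_pkgname(entry)
        if name in fixes and parse_version(version) < parse_version(fixes[name]):
            hits.append((name, version, fixes[name]))
    return hits


def plan_actions(hits: list, mode: str = "complain") -> list:
    """Step 6: in 'complain' mode report; in 'upgrade' mode build (but do not
    run) the pkg_delete / pkg_add -r commands an upgrade would issue."""
    actions = []
    for name, version, fixed in hits:
        if mode == "upgrade":
            actions.append(f"pkg_delete {name}-{version}")
            actions.append(f"pkg_add -r {name}")
        else:
            actions.append(f"{name}-{version} is vulnerable; fixed in {name}-{fixed}")
    return actions


# Constructed sample data, not a real advisory or a real package database.
SAMPLE_ADVISORY = """\
Topic: buffer overflow in foo (constructed sample, not a real FreeBSD-SA)
Affected: foo < 1.2.4
Affected: p5-Foo-Bar < 2.0_1
Affected: baz < 1.0,1
"""
SAMPLE_INSTALLED = ["foo-1.2.3_2", "bar-3.1", "p5-Foo-Bar-2.0_1", "baz-0.9,1"]

if __name__ == "__main__":
    for line in plan_actions(find_vulnerable(SAMPLE_ADVISORY, SAMPLE_INSTALLED)):
        print(line)
```

Run stand-alone it reports foo and baz as vulnerable and leaves bar (not mentioned) and p5-Foo-Bar (already at the fixed revision) alone. The verification step is kept separate on purpose: nothing from the advisory should be parsed or acted on until `verify_advisory` has returned True, which is why the mail puts the gnupg check before extraction.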