Date:      Sun, 5 Aug 2001 02:01:40 +0300
From:      Alex Popa <razor@ldc.ro>
To:        Bill Moran <wmoran@iowna.com>
Cc:        freebsd-stable@FreeBSD.ORG
Subject:   Re: A way to tell which security patches are installed [Was: RELENG_4_3 calls itself -RELEASE?]
Message-ID:  <20010805020140.A93455@ldc.ro>
In-Reply-To: <3B6BFF94.F11BBACE@iowna.com>; from wmoran@iowna.com on Sat, Aug 04, 2001 at 09:58:44AM -0400
References:  <20010803135402.94163.qmail@web14001.mail.yahoo.com> <20010803114937X.jkh@freebsd.org> <01080403365700.00392@spatula.home> <3B6BFF94.F11BBACE@iowna.com>

On Sat, Aug 04, 2001 at 09:58:44AM -0400, Bill Moran wrote:
> Why not 4.4.1-RELEASE, 4.4.2-RELEASE, etc
> It's simple, to the point. Implies upgrades. Allows you to quickly determine
> exactly how current a particular system is with regards to patches, and 
> follows long-standing conventions.
> 
> Just my $.02
> -Bill
> 

Because there are two kinds of patches applied to the RELENG_4_3 branch,
some kernel patches and some userland patches, there are a few problems
I have seen mentioned:

1) A userland patch like telnetd does not require you to reboot, so why
go through that and recompile a kernel just to have an updated "uname -r".

2) A kernel patch requires you to reboot, so a change in the uname -r
output can be seen.

What I suggest is as follows:  have the uname -r change after the first
patch (RELEASEPLUS or anything you suggest, just have an indication that
something has changed from the original -RELEASE).

Keep a patch level for the kernel in the -RELEASEPLUS tag (something
like RELEASEPLUS01, 02...) and have the userland patches install an
empty file with a suggestive name in a standard location (probably under
/var), something like /var/patches/telnetd-01, /var/patches/openssl-01,
etc.

These files under /var/patches could be created by the Makefiles of the
respective daemons/programs/libraries, on install, if upgrading via
source.  Also, the upgrading via packages could probably add those files
just as easily.  I am not sure whether there are other methods of
upgrading (I count build/installworld as a source upgrade, and this
could also clean /var/patches).

Since the latest upgrade of the program should leave the latest "patch
evidence", it should be easy to just have a look at /var/patches and see
"Oh, I missed the openssl upgrade".  To avoid problems of installing
older packages, the install script could clean other patch evidence
regarding to that package, like "rm /var/patches/telnetd-*; touch
/var/patches/telnetd-01".  This way accidentally downgrading a package
should also be noticed.

Kernel upgrades should be reflected in uname, so those are not that
complicated.

It might be worth noting that this still leaves questions like "I have
4.3-RELEASEPLUS02, is my telnetd vulnerable" answered a little oddly,
"Check that you have at least /var/patches/telnetd-01 or you are
vulnerable".

Sorry if this does not make much sense, it is 01:51am now and I need
sleep.

(on a side note, -FAIRINGS seems like a good idea)

Have Fun!
	Alex
------------+------------------------------------------
Alex Popa,  |  "Artificial Intelligence is
razor@ldc.ro|         no match for Natural Stupidity"
------------+------------------------------------------
"It took the computing power of three C-64s to fly to the Moon.
It takes a 486 to run Windows 95. Something is wrong here."
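As an added example (not code from Alex's mail or from FreeBSD), here is a POSIX sh sketch of the /var/patches "patch evidence" scheme described in the message above: record_patch does the "rm /var/patches/telnetd-*; touch /var/patches/telnetd-01" step the mail proposes, installed_level and at_least answer the "do I have at least telnetd-01" question, and check_required reports what is missing ("Oh, I missed the openssl upgrade"). The PATCHDIR variable, the function names and the "NAME LEVEL" spec format are assumptions of this example; the two-digit patch levels follow the 01, 02 convention from the mail.

```shell
#!/bin/sh
# Added example of the /var/patches "patch evidence" scheme (not FreeBSD code).
# PATCHDIR defaults to /var/patches as proposed in the mail; set it to a
# scratch directory to try the functions without touching the real system.
PATCHDIR="${PATCHDIR:-/var/patches}"

# record_patch NAME LEVEL
# Remove any other evidence for NAME (older, or newer after an accidental
# downgrade), then leave exactly one empty marker, e.g. telnetd-01.
record_patch() {
    name=$1
    level=$2
    mkdir -p "$PATCHDIR"
    rm -f "$PATCHDIR/$name"-*
    : > "$PATCHDIR/$name-$level"
}

# installed_level NAME
# Print the highest patch level recorded for NAME; fail if none is present.
installed_level() {
    name=$1
    best=
    for f in "$PATCHDIR/$name"-*; do
        [ -e "$f" ] || continue            # unmatched glob stays literal
        lvl=${f##*/}
        lvl=${lvl#"$name-"}
        if [ -z "$best" ] || [ "$lvl" -gt "$best" ]; then
            best=$lvl
        fi
    done
    [ -n "$best" ] || return 1
    printf '%s\n' "$best"
}

# at_least NAME LEVEL
# Succeed if NAME's recorded level is numerically >= LEVEL.
at_least() {
    name=$1
    want=$2
    have=$(installed_level "$name") || return 1
    [ "$have" -ge "$want" ]
}

# check_required "NAME LEVEL" ...
# Print each required patch that is absent or too old; fail if any is.
check_required() {
    missing=0
    for spec in "$@"; do
        name=${spec% *}
        want=${spec#* }
        if ! at_least "$name" "$want"; then
            printf 'missing: %s-%s\n' "$name" "$want"
            missing=1
        fi
    done
    return $missing
}

# Allow "sh patchlevel.sh record_patch telnetd 01" style use from the shell.
if [ "$#" -gt 0 ]; then
    "$@"
fi
```

Because record_patch first removes every marker for the package, installing an older package over a newer one leaves only the older marker behind, which is exactly the downgrade signal the mail wants to be noticeable.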
