Date: Thu, 16 Aug 2001 10:43:08 -0400 (EDT)
From: Robert Watson
To: David_May@allsolutions.com.au
Cc: freebsd-security@freebsd.org
Subject: Re: Distributions of security patches.

On Thu, 16 Aug 2001 David_May@allsolutions.com.au wrote:

> I have just been through a process of attempting to streamline the
> installation of security patches to our FreeBSD machines. There has to
> be a better way.
>
> Here, we install our systems from FreeBSD RELEASE CD-ROMs that we
> purchase. Given that so much effort has gone into making FreeBSD
> releases easy to install, it is a shame that it is not easy to install
> patches to the base system in the same way.
>
> Is there a good reason occasional BINARY patches containing ESSENTIAL
> UPDATES to FreeBSD releases are not made available for download from
> FreeBSD.ORG?
>
> It seems a bit silly that at www.freebsd.org there is an IMPORTANT
> NOTICE about a telnet demon exploit but no link for DOWNLOAD BINARY
> PATCH FROM HERE!
>
> Personally, I would even be happy to pay a bit more for my FreeBSD CDs
> for the privilege of avoiding all the CVSUPing or CTMing and
> re-compiling the ENTIRE SYSTEM just to ensure I have not missed a
> security patch to telnetd or whatever.

As of FreeBSD 4.3-RELEASE, the FreeBSD project has provided binary updates
for significant security problems, as well as the ability to pick up and
apply automatically all security patches against the release using CVS or
cvsup. Information on the binary patch available is included with each
advisory, including instructions on how to download and install the binary
patch.

To pick up all the security patches (and no other changes), you can use the
"release branch" with cvs or cvsup. In the case of 4.3-RELEASE, the branch
name is RELENG_4_3; once 4.4-RELEASE goes out the door, patches will be
applied to RELENG_4_4. This is the same version control mechanism used to
generate the patches, so it should contain everything you need so you can
build precisely once, if that's what you'd like to do. Or you can track
-STABLE (RELENG_4) and get the new features as well as security fixes, but
that may be less appealing to production users.

Take a look at the advisories, and if you have any questions or concerns
about them, feel free to post to this mailing list. Obviously, we'd like to
keep improving the system, but it does sound like most of your concerns are
addressed by what's currently in place.

One idea I've been looking at is making the packages available via a
special package collection that sysinstall can point itself at, as well as
providing a magic "all_security.tgz" package that has dependencies against
all current binary updates, but that doesn't register itself, so that
repeated pkg_add -r's pick up any new changes each time they run.
Robert N M Watson
FreeBSD Core Team, TrustedBSD Project
robert@fledge.watson.org
NAI Labs, Safeport Network Services

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
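The security-branch tracking described in the reply above, as an added example that is not part of the original thread: a small POSIX sh helper that emits a cvsup supfile pinned to a RELENG_x_y security branch (such as RELENG_4_3) and refuses a plain RELENG_x tag, which would pull in -STABLE changes rather than only security fixes. The cvsup host name is an assumed placeholder, and the helper names and the use of src-all are the example's own choices.

```shell
#!/bin/sh
# Added example, not from the original thread. Builds a cvsup supfile that
# tracks a FreeBSD security branch (RELENG_<major>_<minor>) and rejects
# tags that also carry -STABLE (RELENG_<major>) or -CURRENT (.) changes.

# is_security_branch TAG -> returns 0 only for tags like RELENG_4_3
is_security_branch() {
    case "$1" in
        RELENG_[0-9]*_[0-9]*) return 0 ;;   # security branch: patches only
        *)                    return 1 ;;   # RELENG_4, ".", typos, etc.
    esac
}

# make_supfile TAG [HOST] -> prints a supfile for src-all on that branch.
# HOST defaults to a placeholder mirror name; replace it with a real mirror.
make_supfile() {
    tag=$1
    host=${2:-cvsup.FreeBSD.org}   # placeholder, not a recommendation
    if ! is_security_branch "$tag"; then
        echo "refusing tag '$tag': not a RELENG_x_y security branch" >&2
        return 1
    fi
    cat <<EOF
*default host=$host
*default base=/usr
*default prefix=/usr
*default release=cvs tag=$tag
*default delete use-rel-suffix
src-all
EOF
}
```

Run `make_supfile RELENG_4_3 > /etc/security-supfile` and point cvsup at that file; after the checkout, a single buildworld/installworld from /usr/src applies every patch on the branch.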