From owner-freebsd-security Fri May 12 10:46:11 2000
Delivered-To: freebsd-security@freebsd.org
Received: from zeta.qmw.ac.uk (zeta.qmw.ac.uk [138.37.6.6]) by hub.freebsd.org (Postfix) with ESMTP id B655B37B5DE; Fri, 12 May 2000 10:46:07 -0700 (PDT) (envelope-from d.m.pick@qmw.ac.uk)
Received: from xi.css.qmw.ac.uk ([138.37.8.11]) by zeta.qmw.ac.uk with esmtp (Exim 3.02 #1) id 12qJVf-0000Ki-00; Fri, 12 May 2000 18:45:59 +0100
Received: from cgaa180 by xi.css.qmw.ac.uk with local (Exim 1.92 #1) id 12qJVg-0005ow-00; Fri, 12 May 2000 18:46:00 +0100
X-Mailer: exmh version 2.0.2 2/24/98
To: Robert Watson
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Applying patches with out a compiler
In-reply-to: Your message of "Fri, 12 May 2000 12:40:04 EDT."
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Fri, 12 May 2000 18:46:00 +0100
From: David Pick
Message-Id:
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> For patches where it's appropriate, I've been strongly considering
> releasing "packages" that update the key parts of the base OS for security
> fixes. This would be similar to the BSD/OS patch level support for fixes,
> although restricted only to security stuff. This would provide access to
> security fixes for non-source-centric sites, which I think is important.
> With 4.0 I haven't had the opportunity to exercise this possibility as
> yet. :-)
>
> I.e.,
>
> pkg_add secpatch_4.0-RELEASE_001.tgz
>
> Would replace the faulty binaries with better ones, and leave behind a
> package install record so you could easily determine which security
> patches are installed. And if appropriate, could back up the original
> binaries allowing pkg_delete to restore the original state.
>
> Any thoughts on this?

Very useful. A few points:

- We'd need to allow for USA/international versions, preferably with
  different names. Perhaps a third "set" of names for the "patches" that
  are independent of geography:
  - secpatch_4.0-RELEASE_global-001
  - secpatch_4.0-RELEASE_international-001
  - secpatch_4.0-RELEASE_USAonly-001
- The automatic dependency system would be magic, especially if there was
  a "top level" package listing the latest "patches"
- possibly another "set" containing *source* patches for the kernel only,
  for the sites who need to rebuild the kernel but carry no other sources,
  to make the installation of these important patches easier and hence
  more likely to happen

A few questions:

- should each "patch" package have all the previous ones as dependencies?
- most package names seem to use the convention of a basic name, a hyphen,
  then the version number; does this really matter, so the package names
  would need to be modified slightly?
- how sensitive can the system be made to the fact that different
  combinations of distribution sets give different sets of binary programs:
  there's the international/USA versions, but (as I've just realised),
  there's also the issue of kerberos/non-kerberos versions of some binaries.

--
David Pick

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
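As an added illustration of the install-record-plus-backup scheme described in the quoted proposal (not FreeBSD's pkg_add/pkg_delete and not code from either poster), the sketch below installs a patch's files over a tree, records what it touched, keeps the originals, and can restore them; the record location under var/db/secpatch, the staging layout and the sample "binaries" are constructed for the demo and run inside a scratch directory rather than the real root.

```shell
#!/bin/sh
# Added illustration, not FreeBSD's pkg_add: a "security patch package" that
# replaces binaries, leaves an install record and can restore the originals.
# Everything runs inside a scratch directory standing in for the real /.
set -eu

ROOT=$(mktemp -d)                       # constructed stand-in for /
PATCH=secpatch_4.0-RELEASE_global-001   # name scheme proposed in the thread
RECDIR="$ROOT/var/db/secpatch"          # hypothetical install-record location

# Constructed sample: a "faulty" binary in the tree, a fixed copy in staging.
mkdir -p "$ROOT/usr/bin" "$ROOT/stage/usr/bin"
printf 'old faulty binary\n' > "$ROOT/usr/bin/example"
printf 'fixed binary\n'      > "$ROOT/stage/usr/bin/example"

# secpatch_add NAME STAGEDIR: install every file under STAGEDIR into ROOT,
# saving any original beside the record so secpatch_delete can put it back.
secpatch_add() {
    name=$1; stage=$2; rec="$RECDIR/$name"
    if [ -e "$rec/+CONTENTS" ]; then
        echo "$name is already installed" >&2; return 1
    fi
    mkdir -p "$rec/orig"
    ( cd "$stage" && find . -type f ) | while read -r f; do
        f=${f#./}
        mkdir -p "$ROOT/$(dirname "$f")" "$rec/orig/$(dirname "$f")"
        [ ! -e "$ROOT/$f" ] || cp -p "$ROOT/$f" "$rec/orig/$f"
        cp -p "$stage/$f" "$ROOT/$f"
        echo "$f" >> "$rec/+CONTENTS"      # the install record
    done
}

# secpatch_delete NAME: restore the saved originals (or remove files the
# patch newly added) and drop the record, like pkg_delete undoing a package.
secpatch_delete() {
    name=$1; rec="$RECDIR/$name"
    if [ ! -f "$rec/+CONTENTS" ]; then
        echo "$name is not installed" >&2; return 1
    fi
    while read -r f; do
        if [ -e "$rec/orig/$f" ]; then cp -p "$rec/orig/$f" "$ROOT/$f"
        else rm -f "$ROOT/$f"; fi
    done < "$rec/+CONTENTS"
    rm -rf "$rec"
}

# secpatch_list: which patches are installed (the question the record answers).
secpatch_list() { ls "$RECDIR" 2>/dev/null || true; }
```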