Date:      Fri, 12 May 2000 18:46:00 +0100
From:      David Pick <D.M.Pick@qmw.ac.uk>
To:        Robert Watson <rwatson@FreeBSD.ORG>
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: Applying patches with out a compiler 
Message-ID:  <E12qJVg-0005ow-00@xi.css.qmw.ac.uk>
In-Reply-To: Your message of "Fri, 12 May 2000 12:40:04 EDT." <Pine.NEB.3.96L.1000512123717.44824A-100000@fledge.watson.org> 


> For patches where it's appropriate, I've been strongly considering
> releasing "packages" that update the key parts of the base OS for security
> fixes.  This would be similar to the BSD/OS patch level support for fixes,
> although restricted only to security stuff.  This would provide access to
> security fixes for non-source-centric sites, which I think is important. 
> With 4.0 I haven't had the opportunity to exercise this possibility as
> yet. :-)
> 
> I.e., 
> 
>   pkg_add secpatch_4.0-RELEASE_001.tgz
> 
> Would replace the faulty binaries with better ones, and leave behind a
> package install record so you could easily determine which security
> patches are installed.  And if appropriate, could back up the original
> binaries allowing pkg_delete to restore the original state.
> 
> Any thoughts on this?

Very useful.

A few points:
 - We'd need to allow for USA/international versions, preferably with
   different names. Perhaps a third "set" of names for the "patches"
   that are independent of geography:
    - secpatch_4.0-RELEASE_global-001
    - secpatch_4.0-RELEASE_international-001
    - secpatch_4.0-RELEASE_USAonly-001
 - The automatic dependency system would be magic, especially if there
   was a "top level" package listing the latest "patches"
 - possibly another "set" containing *source* patches for the kernel
   only, for the sites who need to rebuild the kernel but carry no
   other sources, to make the installation of these important patches
   easier and hence more likely to happen

A few questions:
 - should each "patch" package have all the previous ones as dependencies?
 - most package names seem to use the convention of a basic name, a hyphen,
   then the version number; does this really matter so the package names
   would need to be modified slightly?
 - how sensitive can the system be made to the fact that different combinations
   of distribution sets give different sets of binary programs: there's the
   international/USA versions, but (as I've just realised), there's also
   the issue of kerberos/non-kerberos versions of some binaries.

-- 
	David Pick



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
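The mechanism sketched in this thread, a pkg_add-style security patch package that backs up the binaries it replaces, leaves an install record, refuses to install unless the patches it depends on are already present, and can be removed again to restore the original files, written out as an added example. This is not code from the thread or from FreeBSD's pkg tools; the patch ids (001, 002), the `payload/` and `REQUIRE` layout, the record location under `var/db/secpatch` and the function names are all assumptions made for the sandbox, and the sample "binaries" are constructed text files. Everything runs inside a temporary directory, so nothing on the host is touched.

```shell
#!/bin/sh
# Added example (not FreeBSD's pkg_add/pkg_delete): a sandboxed model of a
# "secpatch" package that replaces binaries, keeps backups and an install
# record, enforces that earlier patches are present, and can roll back.
# Everything lives under $ROOT, a temp directory, so nothing real is touched.
ROOT="${ROOT:-$(mktemp -d)}"
DB="$ROOT/var/db/secpatch"          # install records (assumed location)
PATCHES="$ROOT/patches"             # unpacked patch payloads (assumed layout)

# Constructed sandbox: one "vulnerable" binary plus two patches, where
# patch 002 lists 001 in its REQUIRE file (the dependency idea in the thread).
setup_sandbox() {
    mkdir -p "$ROOT/bin" "$DB" "$PATCHES/001/payload/bin" "$PATCHES/002/payload/bin"
    printf 'old-ls\n'       > "$ROOT/bin/ls"
    printf 'fixed-ls-001\n' > "$PATCHES/001/payload/bin/ls"
    : > "$PATCHES/001/REQUIRE"
    printf 'fixed-ls-002\n' > "$PATCHES/002/payload/bin/ls"
    printf '001\n'          > "$PATCHES/002/REQUIRE"
}

# secpatch_apply <id>: refuse unless every REQUIRE'd patch is installed,
# back up each file it overwrites, copy the payload in, record the file list.
secpatch_apply() {
    pkg="$1"; src="$PATCHES/$pkg"
    [ -d "$src" ] || { echo "no such patch: $pkg" >&2; return 2; }
    if [ -f "$DB/$pkg/files" ]; then echo "$pkg already installed" >&2; return 0; fi
    while read -r dep; do
        [ -n "$dep" ] || continue
        [ -f "$DB/$dep/files" ] || { echo "$pkg requires $dep first" >&2; return 3; }
    done < "$src/REQUIRE"
    mkdir -p "$DB/$pkg/backup"
    cp "$src/REQUIRE" "$DB/$pkg/require"          # kept so deletes can check reverse deps
    ( cd "$src/payload" && find . -type f ) | sed 's|^\./||' | while read -r f; do
        if [ -f "$ROOT/$f" ]; then                   # save the original for rollback
            mkdir -p "$(dirname "$DB/$pkg/backup/$f")"
            cp "$ROOT/$f" "$DB/$pkg/backup/$f"
        fi
        mkdir -p "$(dirname "$ROOT/$f")"
        cp "$src/payload/$f" "$ROOT/$f"
        echo "$f"                                    # one line per replaced file
    done > "$DB/$pkg/files"
}

# secpatch_delete <id>: refuse if an installed patch still requires this one,
# then restore each backed-up file (or remove files the patch had added).
secpatch_delete() {
    pkg="$1"
    [ -f "$DB/$pkg/files" ] || { echo "$pkg not installed" >&2; return 2; }
    for req in "$DB"/*/require; do
        [ -f "$req" ] || continue
        other=$(basename "$(dirname "$req")")
        if [ "$other" != "$pkg" ] && grep -qx "$pkg" "$req"; then
            echo "$other depends on $pkg; delete it first" >&2; return 3
        fi
    done
    while read -r f; do
        if [ -f "$DB/$pkg/backup/$f" ]; then
            cp "$DB/$pkg/backup/$f" "$ROOT/$f"
        else
            rm -f "$ROOT/$f"
        fi
    done < "$DB/$pkg/files"
    rm -rf "$DB/$pkg"
}

# secpatch_installed: the "which security patches are installed" query.
secpatch_installed() {
    for rec in "$DB"/*/files; do
        if [ -f "$rec" ]; then basename "$(dirname "$rec")"; fi
    done
}

if [ "${1:-}" = "demo" ]; then
    setup_sandbox
    secpatch_apply 002 || echo "refused as expected (002 needs 001)"
    secpatch_apply 001 && secpatch_apply 002
    echo "installed: $(secpatch_installed | tr '\n' ' ')"
    secpatch_delete 002 && secpatch_delete 001
    echo "restored: $(cat "$ROOT/bin/ls")"
fi
```

Running the file with `demo` as its only argument walks through the scenario: patch 002 is refused until 001 is in, both install in order, the install record answers the "which patches are installed" question, and deleting in reverse order brings `bin/ls` back to its original content. The reverse-dependency check in `secpatch_delete` is what keeps a later fix from silently being left on top of a reverted base.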




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?E12qJVg-0005ow-00>