Date: Fri, 12 May 2000 12:40:04 -0400 (EDT) From: Robert Watson <rwatson@FreeBSD.ORG> To: Derek Werthmuller <dwerthmu@ctg.albany.edu> Cc: freebsd-security@FreeBSD.ORG Subject: Re: Applying patches with out a compiler Message-ID: <Pine.NEB.3.96L.1000512123717.44824A-100000@fledge.watson.org> In-Reply-To: <7A71D0D43B9ED1119EC10008C756C3042F76FB@ctg-nt.ctg.albany.edu>
next in thread | previous in thread | raw e-mail | index | archive | help
On Thu, 11 May 2000, Derek Werthmuller wrote: > I'm interested in applying standard "Release" versions of FreeBSD with out > using a compiler in the system. I generaly don't advise leaving a working > compiler in say a firewall or a hardened system. I know that I can have a > seperate system that I can use to connect via CVS and use that to update the > hardened systems. But doesn't that just keep my sources up to date and I > still need to build/build world every so often? Is there another way to > apply the security related patches ? For patches where it's appropriate, I've been strongly considering releasing "packages" that update the key parts of the base OS for security fixes. This would be similar to the BSD/OS patch level support for fixes, although restricted only to security stuff. This would provide access to security fixes for non-source-centric sites, which I think is important. With 4.0 I haven't had the opportunity to exercise this possibility as yet. :-) I.e., pkg_add secpatch_4.0-RELEASE_001.tgz Would replace the faulty binaries with better ones, and leave behind a package install record so you could easily determine which security patches are installed. And if appropriate, could back up the original binaries allowing pkg_delete to restore the original state. Any thoughts on this? Robert N M Watson robert@fledge.watson.org http://www.watson.org/~robert/ PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1 TIS Labs at Network Associates, Safeport Network Services To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.NEB.3.96L.1000512123717.44824A-100000>