Date: Sun, 22 Aug 2004 14:40:25 -0500 From: "Jacques A. Vidrine" <nectar@FreeBSD.org> To: Oliver Eikemeier <eikemeier@fillmore-labs.com> Cc: Pete Fritchman <petef@absolutbsd.org> Subject: Re: cvs commit: ports/security/portaudit-db/database portaudit.txt portaudit.xlist portaudit.xml Message-ID: <20040822194025.GB17478@madman.celabo.org> In-Reply-To: <1F055B5E-F084-11D8-924A-00039312D914@fillmore-labs.com> References: <20040817185332.2B91D1800A@sirius.firepipe.net> <1F055B5E-F084-11D8-924A-00039312D914@fillmore-labs.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Tue, Aug 17, 2004 at 09:32:05PM +0200, Oliver Eikemeier wrote:
> Jacques doens't seem to like this: "Aaaaaahh!".
:-)
> I don't really care
> ident(1) is fine for me, and it seems like this is the only reliable
> indication. OTOH you'll need a couple of references (file, list of
> FreeBSD versions). Doable, so when no other ideas pop up we should do
> this.
I don't think ident information is all that useful, and I *know*
that it is a PITA to maintain. I instituted the current practice
of including revision numbers in FreeBSD Security Advisories. I
thought it was a good idea at the time :-) But in fact, it is one
of the most time-consuming parts of producing a FreeBSD SA. From
the correspondance I've received over the last few years, I'm quite
certain that no one really uses them. Those who *do* use them are
users who are quite capable of accurately determining the revisions on
their own. In addition, the revisions are often quite misleading. Some
examples are:
* Some revisions just aren't important from the perspective of the
security fix. src/UPDATING is an obvious case :-) but there are
less obvious cases, such as result from a merge.
* Often the revision numbers are not available in the resulting binary.
* Patches are most often produced *without* the revision number
changes, since these changes tend to get in the way of tools such
as patch(1). Thus, patched systems have "old" revision numbers.
The only practical way to specify affected versions of the system
is with a patch level as we've done for years. e.g. 4.8-RELEASE-p9
is unaffected, all those before are not. This is analogous to the
situation with ports... we use the package version number, not the
revision numbers of the Makefile and associated ports skeleton files,
nor the revision numbers of the original source files or anything
silly like that. We use the administratively maintained package
number with PORTEPOCH, PORTREVISION and such.
re@ and so@ actually had a long (unfortunately incomplete) thread
about this kind of thing. We'd like to be able to decouple the system
version number from the kernel build, but there are lots of details. I
guess we should revisit this soon, as this becomes IMHO more important
with the advent of errata branches. (I expect more patch releases.)
Cheers,
--
Jacques Vidrine / nectar@celabo.org / jvidrine@verio.net / nectar@freebsd.org
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20040822194025.GB17478>