DragonFly kernel List (threaded) for 2006-02
Re: pkgsrc packaging of base?
Erik P. Skaalerud <erik@xxxxxxxxxxxx> wrote:
> Oliver Fromme wrote:
> > > It makes it work well right up until gzip or some other program ends
> > > up with a security hole, and then you have to either manually patch it
> > Which is usually very easy.
> > > (having no way to verify later if it was patched other than 'md5')
> > The patches should increase the RCS/CVS ID, so you can use
> > ident(1) on the binary.
> > > or upgrade the entire OS to -STABLE.
> > Which is usually quite easy, too.
> > There's a third possibility: Download a patched binary.
> > Same effect as manually patching and compiling it, but
> > some people might prefer not to do that themselves.
> > > Without packaging up the base system, updating a small amount of
> > > servers (100 or so) becomes a very difficult task
> > Uhm, I've done that in the past (FreeBSD). It's not
> > difficult at all, provided that the server farm has
> > been designed and set up in a reasonable way (with
> > updating in mind, right from the beginning).
> Oliver, you have to put yourself in the new user's shoes. It's not easy
> at all to manually patch sourcecode and rebuild the appropriate binaries
> and libraries.
It _is_ easy. The FreeBSD Security Advisories contain
detailed step-by-step instructions. In fact you can
copy&paste the commands from the advisories. Let me
quote from a random advisory (SA-06:01):
====== begin quote ======
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
[FreeBSD 4.x and 5.x]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:01/texindex5x.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:01/texindex5x.patch.asc
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:01/texindex.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:01/texindex.patch.asc
b) Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/gnu/usr.bin/texinfo/libtxi
# make obj && make depend && make
# cd /usr/src/gnu/usr.bin/texinfo/texindex
# make obj && make depend && make && make install
====== end quote ======
So what exactly is so difficult about that? Well, of
course it could be automated even further, by providing
a tool which automatically looks at an advisory, then
downloads any patches, applies them etc., so the user
doesn't have to copy&paste "strange looking commands".
But that's just a detail, it doesn't change the way it
> I am one of those who like the idea of being able to have a system
> running without the sourcecode on the disk.
I have small systems without sources, too. I usually
update them by first updating another machine with
sources, then copy the binaries over to the source-less
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing
Dienstleistungen mit Schwerpunkt FreeBSD: http://www.secnetix.de/bsd
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.
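The advisory steps quoted in the message above, and the "tool which automatically looks at an advisory, then downloads any patches, applies them" that Oliver describes, can be sketched as a small script. The following is an added example, not code from this thread, from FreeBSD or from secnetix: it reads the "# fetch" lines of an advisory on stdin, pairs every patch with its detached .asc signature, and only touches /usr/src after gpg has verified that signature. It assumes fetch(1), gpg(1) with the FreeBSD Security Officer key already imported, FreeBSD's patch(1) with the -C check-only flag, and sources under /usr/src (overridable via SRCDIR); the script name and the ftp://example.invalid/unsigned.patch line used to exercise the missing-signature case are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeBSD: automates steps (a)
# and (b) of the advisory quoted above. Reads the "# fetch ..." lines of an
# advisory on stdin, pairs each patch with its detached .asc signature, and
# refuses to touch the source tree unless gpg verifies the signature.
# Assumptions: fetch(1), gpg(1) with the FreeBSD Security Officer key already
# imported, patch(1) with FreeBSD's -C (check-only) flag, sources in /usr/src.
set -eu

SRCDIR=${SRCDIR:-/usr/src}

# Print one "patch-url signature-url" pair per line. A patch whose .asc line is
# missing from the advisory is reported on stderr and skipped, never applied.
pair_patches() {
    sed -n 's/^# fetch \([^ ]*\)$/\1/p' | awk '
        /\.asc$/ { sig[substr($0, 1, length($0) - 4)] = $0; next }
                 { patches[++n] = $0 }
        END {
            for (i = 1; i <= n; i++) {
                if (patches[i] in sig)
                    print patches[i], sig[patches[i]]
                else
                    print "no detached signature for " patches[i] > "/dev/stderr"
            }
        }'
}

# Download patch and signature, verify, dry-run the patch, then apply it.
verify_and_apply() {
    url=$1; sigurl=$2
    tmp=$(mktemp -d)
    fetch -o "$tmp/p.patch" "$url"
    fetch -o "$tmp/p.patch.asc" "$sigurl"
    # Verification happens before any modification of the source tree.
    if ! gpg --verify "$tmp/p.patch.asc" "$tmp/p.patch"; then
        echo "signature check failed for $url, not applying" >&2
        rm -rf "$tmp"
        return 1
    fi
    # -C only checks that the patch applies cleanly (--dry-run on GNU patch).
    (cd "$SRCDIR" && patch -C < "$tmp/p.patch" && patch < "$tmp/p.patch")
    rm -rf "$tmp"
}

main() {
    pair_patches | while read -r url sigurl; do
        verify_and_apply "$url" "$sigurl"
    done
}

# Usage (hypothetical file name): sh apply-advisory.sh run < SA-06-01.txt
# The make/install commands from step (b) still follow by hand, since the
# directories differ per advisory.
if [ "${1:-}" = run ]; then main; fi
```

The ordering is the point: the signature check gates the patch, and a patch for which the advisory lists no .asc is skipped rather than applied on trust, which is the property a hand-run copy&paste of the advisory leaves to the operator's discipline.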