pkgsrc packaging of base?

Oliver Fromme check+iuh6ew00rs29fank at fromme.com
Fri Feb 10 06:31:46 PST 2006


Erik P. Skaalerud <erik at xxxxxxxxxxxx> wrote:
 > Oliver Fromme wrote:
 > >  > It makes it work well right up until gzip or some other program ends
 > >  > up with a security hole, and then you have to either manually patch it
 > > 
 > > Which is usually very easy.
 > > 
 > >  > (having no way to verify later if it was patched other than 'md5')
 > > 
 > > The patches should increase the RCS/CVS ID, so you can use
 > > ident(1) on the binary.
 > > 
 > >  > or upgrade the entire OS to -STABLE.
 > > 
 > > Which is usually quite easy, too.
 > > 
 > > There's a third possibility:  Download a patched binary.
 > > Same effect as manually patching and compiling it, but
 > > some people might prefer not to do that themselves.
 > > 
 > >  > Without packaging up the base system, updating a small amount of
 > >  > servers (100 or so) becomes a very difficult task
 > > 
 > > Uhm, I've done that in the past (FreeBSD).  It's not
 > > difficult at all, provided that the server farm has
 > > been designed and set up in a reasonable way (with
 > > updating in mind, right from the beginning).
 > 
 > Oliver, you have to put yourself in the new user's shoes. It's not easy 
 > at all to manually patch source code and rebuild the appropriate binaries 
 > and libraries.

It _is_ easy.  The FreeBSD Security Advisories contain
detailed step-by-step instructions.  In fact you can
copy&paste the commands from the advisories.  Let me
quote from a random advisory (SA-06:01):

====== begin quote ======
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 4.x and 5.x]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:01/texindex5x.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:01/texindex5x.patch.asc

[FreeBSD 6.x]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:01/texindex.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:01/texindex.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/gnu/usr.bin/texinfo/libtxi
# make obj && make depend && make
# cd /usr/src/gnu/usr.bin/texinfo/texindex
# make obj && make depend && make && make install
====== end quote ======

So what exactly is so difficult about that?  Well, of
course it could be automated even further, by providing
a tool which automatically looks at an advisory, then
downloads any patches, applies them etc., so the user
doesn't have to copy&paste "strange looking commands".
But that's just a detail, it doesn't change the way it
works.

 > I am one of those who like the idea of being able to have a system 
 > running without the source code on the disk.

I have small systems without sources, too.  I usually
update them by first updating another machine with
sources, then copying the binaries over to the source-less
machine.

Best regards
   Oliver

-- 
Oliver Fromme,  secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing
Services with a focus on FreeBSD: http://www.secnetix.de/bsd

Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.
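The message above argues that a patched binary can be recognised by its RCS/CVS ID via ident(1), because the patch bumps the revision embedded in the source. The following is an added example, not code from Oliver's message or from FreeBSD itself; it does in Python what ident(1) does (scan a file for expanded `$FreeBSD: ... $` keywords) and then compares the revisions it finds against the minimum revisions an advisory names, so an administrator can check a copied binary on a source-less machine. The sample "binary", the file names under the texinfo directories, and the revision numbers are constructed for the demonstration.

```python
import re

# Expanded RCS/CVS keyword, i.e. the strings ident(1) prints:  $Name: value $
IDENT_RE = re.compile(rb'\$([A-Za-z]+): ([^$\n]+?) \$')

# Constructed stand-in for a compiled binary: an ELF-looking prefix, two embedded
# $FreeBSD$ strings (file names and revisions are made up), and some padding.
SAMPLE_BINARY = (
    b'\x7fELF\x02\x01\x01' + b'\x00' * 9
    + b'$FreeBSD: src/gnu/usr.bin/texinfo/texindex/texindex.c,v 1.7 2006/01/11 10:00:00 user Exp $\x00'
    + b'$FreeBSD: src/gnu/usr.bin/texinfo/libtxi/xmalloc.c,v 1.2 2004/03/01 09:00:00 user Exp $\x00'
    + b'\x00\x00trailing bytes'
)


def extract_idents(blob: bytes):
    """Return (keyword, value) pairs found in a byte blob, like `ident file`."""
    return [(k.decode('ascii'), v.decode('ascii', 'replace'))
            for k, v in IDENT_RE.findall(blob)]


def revision_tuple(rev: str):
    """'1.2.2.3' -> (1, 2, 2, 3), so revisions compare numerically, not as strings."""
    return tuple(int(x) for x in rev.split('.'))


def parse_revisions(idents):
    """Map source path -> revision tuple from expanded $FreeBSD$/$Id$/$Header$ keywords.

    Expanded form: 'src/path/file.c,v 1.2 2006/01/11 10:00:00 user Exp'.
    """
    revs = {}
    for keyword, value in idents:
        if keyword not in ('FreeBSD', 'Id', 'Header'):
            continue
        parts = value.split()
        if len(parts) < 2 or not parts[0].endswith(',v'):
            continue
        try:
            revs[parts[0][:-2]] = revision_tuple(parts[1])
        except ValueError:
            continue  # not a numeric revision; ignore
    return revs


def check_patched(blob: bytes, expected: dict):
    """For each path in `expected` ({path: minimum revision string}) report
    'ok' (revision >= minimum), 'stale' (older revision) or 'missing' (no ID found)."""
    found = parse_revisions(extract_idents(blob))
    result = {}
    for path, min_rev in expected.items():
        want = revision_tuple(min_rev)
        if path not in found:
            result[path] = 'missing'
        elif found[path] >= want:
            result[path] = 'ok'
        else:
            result[path] = 'stale'
    return result


def check_file(path: str, expected: dict):
    """Run check_patched over a real file on disk (e.g. /usr/bin/texindex)."""
    with open(path, 'rb') as fh:
        return check_patched(fh.read(), expected)


if __name__ == '__main__':
    # Constructed expectation: the advisory's patch supposedly bumped texindex.c
    # to 1.7 and xmalloc.c to 1.3; the sample binary only has 1.2 of the latter.
    wanted = {
        'src/gnu/usr.bin/texinfo/texindex/texindex.c': '1.7',
        'src/gnu/usr.bin/texinfo/libtxi/xmalloc.c': '1.3',
    }
    for path, state in check_patched(SAMPLE_BINARY, wanted).items():
        print(f'{state:8s} {path}')
```

Revisions are compared as integer tuples, so 1.10 correctly ranks above 1.9. One caveat the comparison does not resolve: CVS branch revisions (such as 1.2.2.1 on a RELENG branch) are not linearly ordered against HEAD revisions like 1.3, so the minimum revision passed in must be the one the advisory names for the branch the binary was built from.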
