DragonFly BSD
DragonFly kernel List (threaded) for 2006-02
[Date Prev][Date Next]  [Thread Prev][Thread Next]  [Date Index][Thread Index]

Re: pkgsrc packaging of base?


From: Oliver Fromme <check+iuh6ew00rs29fank@xxxxxxxxxx>
Date: 10 Feb 2006 14:31:46 GMT

Erik P. Skaalerud <erik@xxxxxxxxxxxx> wrote:
 > Oliver Fromme wrote:
 > >  > It makes it work well right up until gzip or some other program ends
 > >  > up with a security hole, and then you have to either manually patch it
 > > 
 > > Which is usually very easy.
 > > 
 > >  > (having no way to verify later if it was patched other than 'md5')
 > > 
 > > The patches should increase the RCS/CVS ID, so you can use
 > > ident(1) on the binary.
 > > 
 > >  > or upgrade the entire OS to -STABLE.
 > > 
 > > Which is usually quite easy, too.
 > > 
 > > There's a third possibility:  Download a patched binary.
 > > Same effect as manually patching and compiling it, but
 > > some people might prefer not to do that themselves.
 > > 
 > >  > Without packaging up the base system, updating a small amount of
 > >  > servers (100 or so) becomes a very difficult task
 > > 
 > > Uhm, I've done that in the past (FreeBSD).  It's not
 > > difficult at all, provided that the server farm has
 > > been designed and set up in a reasonable way (with
 > > updating in mind, right from the beginning).
 > 
 > Oliver, you have to put yourself in the new user's shoes. It's not easy 
 > at all to manually patch source code and rebuild the appropriate binaries 
 > and libraries.

It _is_ easy.  The FreeBSD Security Advisories contain
detailed step-by-step instructions.  In fact you can
copy&paste the commands from the advisories.  Let me
quote from a random advisory (SA-06:01):

====== begin quote ======
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 4.x and 5.x]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:01/texindex5x.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:01/texindex5x.patch.asc

[FreeBSD 6.x]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:01/texindex.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:01/texindex.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/gnu/usr.bin/texinfo/libtxi
# make obj && make depend && make
# cd /usr/src/gnu/usr.bin/texinfo/texindex
# make obj && make depend && make && make install
====== end quote ======

So what exactly is so difficult about that?  Well, of
course it could be automated even further, by providing
a tool which automatically looks at an advisory, then
downloads any patches, applies them etc., so the user
doesn't have to copy&paste "strange looking commands".
But that's just a detail, it doesn't change the way it
works.

 > I am one of those who like the idea of being able to have a system 
 > running without the sourcecode on the disk.

I have small systems without sources, too.  I usually
update them by first updating another machine with
sources, then copy the binaries over to the source-less
machine.

Best regards
   Oliver

-- 
Oliver Fromme,  secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing
Dienstleistungen mit Schwerpunkt FreeBSD: http://www.secnetix.de/bsd

Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.
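The procedure quoted in the message above (fetch the patch and its detached signature, verify, apply, rebuild) and the earlier point about using ident(1) to confirm a binary was actually rebuilt from patched sources, as one added shell example. This is not code from the post, from the advisory, or from FreeBSD's own tools. It assumes the advisory patch URL layout shown in the post, that fetch(1) and patch(1) behave as on FreeBSD, and that gpg(1) already has the FreeBSD Security Officer key imported; the sample "binary", its source path and its revision number are constructed for the demo and are not a real advisory's values.

```shell
#!/bin/sh
# Added example: a thin wrapper around the manual advisory procedure.
# Nothing here is FreeBSD's own tooling; see the lead-in for assumptions.
set -u

# Layout of the advisory patch directory as shown in SA-06:01 (assumed to hold
# for other advisories).
PATCH_BASE="ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches"

# Download <name> and <name>.asc for advisory <sa> into <dir> and refuse to
# return success unless the detached signature verifies.  Never applies an
# unverified patch: a mirror or an on-path attacker could serve a bad one.
fetch_and_verify() {
    sa=$1; name=$2; dir=$3
    fetch -o "$dir/$name"     "$PATCH_BASE/$sa/$name"     || return 1
    fetch -o "$dir/$name.asc" "$PATCH_BASE/$sa/$name.asc" || return 1
    # gpg exits non-zero on a bad, missing or untrusted signature
    gpg --verify "$dir/$name.asc" "$dir/$name" || return 1
}

# Apply a verified patch to the source tree <src>, then rebuild and install
# the directories listed in <dirs> (space separated, relative to <src>),
# exactly as the advisory's step b) does by hand.
apply_and_rebuild() {
    src=$1; file=$2; dirs=$3
    (cd "$src" && patch < "$file") || return 1
    for d in $dirs; do
        (cd "$src/$d" && make obj && make depend && make && make install) || return 1
    done
}

# List the $FreeBSD$ RCS/CVS ids embedded in a file, as ident(1) would.
# -a treats a binary as text; -o prints only the matched id strings.
list_ids() {
    grep -ao '\$FreeBSD: [^$]*\$' "$1"
}

# Succeed iff <file> carries a $FreeBSD$ id for source <path> at revision
# <rev>; this is the post's "use ident(1) on the binary" check, scripted.
# (Dots in <path> act as regex wildcards here, which is harmless for a
# presence check but would matter for exact matching.)
has_revision() {
    file=$1; path=$2; rev=$3
    grep -aq "\$FreeBSD: $path,v $rev " "$file"
}

# --- Constructed sample: a fake "binary" standing in for an installed
# texindex.  The NUL bytes make it binary; the path and revision are made up.
SAMPLE=$(mktemp) || exit 1
trap 'rm -f "$SAMPLE"' EXIT
printf 'ELF\000\001$FreeBSD: src/gnu/usr.bin/texinfo/texindex/texindex.c,v 1.5.2.1 2006/01/11 00:00:00 nobody Exp $\000trailer\n' > "$SAMPLE"

# Show what an operator would see when checking whether the fix is in place.
echo "ids found in $SAMPLE:"
list_ids "$SAMPLE"
if has_revision "$SAMPLE" src/gnu/usr.bin/texinfo/texindex/texindex.c 1.5.2.1; then
    echo "patched revision present"
else
    echo "patched revision NOT present"
fi
```

The fetch and rebuild functions are only defined above, not invoked, so the script runs offline; on a real host one would call `fetch_and_verify SA-06:01 texindex.patch /tmp` followed by `apply_and_rebuild /usr/src /tmp/texindex.patch "gnu/usr.bin/texinfo/libtxi gnu/usr.bin/texinfo/texindex"`, and then `has_revision` against the installed binary on every server, including the source-less ones that received copied binaries, is a cheap post-install check.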
