On 7 December 2015 17:24:31 CET, Paul Johnston <paul.johns...@manchester.ac.uk> wrote:
>You around tomorrow?
>
>Paul
>
>-----Original Message-----
>From: Tim Mooney [mailto:tim.moo...@ndsu.edu]
>Sent: 07 December 2015 15:28
>To: Discussion list for OpenIndiana
>Subject: Re: [OpenIndiana-discuss] OI roadmap (for production)
>
>In regard to: Re: [OpenIndiana-discuss] OI roadmap (for production),
>Stefan...:
>
>> first of all, don't get me wrong. It wasn't the difference in security
>> fix frequency that I called a good point but the relevance of it. I
>> sure would not insult those keeping my favorite server OS alive! And
>> great to hear that the security alerts / CVEs are being patched on a
>> regular basis.
>>
>> As so often, this simply might be a matter of missing information. Is
>> there a CVE patch log? The current release notes under
>> http://wiki.openindiana.org/oi/Release+Notes don't seem to list any.
>
>Yes, that's more my fault than Stefan's. Stefan was responding to my
>comment.
>
>I'm happy to see posts from both Alexander and Jim indicating that
>security issues are being addressed.
>
>Based solely on posts to the list and page updates in the wiki, it's
>obvious that you two do a lot related to OI; it just wasn't clear to me
>that /dev was getting much attention (I know /hipster is the focus).
>
>What would help me (and hopefully others) is if there were
>documentation on how we can verify whether an OI /dev package includes
>a particular patch. Does that documentation exist?
>
>Part of the issue is that if I run the software update utility or pkg
>update and there haven't been any package updates in months, it's hard
>to know whether a particular vulnerability has been patched. At least
>on Linux, it's very easy to go back to the vendor package source and
>check to see if a particular patch is included.
>
>Take libpng for example. The latest OI /dev ships is 1.4.12.
>Everything before 1.4.17 is vulnerable to CVE-2015-7981 and
>CVE-2015-8126. Let's say that I had just installed a8 today and then
>updated to a9, so I didn't know whether libpng had been patched or not.
>How would I check?
>
>First I have to figure out if libpng is part of illumos or whether it's
>part of OI. How do I determine that? Check
>
> https://github.com/illumos/illumos-gate
>
>and see if it's there, and then check
>
> https://github.com/illumos/illumos-userland
>
>and if it's not listed in either, then it's OI? Is that the best way
>to tell?
>
>Once I figure out if a particular component comes from illumos or is
>specific to OI /dev, what then? Check to see if there's a patch
>committed to -gate, -userland, or the OI equivalent?
>
>I'm trying to find a way to verify component security that doesn't rely
>on more work from the few people that are already doing the security
>work, but it's not clear what a good method is to perform that
>verification.
>
>Tim

Might it make sense to use some pkg(5) metadata to list the CVEs known to be covered by a particular release+patch recipe used in the build? I know I'd quickly stop maintaining such data though, but there may be even more pedantic people than myself out there ;) And for a commercialized or otherwise paid effort, someone could be doing this Sisyphean task. Anyhow, someone has to revise if a CVE applies to our code and write down the inspection results somewhere - might as well accompany the relevant code snapshot. Reminds me sort of like Sun's patch READMEs with lists of changelogs, bugids and errata...
--
Typos courtesy of K-9 Mail on my Samsung Android
_______________________________________________
openindiana-discuss mailing list
openindiana-discuss@openindiana.org
http://openindiana.org/mailman/listinfo/openindiana-discuss
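As an added illustration of the two approaches discussed above (comparing the installed package version against the upstream release that fixed a CVE, and recording covered CVEs in pkg(5) metadata), here is a small checker. It is example code written for this page, not code from the thread, from OpenIndiana or from illumos. The FMRI syntax is the one pkg(5) prints; the `pkg list -Hv` line and the manifest excerpt are constructed so the script runs offline, and the manifest attribute name `info.cve` is an assumption standing in for the metadata the reply proposes (pkg(5) allows arbitrary `set name=... value=...` actions, but no such convention exists on the page).

```python
"""Check whether an installed IPS (pkg(5)) package is at or past the upstream
version that fixes a given CVE, and whether its manifest records the CVE as
covered by a backported patch.

Added example; not code from the thread, OpenIndiana or illumos.
Inputs are constructed; on a real system you would feed in the output of
'pkg list -Hv libpng' and 'pkg contents -m libpng'.
"""
import re

# Constructed: one line in the shape of 'pkg list -Hv' output for OI /dev libpng 1.4.12.
PKG_LIST_OUTPUT = (
    "pkg://openindiana.org/image/library/libpng@1.4.12,5.11-0.151.1.9:"
    "20131204T221457Z i--\n"
)

# Constructed manifest excerpt in 'pkg contents -m' form. The 'info.cve'
# attribute is hypothetical: it models the per-package CVE list the reply suggests.
PKG_MANIFEST = """\
set name=pkg.fmri value=pkg://openindiana.org/image/library/libpng@1.4.12,5.11-0.151.1.9:20131204T221457Z
set name=pkg.summary value="PNG reference library"
set name=info.cve value=CVE-2015-7981
file 3f2b0c path=usr/lib/libpng14.so.14.12.0 owner=root group=bin mode=0755
"""

# From the thread: upstream libpng release in which each CVE was fixed.
FIXED_IN = {"CVE-2015-7981": "1.4.17", "CVE-2015-8126": "1.4.17"}

# pkg://<publisher>/<name>@<version>,<build>-<branch>:<timestamp>
FMRI_RE = re.compile(r"^pkg://[^/]+/(?P<name>\S+?)@(?P<version>[^,:\s]+)")


def parse_fmri(line):
    """Return (package name, upstream component version) from an FMRI line."""
    m = FMRI_RE.match(line.strip())
    if not m:
        raise ValueError("not a pkg(5) FMRI: %r" % line)
    return m.group("name"), m.group("version")


def version_tuple(v):
    """Turn '1.4.12' into (1, 4, 12) so comparisons are numeric, not lexical."""
    return tuple(int(x) for x in v.split("."))


def manifest_cves(manifest):
    """CVE ids declared through the (assumed) 'set name=info.cve' actions."""
    return set(re.findall(r"^set name=info\.cve value=(CVE-\d{4}-\d+)", manifest, re.M))


def cve_status(cve, pkg_list_line, manifest=""):
    """Classify a CVE for an installed package.

    'fixed-upstream'  - version is at or past the fixing release
    'fixed-by-patch'  - older version, but the manifest records the CVE
    'unknown'         - older version and no metadata; a backport may or may
                        not be present, which is exactly the gap the thread
                        complains about and the metadata is meant to close.
    """
    _, version = parse_fmri(pkg_list_line)
    if version_tuple(version) >= version_tuple(FIXED_IN[cve]):
        return "fixed-upstream"
    if cve in manifest_cves(manifest):
        return "fixed-by-patch"
    return "unknown"


if __name__ == "__main__":
    for cve in sorted(FIXED_IN):
        print(cve, cve_status(cve, PKG_LIST_OUTPUT, PKG_MANIFEST))
```

Version comparison alone answers only the easy case (the package is already past the fixing release); for the 1.4.12 package above it says nothing about a backport, so without the metadata the answer for CVE-2015-8126 stays "unknown" and a reader is back to reading the build recipe by hand.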