Hello.
Tim Mooney wrote on 07.12.2015 18:27:
> In regard to: Re: [OpenIndiana-discuss] OI roadmap (for production), Stefan...:
>
> first of all, don't get me wrong. It wasn't the difference in security fix frequency that I called a good point but the relevance of it. I sure would not insult those keeping my favorite server OS alive! And great to hear that the security alerts / CVEs are being patched on a regular basis.
>
> As so often, this simply might be a matter of missing information. Is there a CVE patch log? The current release notes under http://wiki.openindiana.org/oi/Release+Notes don't seem to list any.
>
> Based solely on posts to the list and page updates in the wiki, it's obvious that you two do a lot related to OI; it just wasn't clear to me that /dev was getting much attention (I know /hipster is the focus).
That's not true. The last fix which appeared in /dev was bash shellshock. Hipster receives more attention (but much less than needed).
> What would help me (and hopefully others) is if there were documentation on how we can verify whether an OI /dev package includes a particular patch. Does that documentation exist?
For /hipster, to check if a particular package contains the necessary fix, you should look at the particular component at https://github.com/OpenIndiana/oi-userland/tree/oi/hipster/components .

For /dev it's more complicated, as the source code lives in several different repositories; most of them can be found here: https://hg.openindiana.org/sustaining/oi_151a/
> Take libpng for example. The latest OI /dev ships is 1.4.12. Everything before 1.4.17 is vulnerable to CVE-2015-7981 and CVE-2015-8126. Let's say that I had just installed a8 today and then updated to a9, so I didn't know whether libpng had been patched or not. How would I check?
It wasn't patched in /dev. In /hipster we ship 1.4.17.
> First I have to figure out if libpng is part of illumos or whether it's part of OI. How do I determine that?
On OI Hipster the easiest way is to check package attributes. If "pkg contents -m PACKAGE" shows illumos-gate.info* attributes, it's a part of illumos-gate; if it shows userland.info.* (and not illumos-gate.info*), it's part of oi-userland (or some other build system linked to oi-userland, like slim_source); otherwise it wasn't rebuilt since OI /dev.
> Check https://github.com/illumos/illumos-gate and see if it's there, and then check https://github.com/illumos/illumos-userland
illumos-userland is dead. OI Hipster code lives under https://github.com/OpenIndiana/oi-userland/. https://github.com/OpenIndiana/oi-userland/illumos-gate was expected to become the base of the new /dev.
> Once I figure out if a particular component comes from illumos or is specific to OI /dev, what then? Check to see if there's a patch committed to -gate, -userland, or the OI equivalent?
>
> I'm trying to find a way to verify component security that doesn't rely on more work from the few people that are already doing the security work, but it's not clear what a good method is to perform that verification.
It would be interesting to see such analysis, but I don't think it's possible to fully automate this task. I'd look at package versions. If they are less than the upstream versions containing the fix, I'd look at the oi-userland component or illumos-gate changelog for the affected code.
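The two checks described in this thread (classifying a package by its illumos-gate.info* / userland.info.* manifest attributes, and comparing the shipped version against the upstream version that carries the fix) can be scripted over the output of "pkg contents -m PACKAGE". The script below is an added example, not code from the list thread or from the OpenIndiana project. It runs offline on constructed manifest text: the "set name=... value=..." line shape is that of a pkg(5) manifest, but the package FMRIs, the specific attribute names beyond the two prefixes named above, and the file paths are assumptions made up for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): decide where an OI package's code comes
# from and whether its version predates the upstream fix, using the text that
# `pkg contents -m PACKAGE` prints. Sample manifests below are constructed;
# only the illumos-gate.info* and userland.info.* prefixes come from the thread.

# Constructed: a /hipster libpng rebuilt from oi-userland (attribute names
# beyond the userland.info. prefix are assumed, as are FMRIs and paths).
SAMPLE_USERLAND='set name=pkg.fmri value=pkg://openindiana.org/image/library/libpng14@1.4.17,5.11-2015.0.2.0:20151117T120000Z
set name=userland.info.git-remote value=https://github.com/OpenIndiana/oi-userland.git
set name=userland.info.git-branch value=oi/hipster
file path=lib/libpng14.so.14.17.0 owner=root group=bin mode=0755'

# Constructed: a component carrying illumos-gate.info* attributes.
SAMPLE_GATE='set name=pkg.fmri value=pkg://openindiana.org/system/library@0.5.11,5.11-2015.0.2.0:20151117T120000Z
set name=illumos-gate.info.git-remote value=https://github.com/illumos/illumos-gate.git
file path=lib/libc.so.1 owner=root group=bin mode=0755'

# Constructed: the /dev libpng, never rebuilt, so neither attribute family.
SAMPLE_DEV='set name=pkg.fmri value=pkg://openindiana.org/image/library/libpng@1.4.12,5.11-0.151.1.9:20140101T000000Z
file path=lib/libpng14.so.14.12.0 owner=root group=bin mode=0755'

# manifest_origin MANIFEST: apply the rule from the thread to the manifest text.
manifest_origin() {
    if printf '%s\n' "$1" | grep -q '^set name=illumos-gate\.info'; then
        echo illumos-gate
    elif printf '%s\n' "$1" | grep -q '^set name=userland\.info\.'; then
        echo oi-userland
    else
        echo "not rebuilt since OI /dev"
    fi
}

# manifest_version MANIFEST: the component version of pkg.fmri, i.e. the text
# between '@' and the ',' that starts the build/branch part.
manifest_version() {
    printf '%s\n' "$1" | sed -n 's/^set name=pkg\.fmri value=[^@]*@\([^,]*\),.*/\1/p'
}

# version_lt A B: succeed if dotted version A sorts numerically before B
# (missing trailing components count as 0, so 1.4 == 1.4.0).
version_lt() {
    a="$1" b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        [ "$ai" = "$a" ] && a='' || a=${a#*.}
        [ "$bi" = "$b" ] && b='' || b=${b#*.}
        ai=${ai:-0}; bi=${bi:-0}
        [ "$ai" -lt "$bi" ] && return 0
        [ "$ai" -gt "$bi" ] && return 1
    done
    return 1
}

# audit MANIFEST FIXED_VERSION: one-line verdict combining both checks. A
# version below the fixed upstream one is not proof of vulnerability (a fix
# may have been backported), hence the pointer to the component changelog.
audit() {
    v=$(manifest_version "$1")
    o=$(manifest_origin "$1")
    if version_lt "$v" "$2"; then
        echo "$v ($o): older than fixed upstream $2, check component changelog for a backport"
    else
        echo "$v ($o): at or above fixed upstream $2"
    fi
}

# On a real system the first argument would be "$(pkg contents -m PACKAGE)".
audit "$SAMPLE_DEV" 1.4.17
audit "$SAMPLE_USERLAND" 1.4.17
audit "$SAMPLE_GATE" 0.5.11
```

The script deliberately stops at "older than the fixed version": as the reply above says, the last step (reading the component or illumos-gate changelog for the affected code) is not something that can be fully automated.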
---
System Administrator of Southern Federal University Computer Center
_______________________________________________
openindiana-discuss mailing list
http://openindiana.org/mailman/listinfo/openindiana-discuss