In regard to: Re: [OpenIndiana-discuss] OI roadmap (for production),...:

What would help me (and hopefully others) is if there were documentation
on how we can verify whether an OI /dev package includes a particular
patch.  Does that documentation exist?

For /hipster, to check if a particular package contains the necessary fix, you should look at the particular component
at https://github.com/OpenIndiana/oi-userland/tree/oi/hipster/components .
For /dev it's more complicated, as the source code lives in several different repositories, most of which can be found here - https://hg.openindiana.org/sustaining/oi_151a/

Thanks, that information is very helpful.

First I have to figure out if libpng is part of illumos or whether it's
part of OI.  How do I determine that?

On OI Hipster the easiest way is to check package attributes. If pkg contents -m PACKAGE shows illumos-gate.info* attributes, it's a part of illumos-gate; if it shows userland.info.* (and not illumos-gate.info*), it's part of oi-userland
(or some other build system linked to oi-userland, like slim_source);
otherwise it wasn't rebuilt since OI /dev.

Ok, that's a big help, at least for hipster.  I had wondered if there
was a way to find the package provenance using the pkg command, but
couldn't find anything with the attempts I made.  Of course, I'm on
/dev, not hipster, so it looks like 'pkg contents -m' won't necessarily
help me figure out what "upstream" is for the package.

        https://github.com/illumos/illumos-gate

and see if it's there, and then check

        https://github.com/illumos/illumos-userland

illumos-userland is dead. OI Hipster code lives under https://github.com/OpenIndiana/oi-userland/.

You're talking about hipster, but my original post in this thread
was specifically about /dev.

https://github.com/OpenIndiana/oi-userland/illumos-gate was expected to
become base of new /dev.

Once I figure out if a particular component comes from illumos or is
specific to OI /dev, what then?  Check to see if there's a patch committed
to -gate, -userland, or the OI equivalent?

I'm trying to find a way to verify component security that doesn't rely
on more work from the few people that are already doing the security work,
but it's not clear what a good method is to perform that verification.

It would be interesting to see such analysis, but I don't think it's possible to fully automate this task.

Probably not.  That's more ambitious than I was trying to be; even being
able to manually follow a trail to determine whether security issues
have been addressed is better than having no idea, though.

I'd look at package versions. If they are less than the upstream versions
containing the fix, I'd look at the oi-userland component or illumos-gate
changelog for the affected code.

But oi-userland is for hipster, not /dev, so I'm still left trying to find
where "upstream" is and whether or not it includes a particular patch
for some security issue.

Tim
--
Tim Mooney                                             [email protected]
Enterprise Computing & Infrastructure                  701-231-1076 (Voice)
Room 242-J6, Quentin Burdick Building                  701-231-8541 (Fax)
North Dakota State University, Fargo, ND 58105-5164

_______________________________________________
openindiana-discuss mailing list
[email protected]
http://openindiana.org/mailman/listinfo/openindiana-discuss
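The two checks suggested in the thread (read the build-system attributes that pkg contents -m prints to find where a package came from, then compare its version against the upstream release that carries the fix) can be scripted. The following is an added example written for this page, not code from the thread or from the OpenIndiana project. The attribute prefixes userland.info.* and illumos-gate.info.* are taken from the reply above; the specific keys (git-remote, git-branch, git-rev), the pkg.fmri layout assumed by fmri_version, and the three sample manifests are assumptions and constructed input, not real package data.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or from OpenIndiana).
# Classifies a package's provenance from the "set name=..." attributes in the
# manifest text that `pkg contents -m PKG` prints, then compares its version
# against an upstream release known to contain a fix.
#
# ASSUMPTIONS: the attribute keys git-remote/git-branch/git-rev and the FMRI
# layout "name@version,build-branch:timestamp" are assumed; all sample data
# below is constructed for illustration.

# provenance MANIFEST_TEXT -> prints illumos-gate | oi-userland | legacy-dev
# Rule from the thread: illumos-gate.info.* wins, then userland.info.*,
# otherwise the package was never rebuilt after OI /dev.
provenance() {
    if printf '%s\n' "$1" | grep -q '^set name=illumos-gate\.info\.'; then
        echo illumos-gate
    elif printf '%s\n' "$1" | grep -q '^set name=userland\.info\.'; then
        echo oi-userland
    else
        echo legacy-dev
    fi
}

# fmri_version MANIFEST_TEXT -> the component version from the pkg.fmri line,
# e.g. 1.6.17 from ...libpng@1.6.17,5.11-2015.0.1.0:20150522T101010Z
fmri_version() {
    printf '%s\n' "$1" | sed -n 's/^set name=pkg\.fmri value=[^@]*@\([^,]*\),.*/\1/p'
}

# version_lt A B -> exit 0 if dotted numeric version A is older than B.
# Compares field by field; a missing field counts as 0 (1.6 < 1.6.1).
# Only purely numeric components are handled.
version_lt() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ia=${a%%.*}; ib=${b%%.*}
        if [ "${ia:-0}" -lt "${ib:-0}" ]; then return 0; fi
        if [ "${ia:-0}" -gt "${ib:-0}" ]; then return 1; fi
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 1
}

# needs_review MANIFEST_TEXT FIXED_UPSTREAM_VERSION -> prints a one-line verdict
needs_review() {
    v=$(fmri_version "$1")
    if version_lt "$v" "$2"; then
        echo "$(provenance "$1"): $v is older than $2, check the component changelog"
    else
        echo "$(provenance "$1"): $v is at or past $2"
    fi
}

# Constructed sample manifests (illustrative only, not real packages).
SAMPLE_USERLAND='set name=pkg.fmri value=pkg://openindiana.org/image/library/libpng@1.6.17,5.11-2015.0.1.0:20150522T101010Z
set name=userland.info.git-remote value=git://github.com/OpenIndiana/oi-userland.git
set name=userland.info.git-branch value=oi/hipster
set name=userland.info.git-rev value=0123456789abcdef0123456789abcdef01234567
file 0123abcd path=usr/lib/libpng16.so.16 owner=root group=bin mode=0755'

SAMPLE_GATE='set name=pkg.fmri value=pkg://openindiana.org/system/library@0.5.11,5.11-2015.0.1.14766:20150601T120000Z
set name=illumos-gate.info.git-remote value=git://github.com/illumos/illumos-gate.git
set name=illumos-gate.info.git-branch value=master
file 89abcdef path=lib/libc.so.1 owner=root group=bin mode=0755'

SAMPLE_LEGACY='set name=pkg.fmri value=pkg://openindiana.org/image/library/libpng@1.2.49,5.11-0.151.1.8:20120405T090000Z
file fedcba98 path=usr/lib/libpng12.so.0 owner=root group=bin mode=0755'

# Stand-alone demonstration. On a real OI system you would instead feed the
# live manifest: needs_review "$(pkg contents -m library/libpng)" 1.6.18
needs_review "$SAMPLE_USERLAND" 1.6.18
needs_review "$SAMPLE_GATE" 0.5.11
needs_review "$SAMPLE_LEGACY" 1.6.18
```

The provenance verdict only tells you which tree to read (oi-userland components, illumos-gate, or nothing for a never-rebuilt /dev package); the version comparison is a first filter, since a package at a lower version may still carry a backported patch that only the component's changelog will reveal.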
