Erik P. Skaalerud <[EMAIL PROTECTED]> wrote:
> Oliver Fromme wrote:
> > > It makes it work well right up until gzip or some other program ends
> > > up with a security hole, and then you have to either manually patch it
> >
> > Which is usually very easy.
> >
> > > (having no way to verify later if it was patched other than 'md5')
> >
> > The patches should increase the RCS/CVS ID, so you can use
> > ident(1) on the binary.
> >
> > > or upgrade the entire OS to -STABLE.
> >
> > Which is usually quite easy, too.
> >
> > There's a third possibility: Download a patched binary.
> > Same effect as manually patching and compiling it, but
> > some people might prefer not to do that themselves.
> >
> > > Without packaging up the base system, updating a small amount of
> > > servers (100 or so) becomes a very difficult task
> >
> > Uhm, I've done that in the past (FreeBSD). It's not
> > difficult at all, provided that the server farm has
> > been designed and set up in a reasonable way (with
> > updating in mind, right from the beginning).
>
> Oliver, you have to put yourself in the new user's shoes. It's not easy
> at all to manually patch source code and rebuild the appropriate binaries
> and libraries.
It _is_ easy. The FreeBSD Security Advisories contain detailed
step-by-step instructions. In fact you can copy&paste the commands
from the advisories. Let me quote from a random advisory (SA-06:01):

====== begin quote ======
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 4.x and 5.x]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:01/texindex5x.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:01/texindex5x.patch.asc

[FreeBSD 6.x]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:01/texindex.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:01/texindex.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/gnu/usr.bin/texinfo/libtxi
# make obj && make depend && make
# cd /usr/src/gnu/usr.bin/texinfo/texindex
# make obj && make depend && make && make install
====== end quote ======

So what exactly is so difficult about that?

Well, of course it could be automated even further, by providing a
tool which automatically looks at an advisory, then downloads any
patches, applies them etc., so the user doesn't have to copy&paste
"strange looking commands". But that's just a detail, it doesn't
change the way it works.

> I am one of those who like the idea of being able to have a system
> running without the source code on the disk.

I have small systems without sources, too. I usually update them by
first updating another machine with sources, then copy the binaries
over to the source-less machine.

Best regards
   Oliver

-- 
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing
Dienstleistungen mit Schwerpunkt FreeBSD: http://www.secnetix.de/bsd
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.
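The thread makes two points that belong together: the advisory procedure rebuilds a binary from patched source, and the rebuilt binary can afterwards be checked with ident(1) because the patch bumps the RCS/CVS ID of the touched file. The script below is an added example, not part of the mail or of SA-06:01, that performs that after-the-fact check with plain grep and awk for hosts that have no ident(1) or source tree (the "source-less" machines mentioned above). The file paths, revision numbers and committer names in the constructed sample "binary" are illustrative, and `grep -o`/`grep -a` are assumed to be available (GNU and BSD grep both have them, POSIX does not require them).

```shell
#!/bin/sh
# Added example: mimic ident(1) to confirm a binary carries the patched
# source revision. Assumes the sources carry $FreeBSD$ keywords, as the
# FreeBSD src tree does, and that the advisory patch bumps the revision.

# Print every "$FreeBSD: ... $" keyword string embedded in FILE, as
# ident(1) would (-a: treat the binary as text, -o: matches only).
extract_ids() {
    grep -a -o '\$FreeBSD: [^$]*\$' "$1"
}

# revision_of BINARY SRCFILE: print the revision recorded for SRCFILE
# (e.g. texindex.c) in BINARY; fail if no such keyword is present.
# Field layout: $1="$FreeBSD:" $2="path/file.c,v" $3="1.24" ...
revision_of() {
    extract_ids "$1" | awk -v f="$2" '
        index($2, f) { print $3; found = 1 }
        END { exit found ? 0 : 1 }'
}

# rev_ge A B: succeed if dotted revision A is >= B (1.10 >= 1.9 is true;
# a plain string comparison would get that wrong).
rev_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0 }'
}

# check_patched BINARY SRCFILE MINREV: succeed only if BINARY records
# SRCFILE at revision MINREV or later, i.e. the advisory patch is in.
check_patched() {
    rev=$(revision_of "$1" "$2") || {
        echo "no $2 ident string in $1" >&2
        return 1
    }
    rev_ge "$rev" "$3"
}

# make_sample FILE: write a constructed stand-in for a binary: two ident
# strings separated by NUL bytes. Revisions are invented for the example.
make_sample() {
    printf 'ELF\000\000$FreeBSD: src/gnu/usr.bin/texinfo/texindex/texindex.c,v 1.24 2006/01/11 12:00:00 cperciva Exp $\000\000$FreeBSD: src/gnu/usr.bin/texinfo/libtxi/xmalloc.c,v 1.3 2004/01/01 00:00:00 ru Exp $\000' > "$1"
}

sample=$(mktemp)
make_sample "$sample"
extract_ids "$sample"
if check_patched "$sample" texindex.c 1.24; then
    echo "texindex.c is at the patched revision or later"
else
    echo "texindex.c is NOT patched" >&2
fi
rm -f "$sample"
```

On a real system you would run `check_patched /usr/bin/texindex texindex.c <revision from the patch header>` on each of the 100 servers after copying the binaries over; the revision to compare against is the one the advisory's patch commits, read from the `$FreeBSD$` line in the patch itself.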
