Re: [OpenIndiana-discuss] p7zip

2016-12-08 Thread Alexander Pyhalov

On 12/9/16 09:07 AM, Jim Klimov wrote:
> On another hand, is there a particular benefit of patching older versions in
> userland as cve fixes come out, rather than taking the newest release (assumed
> to include all bugfixes known to authors)?

It depends. When a fix lands in a new major release, it's worth patching.
We don't want to do major updates just to fix security issues.
They usually contain not only new features, but also new bugs.
Or can just break API/ABI.
--
Best regards,
Alexander Pyhalov,
system administrator of Southern Federal University IT department

___
openindiana-discuss mailing list
openindiana-discuss@openindiana.org
https://openindiana.org/mailman/listinfo/openindiana-discuss


Re: [OpenIndiana-discuss] p7zip

2016-12-08 Thread Jim Klimov
On 8 December 2016, 23:19:02 CET, Alexander Pyhalov wrote:
>Tim Mooney wrote on 08.12.2016 22:05:
>> In regard to: Re: [OpenIndiana-discuss] p7zip, Alexander Pyhalov said
>> (at...:
>>
>>> Jim Klimov wrote on 04.12.2016 20:11:
>>>> On 4 December 2016, 16:16:57 CET, cpforum wrote:
>>>>> Hi,
>>>>>
>>>>> It seems that CVE-2016-9296 (2016111) affects p7zip Hipster release
>>>>> (15.14.1-2016.0.0.3)
>>>
>>> Hi. Yes, we missed this fix. I've just committed it.
>>> Unfortunately, pkg info is quite useless in determining which
>>> security fixes are applied to the package.
>>
>> Yeah, we talked about that issue last year around this time.  This
>> post from Peter is from the middle of the long thread, but it captures
>> one of the most interesting ideas:
>>
>> https://openindiana.org/pipermail/openindiana-discuss/2015-December/018370.html
>
>Hi.
>Yes, the idea is really interesting.
>But there are many small issues to be solved.
>
>For example, I bump package version. A month later I found out that this
>updated version fixed some vulnerability. Should I update security
>metadata package?
>What about CVE, which we miss? I mean, one should constantly monitor
>security lists for new issues. What about old CVEs?
>So, absence of CVE metadata in this new security package will likely
>mean 'unknown', not 'vulnerable'.
>Another, more technical issue is that we sometimes can wrongly predict
>published package version. So, should we fix such wrongly added
>metadata?
>If we fix it, will two facts appear in the security metadata package?
>So, before implementing something similar we should analyze all pros and
>cons for a while.
>
>Another question is if we should collect this metadata in one dedicated
>package or in package which fixed the issue? I think separate package is
>better as this allows us to mark CVEs to be fixed-in-past.
>
>Should it be IPS metadata at all? Perhaps, it could be just RSS
>extracted from some git tags?
>
>
>---
>System Administrator of Southern Federal University Computer Center
>
>

On another hand, is there a particular benefit of patching older versions in 
userland as cve fixes come out, rather than taking the newest release (assumed 
to include all bugfixes known to authors)?

Jim
--
Typos courtesy of K-9 Mail on my Samsung Android



[OpenIndiana-discuss] Updates stopped again at the Openindiana wiki

2016-12-08 Thread Gary Mills
It's now been a month since this page:

https://wiki.openindiana.org/oi/Recent+Wiki+Changes

has changed.  Is updating broken again?


-- 
-Gary Mills--refurb--Winnipeg, Manitoba, Canada-



Re: [OpenIndiana-discuss] p7zip

2016-12-08 Thread Alexander Pyhalov

Tim Mooney wrote on 08.12.2016 22:05:
> In regard to: Re: [OpenIndiana-discuss] p7zip, Alexander Pyhalov said
> (at...:
>
>> Jim Klimov wrote on 04.12.2016 20:11:
>>> On 4 December 2016, 16:16:57 CET, cpforum wrote:
>>>> Hi,
>>>>
>>>> It seems that CVE-2016-9296 (2016111) affects p7zip Hipster release
>>>> (15.14.1-2016.0.0.3)
>>
>> Hi. Yes, we missed this fix. I've just committed it.
>> Unfortunately, pkg info is quite useless in determining which
>> security fixes are applied to the package.
>
> Yeah, we talked about that issue last year around this time.  This
> post from Peter is from the middle of the long thread, but it captures
> one of the most interesting ideas:
>
> https://openindiana.org/pipermail/openindiana-discuss/2015-December/018370.html


Hi.
Yes, the idea is really interesting.
But there are many small issues to be solved.

For example, I bump package version. A month later I found out that this 
updated version fixed some vulnerability. Should I update security 
metadata package?
What about CVE, which we miss? I mean, one should constantly monitor 
security lists for new issues. What about old CVEs?
So, absence of CVE metadata in this new security package will likely 
mean 'unknown', not 'vulnerable'.
Another, more technical issue is that we sometimes can wrongly predict 
published package version. So, should we fix such wrongly added 
metadata?

If we fix it, will two facts appear in the security metadata package?
So, before implementing something similar we should analyze all pros and 
cons for a while.


Another question is if we should collect this metadata in one dedicated 
package or in package which fixed the issue? I think separate package is 
better as this allows us to mark CVEs to be fixed-in-past.


Should it be IPS metadata at all? Perhaps, it could be just RSS 
extracted from some git tags?



---
System Administrator of Southern Federal University Computer Center
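
The status model raised in the message above (missing metadata means 'unknown', a wrongly predicted version is corrected by a second fact, and a CVE can be recorded as fixed in the past), sketched as an added example that is not part of the thread and is not OpenIndiana or IPS code. The package name, CVE ids and versions are constructed, and the version comparison is a simplification of real IPS version ordering.

```python
import re
from dataclasses import dataclass

def parse_version(v):
    """Simplified ordering key: split on '.' and '-' and compare as integers."""
    return tuple(int(p) for p in re.split(r"[.-]", v))

@dataclass(frozen=True)
class Fact:
    seq: int        # order in which the fact was recorded
    package: str
    cve: str
    fixed_in: str   # first package version believed to carry the fix

class SecurityMetadata:
    """Append-only store kept apart from the packages it describes."""

    def __init__(self):
        self.facts = []

    def record(self, package, cve, fixed_in):
        self.facts.append(Fact(len(self.facts), package, cve, fixed_in))

    def effective(self, package, cve):
        # A correction is a later fact for the same key; the newest one wins,
        # and the superseded fact stays in the history.
        hits = [f for f in self.facts if (f.package, f.cve) == (package, cve)]
        return hits[-1] if hits else None

    def status(self, package, installed, cve):
        fact = self.effective(package, cve)
        if fact is None:
            return "unknown"    # no metadata is not evidence of a vulnerability
        if parse_version(installed) >= parse_version(fact.fixed_in):
            return "fixed"
        return "vulnerable"

def demo():
    # Constructed sample data: package name, CVE ids and versions are made up.
    db = SecurityMetadata()
    db.record("example/archiver", "CVE-0000-0001", "1.0-2016.0.0.5")  # wrong guess
    before = db.status("example/archiver", "1.0-2016.0.0.4", "CVE-0000-0001")
    db.record("example/archiver", "CVE-0000-0001", "1.0-2016.0.0.4")  # correction
    after = db.status("example/archiver", "1.0-2016.0.0.4", "CVE-0000-0001")
    untracked = db.status("example/archiver", "1.0-2016.0.0.4", "CVE-0000-0002")
    return before, after, untracked, len(db.facts)
```

Because the store is separate from the package, a fact can be added long after the fixing version was published, and a consumer has to treat 'unknown' as a distinct answer rather than as 'fixed'.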




Re: [OpenIndiana-discuss] p7zip

2016-12-08 Thread Tim Mooney

In regard to: Re: [OpenIndiana-discuss] p7zip, Alexander Pyhalov said (at...:


> Jim Klimov wrote on 04.12.2016 20:11:
>> On 4 December 2016, 16:16:57 CET, cpforum wrote:
>>> Hi,
>>>
>>> It seems that CVE-2016-9296 (2016111) affects p7zip Hipster release
>>> (15.14.1-2016.0.0.3)
>
> Hi. Yes, we missed this fix. I've just committed it.
> Unfortunately, pkg info is quite useless in determining which security fixes
> are applied to the package.


Yeah, we talked about that issue last year around this time.  This
post from Peter is from the middle of the long thread, but it captures
one of the most interesting ideas:


https://openindiana.org/pipermail/openindiana-discuss/2015-December/018370.html

Tim
--
Tim Mooney tim.moo...@ndsu.edu
Enterprise Computing & Infrastructure  701-231-1076 (Voice)
Room 242-J6, Quentin Burdick Building  701-231-8541 (Fax)
North Dakota State University, Fargo, ND 58105-5164


Re: [OpenIndiana-discuss] Problem with Hipster 2016.10 GUI on ESXi 6.5

2016-12-08 Thread Till Wegmüller

Hi Guenther


What happens when you use an ESXi 6.0 with HTML5 GUI?

Is the vSphere Client really not usable anymore with 6.5? ESX usually
has backwards compatibility, even if not supported.

It could be that the VMware Tools need an update. Have you tried to
install VMware Tools on the guest via text console?

You say that the first installation step worked. Was the mouse freezing
after a while or was the whole screen freezing?



Greetings

Till

On 08.12.2016 at 12:59, Guenther Alka wrote:
> I wanted to install Hipster 2016.10 GUI on the new ESXi 6.5 free where
> the new local html-5 webconsole is the only management option. The old
> Windows vsphere client is no longer supported. First setup step
> was ok but I was not able to get a working mouse so installation from
> the GUI was not possible.
>
> No problem when using an older ESXi 6.0 with Windows Vsphere or using
> a text edition.


Gea



[OpenIndiana-discuss] Problem with Hipster 2016.10 GUI on ESXi 6.5

2016-12-08 Thread Guenther Alka
I wanted to install Hipster 2016.10 GUI on the new ESXi 6.5 free where
the new local html-5 webconsole is the only management option. The old
Windows vsphere client is no longer supported. First setup step
was ok but I was not able to get a working mouse so installation from
the GUI was not possible.


No problem when using an older ESXi 6.0 with Windows Vsphere or using a 
text edition.


Gea
