You around tomorrow?

Paul

-----Original Message-----
From: Tim Mooney [mailto:tim.moo...@ndsu.edu] 
Sent: 07 December 2015 15:28
To: Discussion list for OpenIndiana
Subject: Re: [OpenIndiana-discuss] OI roadmap (for production)

In regard to: Re: [OpenIndiana-discuss] OI roadmap (for production), Stefan...:

> first of all, don't get me wrong. It wasn't the difference in security 
> fix frequency that I called a good point but the relevance of it. I 
> sure would not insult those keeping my favorite server OS alive! And 
> great to hear that the security alerts / CVEs are being patched on a 
> regular basis.
>
> As so often, this simply might be a matter of missing information. Is 
> there a CVE patch log? The current release notes under 
> http://wiki.openindiana.org/oi/Release+Notes don't seem to list any.

Yes, that's more my fault than Stefan's.  Stefan was responding to my comment.

I'm happy to see posts from both Alexander and Jim indicating that security 
issues are being addressed.

Based solely on posts to the list and page updates in the wiki, it's obvious 
that you two do a lot related to OI; it just wasn't clear to me that /dev was 
getting much attention (I know /hipster is the focus).

What would help me (and hopefully others) is if there were documentation on how 
we can verify whether an OI /dev package includes a particular patch.  Does 
that documentation exist?

Part of the issue is that if I run the software update utility or pkg update 
and there haven't been any package updates in months, it's hard to know whether 
a particular vulnerability has been patched.  At least on Linux, it's very easy 
to go back to the vendor package source and check to see if a particular patch 
is included.

Take libpng for example.  The latest OI /dev ships is 1.4.12.  Everything 
before 1.4.17 is vulnerable to CVE-2015-7981 and CVE-2015-8126.  Let's say that 
I had just installed a8 today and then updated to a9, so I didn't know whether 
libpng had been patched or not.  How would I check?

First I have to figure out if libpng is part of illumos or whether it's part of 
OI.  How do I determine that?  Check

        https://github.com/illumos/illumos-gate

and see if it's there, and then check

        https://github.com/illumos/illumos-userland

and if it's not listed in either, then it's OI?  Is that the best way to tell?

Once I figure out if a particular component comes from illumos or is specific 
to OI /dev, what then?  Check to see if there's a patch committed to -gate, 
-userland, or the OI equivalent?

I'm trying to find a way to verify component security that doesn't rely on more 
work from the few people that are already doing the security work, but it's not 
clear what a good method is to perform that verification.

Tim
-- 
Tim Mooney                                             tim.moo...@ndsu.edu
Enterprise Computing & Infrastructure                  701-231-1076 (Voice)
Room 242-J6, Quentin Burdick Building                  701-231-8541 (Fax)
North Dakota State University, Fargo, ND 58105-5164
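An added example, not from Tim or from the OI project, of the version-level check the message describes: parse `pkg info` output, compare the installed version against the advisory's fixed-in version, and report the result. The `pkg info` sample below is constructed (its layout on a real OI /dev build is an assumption), and a "vulnerable-by-version" result deliberately says only that the upstream version predates the fix, since a distro may have backported the patch, which is exactly the gap Tim raises.

```python
"""Compare an installed IPS package version with an advisory's fixed-in version.
Added example; the libpng numbers (1.4.12 shipped, fixed in 1.4.17,
CVE-2015-7981 / CVE-2015-8126) come from the thread. Output layout is assumed."""
import re

# Constructed sample of `pkg info library/libpng` on an OI /dev box (assumption).
SAMPLE_PKG_INFO = """\
          Name: library/libpng
       Summary: PNG reference library
         State: Installed
     Publisher: openindiana.org
       Version: 1.4.12
        Branch: 0.151.1.8
"""

# Advisory data as stated in the message: everything before 1.4.17 is affected.
ADVISORIES = {
    "library/libpng": {"fixed_in": "1.4.17",
                       "cves": ["CVE-2015-7981", "CVE-2015-8126"]},
}

def parse_pkg_info(text):
    """Turn the 'Key: value' lines of pkg info into a dict."""
    info = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z ]+?):\s*(.*)$", line)
        if m:
            info[m.group(1).strip()] = m.group(2).strip()
    return info

def version_key(v):
    """Dotted version -> tuple of ints, so 1.4.12 < 1.4.17 compares numerically."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def assess(pkg_info_text, advisories=ADVISORIES):
    """Return (name, version, status, cves). status is 'vulnerable-by-version',
    'fixed-by-version' or 'no-advisory'. 'vulnerable-by-version' means only that
    the upstream version predates the fix; a backported patch would not change
    the version string, so the package changelog/commit still has to be checked."""
    info = parse_pkg_info(pkg_info_text)
    name, version = info["Name"], info["Version"]
    adv = advisories.get(name)
    if adv is None:
        return name, version, "no-advisory", []
    if version_key(version) < version_key(adv["fixed_in"]):
        return name, version, "vulnerable-by-version", adv["cves"]
    return name, version, "fixed-by-version", adv["cves"]

if __name__ == "__main__":
    print(assess(SAMPLE_PKG_INFO))
```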

_______________________________________________
openindiana-discuss mailing list
openindiana-discuss@openindiana.org
http://openindiana.org/mailman/listinfo/openindiana-discuss
