On Mon, 7 Dec 2015, Tim Mooney wrote:
> What would help me (and hopefully others) is if there were documentation on how we can verify whether an OI /dev package includes a particular patch. Does that documentation exist?
>
> Part of the issue is that if I run the software update utility or pkg update and there haven't been any package updates in months, it's hard to know whether a particular vulnerability has been patched. At least on Linux, it's very easy to go back to the vendor package source and check to see if a particular patch is included.
>
> Take libpng for example. The latest OI /dev ships is 1.4.12. Everything before 1.4.17 is vulnerable to CVE-2015-7981 and CVE-2015-8126. Let's say that I had just installed a8 today and then updated to a9, so I didn't know whether libpng had been patched or not. How would I check?
Given the development model of OpenIndiana, I think that it is much more likely that the software version is updated based on a formal upstream release rather than a security issue being fixed via a patch. Only really extreme security issues or well-known issues in valuable unmaintained projects are likely to be fixed via a patch.
OpenIndiana is not going to be prepared any time soon to provide security fixes in the way that Red Hat or Debian are able to provide.
Bob
--
Bob Friesenhahn
bfrie...@simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer, http://www.GraphicsMagick.org/
_______________________________________________
openindiana-discuss mailing list
openindiana-discuss@openindiana.org
http://openindiana.org/mailman/listinfo/openindiana-discuss
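One way to answer Tim's "How would I check?" under the release-tracking model Bob describes, as an added example that is not part of the thread: the script reads the upstream version from `pkg info` output and compares it with the first fixed upstream release. The package name library/libpng and the sample `pkg info` output are assumptions; the parsing and version comparison are the example's own.

```shell
# Added example, not from the thread. Decides whether an installed IPS
# package already carries a CVE fix by comparing the upstream version that
# `pkg info` reports with the first fixed upstream release. Sound only under
# the model Bob describes (OI moves to upstream releases rather than
# backporting patches). Assumptions: numeric dotted versions as libpng uses;
# the package name library/libpng is a guess; the sample output is constructed.

# version_ge A B: exit 0 when dotted version A >= B, component by component.
# POSIX sh has no locals, so a/b/x/y are plain shell variables.
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"
        x="${x:-0}"; y="${y:-0}"           # missing components count as 0
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        case "$a" in *.*) a="${a#*.}";; *) a="";; esac
        case "$b" in *.*) b="${b#*.}";; *) b="";; esac
    done
    return 0
}

# pkg_version TEXT: pull the "Version:" field out of `pkg info`-style output.
pkg_version() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Version:[[:space:]]*//p' | head -n 1
}

# patch_status TEXT FIXED: print a verdict; exit 0 = fixed, 1 = vulnerable,
# 2 = version could not be read (treat as unknown, never as safe).
patch_status() {
    v=$(pkg_version "$1")
    [ -n "$v" ] || { echo "unknown (no Version: field)"; return 2; }
    if version_ge "$v" "$2"; then
        echo "fixed ($v >= $2)"; return 0
    fi
    echo "vulnerable ($v < $2)"; return 1
}

# Constructed sample modelled on `pkg info` output for the libpng Tim mentions.
SAMPLE_PKG_INFO='          Name: library/libpng
       Summary: PNG reference library
         State: Installed
     Publisher: openindiana.org
       Version: 1.4.12'

# Per the thread, everything before 1.4.17 is vulnerable to the two CVEs.
status=0; patch_status "$SAMPLE_PKG_INFO" 1.4.17 || status=$?
echo "exit status: $status"
# Live use on an OI box: patch_status "$(pkg info library/libpng)" 1.4.17
```

The check is only as good as the assumption that OI has not backported the fix under the old version number; a package that was patched in place would still report 1.4.12 and be flagged as vulnerable, which is the safe direction to err.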