On Thu, Jun 09, 2005, Michael Schloh von Bennewitz wrote:
> The bootstrap package must be corrected to stop a medium grade security
> flaw (CAN-2005-1228). In the bootstrap package, patch(1) is built after
> gzip(1). The problem lies in the source gzip.c, which must be corrected
> with patch(1). How would you the architect, like the solution to be?
>
> 1 OpenPKG dependency to patch(1). (complicated for slim systems)
Not possible at all. The "openpkg" package cannot have any dependencies
as it is the root in the dependency chain because of bootstrapping
reasons.
> 2 Build gzip(1) twice when bootstrapping. (costs 30 seconds more)
Hmmm... how should this be done? Is the security flaw in gzip not
a run-time problem? How should building it twice work? What if the
security issue is already exploited between the first and the second
build?
> 3 Embed the entire corrected 54Kb gzip.c. (increases maintenance)
This would be the best approach for the 2.2 and 2.3 "openpkg" packages
IMHO. Go for this option, please.
> All of these choices are bad, but one is less bad. You can offer a
> choice #4 or state your preference. Otherwise, #2 will be implemented.
I still do not see how #2 solves the problem and at the same time
doesn't introduce a security problem.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
______________________________________________________________________
The OpenPKG Project www.openpkg.org
Developer Communication List openpkg-dev@openpkg.org
