Re: ports security branch

2005-12-21 Thread rihad
  Imagine: Foo 1.2.3 that
  was current at the time of FreeBSD 6.0 release gets a severe vuln after
  some time. Some admins upgrade to the latest and greatest Foo 1.2.9,
  others to Foo 1.2.7 (probably with not recently updated ports tree)...

 If 1.2.7 is secure, there is no problem. If 1.2.7 is not, portaudit will not 
 let you upgrade. It seems to me, you need to familiarize yourself first with 
 the mechanisms in place already, before shooting it.


Scrolling a couple of pages backwards, you suddenly realize that it was 
I who first mentioned the role of portaudit in maintaining the security 
info in this thread. Nevermind.


There _might_ be a problem if one always upgrades to a newer release, 
this way or another, right on the production machine. The whole point of 
security updates is making users' lives easier. You upgrade, you want 
the software-OS bundle to behave, feel and touch _exactly_ the same way 
it did before. Once again, FreeBSD already _does_ that to the base system.

___
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: ports security branch

2005-12-20 Thread Yann Golanski
Quoth rihad on Tue, Dec 20, 2005 at 10:25:59 +0400
 Is there a security branch for the FreeBSD ports collection? Let's say,
 I installed FreeBSD 6.0 together with all needed -RELEASE ports/packages
 (i.e., those on the CD). Running security/portaudit after a while
 reveals that some of the installed packages have vulnerabilities. Am I
 on my own to go grab the fresh ports tree, and upgrade the affected
 software, suffering all the intricacies of the move by myself? Debian
 GNU/Linux has its security package updates, OpenBSD has a separately
 maintained errata ports branch (it's very likely you still get to
 download a newer release of the software, though).

Attached is a script I use to update my machines.  It works fine but
you need to understand what it does and not run it blindly.  DO NOT put
that in cron, there lies pain!

Otherwise, just run the script and it will update all your ports for
you.  It'll even mail you with the updated ports. 

-- 
[EMAIL PROTECTED]  -=*=-  www.kierun.org
PGP:   009D 7287 C4A7 FD4F 1680  06E4 F751 7006 9DE2 6318
#!/bin/sh
# portupgrade script.

### variables.
day=`date +%d`
month=`date +%b`
year=`date +%Y`
host=`uname -n`
tmp=.upgrade.tmp

### Does what it does...
#/usr/local/bin/cvsup -g -L 2 /usr/ports/CVSUP
# 'make update' and 'make fetchindex' must be run from the top of the ports tree.
cd /usr/ports || exit 1
make update
make fetchindex
less /usr/ports/UPDATING
echo 'Do you want to update the port tree? [yn]?'
read -p '[y]es or [n]o: ' val
case ${val} in
[yY])
  echo 'Updating the port collection now!!!...'
  ;;
[nN])
  echo 'Aborting NOW!!!...'
  exit
  ;;
*)
  echo 'What the hell?... I am aborting now.'
  exit
  ;;
esac
#/usr/local/sbin/portsdb -Uu
# Fix stale dependency records, then keep a dated backup of the package
# database so a bad upgrade can be investigated or rolled back.
/usr/local/sbin/pkgdb -F
/usr/bin/tar ycf /var/db/$year-$month-$day-pkg.tbz2 /var/db/pkg
# Upgrade everything, logging the results to LATEST.update.
/usr/local/sbin/portupgrade -C -u -v -r -R -a -l /usr/ports/LATEST.update
# Re-audit after the upgrade and mail the audit result plus the upgrade log.
/usr/local/sbin/portaudit -Fad > $tmp
echo '' >> $tmp
sort /usr/ports/LATEST.update >> $tmp
mail -s "Portupdate $host on $day $month $year" [EMAIL PROTECTED] < $tmp
/usr/local/sbin/portsclean -C -L -P -D
/usr/home/yann/bin/aide.sh

### reporting.
echo ''
echo 'This is what has been updated today:'
/usr/bin/grep -v '^\-' /usr/ports/LATEST.update | sort
echo ''
exit




Re: ports security branch

2005-12-20 Thread rihad

Yann Golanski wrote:

 Quoth rihad on Tue, Dec 20, 2005 at 10:25:59 +0400

  Is there a security branch for the FreeBSD ports collection? Let's say,
  I installed FreeBSD 6.0 together with all needed -RELEASE ports/packages
  (i.e., those on the CD). Running security/portaudit after a while
  reveals that some of the installed packages have vulnerabilities. Am I
  on my own to go grab the fresh ports tree, and upgrade the affected
  software, suffering all the intricacies of the move by myself? Debian
  GNU/Linux has its security package updates, OpenBSD has a separately
  maintained errata ports branch (it's very likely you still get to
  download a newer release of the software, though).

 Attached is a script I use to update my machines.  It works fine but
 you need to understand what it does and not run it blindly.  DO NOT put
 that in cron, there lies pain!

 Otherwise, just run the script and it will update all your ports for
 you.  It'll even mail you with the updated ports.

[script snipped]

A very interesting script for its own purpose, but I'm afraid this 
doesn't answer my question at all. Perhaps seeing the way that e.g. 
Debian deals with the upgrade problem might shed some light on the 
issue. Hell, FreeBSD does exactly that for the base world+kernel, too! 
Not for the ports, though.



Re: ports security branch

2005-12-20 Thread Yann Golanski
Quoth rihad on Tue, Dec 20, 2005 at 14:18:13 +0400
 A very interesting script for its own purpose, but I'm afraid this 
 doesn't answer my question at all. Perhaps seeing the way that e.g. 
 Debian deals with the upgrade problem might shed some light on the 
 issue. Hell, FreeBSD does exactly that for the base world+kernel, too! 
 Not for the ports, though.

As far as I know, the way to keep up to date with ports is to follow
the procedure:

  portaudit -Fad
  if no_problems then quit
  else 
cd /usr/ports
make update
portupgrade port1 port2 port3 (...)

If you want to do that automatically, put my script (or a similar one)
into cron but that way lies pain.  You've been warned.

-- 
[EMAIL PROTECTED]  -=*=-  www.kierun.org
PGP:   009D 7287 C4A7 FD4F 1680  06E4 F751 7006 9DE2 6318


Re: ports security branch

2005-12-20 Thread Melvyn Sopacua
On Tuesday 20 December 2005 11:18, rihad wrote:
 Yann Golanski wrote:
  Quoth rihad on Tue, Dec 20, 2005 at 10:25:59 +0400
 
 Is there a security branch for the FreeBSD ports collection? Let's say,
 I installed FreeBSD 6.0 together with all needed -RELEASE ports/packages
 (i.e., those on the CD). Running security/portaudit after a while
 reveals that some of the installed packages have vulnerabilities. Am I
 on my own to go grab the fresh ports tree, and upgrade the affected
 software, suffering all the intricacies of the move by myself? Debian
 GNU/Linux has its security package updates, OpenBSD has a separately
 maintained errata ports branch (it's very likely you still get to
 download a newer release of the software, though).
 
  Attached is a script I use to update my machines.  It works fine but
  you need to understand what it does and not run it blindly.  DO NOT put
  that in cron, there lies pain!
 
  Otherwise, just run the script and it will update all your ports for
  you.  It'll even mail you with the updated ports.

 [script snipped]

 A very interesting script for its own purpose, but I'm afraid this
 doesn't answer my question at all.

FreeBSD accepts limited responsibility for what is in /usr/ports. Maintaining 
security is not one of them.

 Perhaps seeing the way that e.g. 
 Debian deals with the upgrade problem might shed some light on the
 issue. Hell, FreeBSD does exactly that for the base world+kernel, too!
 Not for the ports, though.

See above. Instead of focusing on the method, focus on the end-goal: you want 
security updates on your ports and the script posted attempts to provide 
that.
I had one that was safe to run in cron (in fact it ran in periodic/daily), but 
uses a cvs tree of ports, not cvsup, to save time[1]. I lost it with a disk 
crash, but was going to recreate it anyway, might as well do it now if people 
are interested.

[1] cvsup, although faster on the entire tree, cannot update a single 
directory.
-- 
Melvyn Sopacua
[EMAIL PROTECTED]

FreeBSD 6.0-STABLE
Qt: 3.3.5
KDE: 3.4.3


Re: ports security branch

2005-12-20 Thread Marwan Burelle
On Tue, Dec 20, 2005 at 02:18:13PM +0400, rihad wrote:
 A very interesting script for its own purpose, but I'm afraid this 
 doesn't answer my question at all. Perhaps seeing the way that e.g. 
 Debian deals with the upgrade problem might shed some light on the 
 issue. Hell, FreeBSD does exactly that for the base world+kernel, too! 
 Not for the ports, though.

That's a much more complex problem. IMHO, there are at least two kinds
of ports: end-user apps and their related libs, and services/system
related tools. Security issues mostly appear in the second kind; the
problem is that the dependency tree is too interconnected, some libs are
needed by both kinds (just think of libs like ssl, gettext or expat
... )

Relying on the maintainer's work is a good starting point; you may trust
him to do only the needed updates for those ports that raise
security concerns. But even here, major updates of widely used libs
imply rebuilding most of the ports, even when no security issue
arises.

The Debian way is to have a frozen tree and restrained updates; this
induces at least a two-level maintenance, one that follows
on-the-edge updates and the other that only follows security
updates. The problem is that most applications don't work like that,
they don't maintain two branches, and thus you need (or the maintainer
of the ports needs) to maintain a bunch of security patches for that
app that doesn't have any dependency links (or at least only to other
security updates ... )

This is a lot of work, and IMHO that's why Debian stable is so often
outdated (and sometimes completely obsolete.) This also raises
questions like "when should we move to the next/latest release?",
"Is that patch-set too important?" ...

My own experience shows me that most of the time when you only need
security updates, that means that your box is specialized in some
way with a small set of installed ports and thus every update in the
tree for those ports is relevant. Otherwise, you may want to have up
to date ports because it's providing you with shiny new features ;)

-- 
Marwan Burelle,
http://www.lri.fr/~burelle
( [EMAIL PROTECTED] | [EMAIL PROTECTED] )
http://www.cduce.org



Re: ports security branch

2005-12-20 Thread Melvyn Sopacua
On Tuesday 20 December 2005 11:49, Yann Golanski wrote:
 Quoth Melvyn Sopacua on Tue, Dec 20, 2005 at 11:43:55 +0100

  I had one that was safe to run in cron (in fact it ran in
  periodic/daily), but uses a cvs tree of ports, not cvsup to save
  time[1]. I lost it with a disk crash, but was going to recreate it
  anyway, might as well do it now if people are interested.

 Yeah, I'm interested.

 How did you deal with ports doing a make config before updating?...
 That was the crunch for me -- hence lots of portupgrade hanging.

Hmm, not sure why that's an issue. Maybe because I set PATH in my script?

-- 
Melvyn Sopacua
[EMAIL PROTECTED]

FreeBSD 6.0-STABLE
Qt: 3.3.5
KDE: 3.4.3


Re: ports security branch

2005-12-20 Thread Melvyn Sopacua
On Tuesday 20 December 2005 12:03, Marwan Burelle wrote:

 Relying on the maintainer's work is a good starting point; you may trust
 him to do only the needed updates for those ports that raise
 security concerns. But even here, major updates of widely used libs
 imply rebuilding most of the ports, even when no security issue
 arises.

No it doesn't. Only with static linking or when interfaces changed, which is 
not always the case. The fact that the gnome project is fond of changing 
library versions with every release doesn't mean there aren't sane projects.
Typically security patches do not update library versions, although it is 
possible if the interface is insecure by design.

Example: freetype was updated
wc -l /var/db/pkg/freetype2-2.1.10_2/+REQUIRED_BY
 111 /var/db/pkg/freetype2-2.1.10_2/+REQUIRED_BY

Not a single port rebuilt, 111 packages re-packed, but that's it.
-- 
Melvyn Sopacua
[EMAIL PROTECTED]

FreeBSD 6.0-STABLE
Qt: 3.3.5
KDE: 3.4.3
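Yann's procedure earlier in the thread (audit first, then upgrade only the affected ports) and Melvyn's +REQUIRED_BY count above can be combined into one check before anything is upgraded. The script below is an added example, not code from the thread or from any poster; it assumes the pkg_install-era /var/db/pkg/<name-version>/+REQUIRED_BY layout, and the portaudit output and package database it uses are constructed samples rather than a real audit run.

```shell
#!/bin/sh
# Added example (not code from the thread): build a targeted upgrade plan from
# 'portaudit -a' output and, using the pkg_install-era package database
# (/var/db/pkg/<name-version>/+REQUIRED_BY, as in the freetype example), show
# how many installed packages 'portupgrade -r' would touch per vulnerable port.
# The audit text and the package database built below are constructed samples.

PKG_DBDIR=${PKG_DBDIR:-/var/db/pkg}

# Constructed sample of 'portaudit -a' output; the reference URLs are
# placeholders, not real advisories.
SAMPLE_AUDIT='Affected package: foo-1.2.3
Type of problem: foo -- remote buffer overflow (constructed sample).
Reference: <http://www.FreeBSD.org/ports/portaudit/PLACEHOLDER-UUID-1.html>

Affected package: libbar-2.0.1
Type of problem: libbar -- denial of service (constructed sample).
Reference: <http://www.FreeBSD.org/ports/portaudit/PLACEHOLDER-UUID-2.html>

2 problem(s) in your installed packages found.'

# affected_packages: name-version of each affected package from audit text
# on stdin, one per line, deduplicated.
affected_packages() {
    sed -n 's/^Affected package: //p' | sort -u
}

# dependents: number of installed packages listed in $1's +REQUIRED_BY file,
# i.e. what 'portupgrade -r $1' would rebuild or re-pack (0 if none).
dependents() {
    f="$PKG_DBDIR/$1/+REQUIRED_BY"
    if [ -f "$f" ]; then wc -l < "$f" | tr -d ' '; else echo 0; fi
}

# plan: one line per vulnerable package, "<name-version> <dependent count>",
# so the blast radius is known before upgrading only those ports (no -a).
plan() {
    affected_packages | while read -r pkg; do
        printf '%s %s\n' "$pkg" "$(dependents "$pkg")"
    done
}

# make_fake_pkgdb: constructed package database under $1; only libbar has
# dependents, mirroring the "packages re-packed, none rebuilt" case.
make_fake_pkgdb() {
    mkdir -p "$1/foo-1.2.3" "$1/libbar-2.0.1"
    printf 'app1-1.0\napp2-2.0\napp3-0.5\n' > "$1/libbar-2.0.1/+REQUIRED_BY"
}

# demo: run the plan against the constructed database and print it.
demo() {
    db=$(mktemp -d) || return 1
    make_fake_pkgdb "$db"
    PKG_DBDIR="$db"
    printf '%s\n' "$SAMPLE_AUDIT" | plan
    rm -rf "$db"
}

if [ "${1:-}" = --demo ]; then demo; fi
```

On a real box, replace SAMPLE_AUDIT with the output of `portaudit -Fad` and leave PKG_DBDIR at its default; a package with a large dependent count is the one whose upgrade needs the UPDATING check Yann's script does first.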


Re: ports security branch

2005-12-20 Thread Marwan Burelle
On Tue, Dec 20, 2005 at 12:15:30PM +0100, Melvyn Sopacua wrote:
 On Tuesday 20 December 2005 12:03, Marwan Burelle wrote:
 
  Relying on the maintainer's work is a good starting point; you may trust
  him to do only the needed updates for those ports that raise
  security concerns. But even here, major updates of widely used libs
  imply rebuilding most of the ports, even when no security issue
  arises.
 
 No it doesn't. Only with static linking or when interfaces changed, which is 
 not always the case. The fact that the gnome project is fond of changing 
 library versions with every release doesn't mean there aren't sane projects.
 Typically security patches do not update library versions, although it is 
 possible if the interface is insecure by design.

I think you don't understand my point. Regarding the actual state of the
ports tree, when something like gettext has a major version bump,
you need to rebuild most of the ports or do some tricks with links or
libmap.conf (if the major number change wasn't justified), since when
loading dynamic libs for an executable the major number is
relevant.

This just means that you could not just do a cvsup+portupgrade, even if
you just have security related apps, if you only want security
updates; you first need to track which ports have security updates and
hope that this doesn't involve updating all the tree (for example,
your port foo has moved to a new version with security concerns on the
old one, but at the same time this involves moving to the latest version
of libbar since its interface has changed and the latest foo uses the new
version; since libbar is widely used you now need to update most of
your ports even if they don't have any security updates ... )

The point is not that this is always true, but that you have to handle
those kinds of problems if you want to maintain a security branch for
ports.

-- 
Marwan Burelle,
http://www.lri.fr/~burelle
( [EMAIL PROTECTED] | [EMAIL PROTECTED] )
http://www.cduce.org



Re: ports security branch

2005-12-20 Thread Melvyn Sopacua
On Tuesday 20 December 2005 12:39, Marwan Burelle wrote:

 The point is not that this is always true, but that you have to handle
 those kinds of problems if you want to maintain a security branch for
 ports.

The point is, that it is irrelevant. Ports are independent of the base system. 
There is no need for a security branch of the ports tree. The ports that rely 
on specifics in the base system, handle it themselves via BROKEN, 
FreeBSD_version and friends. The ports tree is only tagged for a specific 
release, so that release cdroms can be made.

The only thing that makes sense is pre-compiled packages being updated for 
security branches of the base system - but, that is only worth-while if 
there's a large enough userbase that has an /etc/make.conf without NO_ flags. 
Since for example I have no need for Kerberos, I cannot use the FreeBSD 
provided packages for the ones that make sense, as they all link libgssapi 
(subversion pulls it in through www/neon, smbclient because of ports/90238 
and thus kde*).
-- 
Melvyn Sopacua
[EMAIL PROTECTED]

FreeBSD 6.0-STABLE
Qt: 3.3.5
KDE: 3.4.3


Re: ports security branch

2005-12-20 Thread rihad

Marwan Burelle wrote:

 On Tue, Dec 20, 2005 at 02:18:13PM +0400, rihad wrote:

  A very interesting script for its own purpose, but I'm afraid this 
  doesn't answer my question at all. Perhaps seeing the way that e.g. 
  Debian deals with the upgrade problem might shed some light on the 
  issue. Hell, FreeBSD does exactly that for the base world+kernel, too! 
  Not for the ports, though.

 The Debian way is to have a frozen tree and restrained updates; this
 induces at least a two-level maintenance, one that follows
 on-the-edge updates and the other that only follows security
 updates. The problem is that most applications don't work like that,
 they don't maintain two branches, and thus you need (or the maintainer
 of the ports needs) to maintain a bunch of security patches for that
 app that doesn't have any dependency links (or at least only to other
 security updates ... )

 This is a lot of work, and IMHO that's why Debian stable is so often
 outdated (and sometimes completely obsolete.) This also raises
 questions like "when should we move to the next/latest release?",
 "Is that patch-set too important?" ...

 My own experience shows me that most of the time when you only need
 security updates, that means that your box is specialized in some
 way with a small set of installed ports and thus every update in the
 tree for those ports is relevant. Otherwise, you may want to have up
 to date ports because it's providing you with shiny new features ;)


I think Debian does an excellent job of taking the common load off of 
the shoulders of its users by providing security package updates with no 
changes in functionality wherever possible. Change in software 
functionality, configs, dependencies etc. almost always hurts; that's 
what Debian is trying to save its users from. Imagine: Foo 1.2.3 that 
was current at the time of FreeBSD 6.0 release gets a severe vuln after 
some time. Some admins upgrade to the latest and greatest Foo 1.2.9, 
others to Foo 1.2.7 (probably with not recently updated ports tree)... 
Still with me? Factoring this security upgrade path in the OS so that 
all users get the same fix and functionality is a very hard thing to do 
and maintain, I'd guess.


FreeBSD's latest and greatest attitude is very relevant for desktop 
users and such. I think it would be even better to make 
security-conscious server admins' lives even better. Put up a box, 
forget about it, do a major upgrade in a year. Oversimplifying here...



Re: ports security branch

2005-12-20 Thread Melvyn Sopacua
On Tuesday 20 December 2005 13:26, rihad wrote:

 Imagine: Foo 1.2.3 that 
 was current at the time of FreeBSD 6.0 release gets a severe vuln after
 some time. Some admins upgrade to the latest and greatest Foo 1.2.9,
 others to Foo 1.2.7 (probably with not recently updated ports tree)...

If 1.2.7 is secure, there is no problem. If 1.2.7 is not, portaudit will not 
let you upgrade. It seems to me, you need to familiarize yourself first with 
the mechanisms in place already, before shooting it.
-- 
Melvyn Sopacua
[EMAIL PROTECTED]

FreeBSD 6.0-STABLE
Qt: 3.3.5
KDE: 3.4.3


Re: ports security branch

2005-12-20 Thread JoaoBR
On Tuesday 20 December 2005 10:26, rihad wrote:


 FreeBSD's latest and greatest attitude is very relevant for desktop
 users and such. I think it would be even better to make
 security-conscious server admins' lives even better. Put up a box,
 forget about it, do a major upgrade in a year. Oversimplifying here...

I would not agree with you; even if the ports are getting better and better, 
they are still an all-in-one package and often not suitable for any admin, 
especially the security-conscious one. 

A webserver or a router needs some software only, and well compiled and 
configured it is better than having a large ports tree on the machine and 
then, when upgrading, some shit happens and some config is deleted like it used 
to be with mailman, spamassassin and others. The risk is too big.

The ports collection is nice and easy for most users as it is, but since you 
already compared it to Linux, I tell you that apt-get or yum really seem to be 
better until you get into nasty troubles after compiling a new kernel and some 
packages do not work anymore. Then you come to love portupgrade again and the 
FreeBSD system is clearly better because the ports do not depend on kernel 
versions.

Also you can portupgrade only some ports without running into too much 
dependency trouble.

João










RE: ports security branch

2005-12-19 Thread Rob MacGregor
On Tuesday, December 20, 2005 6:26 AM when we last met our heroes,
 [EMAIL PROTECTED]  was heard to say:
 Sorry if this is a bit OT. I've already asked this on
 freebsd-questions@
 but they told me there's no such thing at all.

And they were correct.  The overhead of managing such a thing correctly would be
significant, probably more than the overhead of managing the base port itself.

-- 
 Rob | Oh my God! They killed init! You bastards!
