[OpenIndiana-discuss] OI roadmap (for production)

Tim Mooney Tim.Mooney at ndsu.edu
Mon Dec 7 18:25:44 UTC 2015


In regard to: Re: [OpenIndiana-discuss] OI roadmap (for production),...:

>> What would help me (and hopefully others) is if there were documentation
>> on how we can verify whether an OI /dev package includes a particular
>> patch.  Does that documentation exist?
>
> For /hipster, to check if a particular package contains the necessary fix, you
> should look at the particular component
> at https://github.com/OpenIndiana/oi-userland/tree/oi/hipster/components .
> For /dev it's more complicated, as the source code lives in several different
> repositories; most of them can be found here -
> https://hg.openindiana.org/sustaining/oi_151a/

Thanks, that information is very helpful.

>> First I have to figure out if libpng is part of illumos or whether it's
>> part of OI.  How do I determine that?
>
> On OI Hipster the easiest way is to check package attributes. If pkg contents
> -m PACKAGE shows illumos-gate.info* attributes, it's a part of illumos-gate;
> if it shows userland.info.* (and not illumos-gate.info*), it's part of
> oi-userland (or some other build system linked to oi-userland, like
> slim_source); otherwise it wasn't rebuilt since OI /dev.

Ok, that's a big help, at least for hipster.  I had wondered if there
was a way to find the package provenance using the pkg command, but
couldn't find anything with the attempts I made.  Of course, I'm on
/dev, not hipster, so it looks like 'pkg contents -m' won't necessarily
help me figure out what "upstream" is for the package.

>> 	https://github.com/illumos/illumos-gate
>> 
>> and see if it's there, and then check
>>
>> 	https://github.com/illumos/illumos-userland
>
> illumos-userland is dead. OI Hipster code lives under 
> https://github.com/OpenIndiana/oi-userland/.

You're talking about hipster, but my original post in this thread
was specifically about /dev.

> https://github.com/OpenIndiana/oi-userland/illumos-gate was expected to
> become base of new /dev.
>
>> Once I figure out if a particular component comes from illumos or is
>> specific to OI /dev, what then?  Check to see if there's a patch committed
>> to -gate, -userland, or the OI equivalent?
>> 
>> I'm trying to find a way to verify component security that doesn't rely
>> on more work from the few people that are already doing the security work,
>> but it's not clear what a good method is to perform that verification.
>
> It would be interesting to see such analysis, but I don't think it's possible 
> to fully automate this task.

Probably not.  That's more ambitious than I was trying to be; even being
able to manually follow a trail to determine whether security issues
have been addressed is better than having no idea, though.

> I'd look at package versions. If they are less than the upstream versions
> containing the fix, I'd look at the oi-userland component or illumos-gate
> changelog for the affected code.

But oi-userland is for hipster, not /dev, so I'm still left trying to find
where "upstream" is and whether or not it includes a particular patch
for some security issue.

Tim
-- 
Tim Mooney                                             Tim.Mooney at ndsu.edu
Enterprise Computing & Infrastructure                  701-231-1076 (Voice)
Room 242-J6, Quentin Burdick Building                  701-231-8541 (Fax)
North Dakota State University, Fargo, ND 58105-5164
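Added example, not code from the thread or from the OpenIndiana project: it applies the rule quoted above (illumos-gate.info* attributes mean illumos-gate, userland.info.* without them means oi-userland or a build system linked to it, neither means not rebuilt since /dev) to the output of "pkg contents -m", and compares the component version from pkg.fmri against the upstream version that carries a fix. The manifest below is constructed; the specific attribute names userland.info.git-remote and userland.info.git-rev are assumed, and the placeholder values are not real.

```python
#!/usr/bin/env python3
"""Classify an IPS package's provenance from `pkg contents -m` output."""
import re
import shlex
import subprocess

# Constructed sample manifest (not real pkg output). The attribute name
# patterns follow the thread; the git-remote/git-rev names and all values
# are assumed placeholders.
SAMPLE_MANIFEST = """\
set name=pkg.fmri value=pkg://openindiana.org/image/library/libpng@1.6.19,5.11-2015.0.0.0:20151204T120000Z
set name=userland.info.git-remote value=https://github.com/OpenIndiana/oi-userland.git
set name=userland.info.git-rev value=0123456789abcdef0123456789abcdef01234567
set name=pkg.summary value="PNG reference library"
file 1234abcd path=usr/lib/libpng16.so.16 owner=root group=bin mode=0755
"""

def parse_set_actions(manifest):
    """Return {name: value} for every `set` action in a manifest text."""
    attrs = {}
    for line in manifest.splitlines():
        if not line.startswith("set "):
            continue
        # shlex handles quoted values such as value="PNG reference library"
        fields = dict(t.split("=", 1) for t in shlex.split(line)[1:] if "=" in t)
        if "name" in fields and "value" in fields:
            attrs[fields["name"]] = fields["value"]
    return attrs

def provenance(attrs):
    """Apply the attribute rule from the thread, in the order it was stated."""
    if any(k.startswith("illumos-gate.info") for k in attrs):
        return "illumos-gate"
    if any(k.startswith("userland.info.") for k in attrs):
        return "oi-userland"
    return "not rebuilt since OI /dev"

def component_version(attrs):
    """Upstream component version from pkg.fmri: the text between '@' and ','."""
    m = re.search(r"@([^,:]+)", attrs.get("pkg.fmri", ""))
    return m.group(1) if m else None

def includes_fix(version, fixed_in):
    """True when version >= fixed_in, comparing the numeric parts in order."""
    as_tuple = lambda v: tuple(int(x) for x in re.findall(r"\d+", v))
    return as_tuple(version) >= as_tuple(fixed_in)

def manifest_from_pkg(package):
    """Fetch the live manifest on an OI host (requires the pkg command)."""
    return subprocess.run(["pkg", "contents", "-m", package], check=True,
                          capture_output=True, text=True).stdout

if __name__ == "__main__":
    attrs = parse_set_actions(SAMPLE_MANIFEST)
    print(provenance(attrs), component_version(attrs), attrs.get("userland.info.git-rev"))
```

On a real host, replace SAMPLE_MANIFEST with manifest_from_pkg("library/libpng") and compare component_version against the version in which the upstream fix landed.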