[OpenIndiana-discuss] OI roadmap (for production)

Mon Dec 7 15:27:53 UTC 2015

In regard to: Re: [OpenIndiana-discuss] OI roadmap (for production), Stefan...:

> first of all, don't get me wrong. It wasn't the difference in security
> fix frequency that I called a good point but the relevance of it. I sure
> would not insult those keeping my favorite server OS alive! And great to
> hear that the security alerts / CVEs are being patched on a regular
> basis.
>
> As so often, this simply might be a matter of missing information. Is
> there a CVE patch log? The current release notes under
> http://wiki.openindiana.org/oi/Release+Notes don't seem to list any.

Yes, that's more my fault than Stefan's.  Stefan was responding to my
comment.

I'm happy to see posts from both Alexander and Jim indicating that security
issues are being addressed.

Based solely on posts to the list and page updates in the wiki, it's
obvious that you two do a lot related to OI; it just wasn't clear to
me that /dev was getting much attention (I know /hipster is the focus).

What would help me (and hopefully others) is if there were documentation
on how we can verify whether an OI /dev package includes a particular
patch.  Does that documentation exist?

Part of the issue is that if I run the software update utility or pkg
update and there haven't been any package updates in months, it's hard
to know whether a particular vulnerability has been patched.  At least
on Linux, it's very easy to go back to the vendor package source and
check to see if a particular patch is included.

Take libpng for example.  The latest OI /dev ships is 1.4.12.  Everything
before 1.4.17 is vulnerable to CVE-2015-7981 and CVE-2015-8126.  Let's
say that I had just installed a8 today and then updated to a9, so I didn't
know whether libpng had been patched or not.  How would I check?

First I have to figure out if libpng is part of illumos or whether it's
part of OI.  How do I determine that?  Check

 	https://github.com/illumos/illumos-gate

and see if it's there, and then check

 	https://github.com/illumos/illumos-userland

and if it's not listed in either, than it's OI?  Is that the best way to
tell?

Once I figure out if a particular component comes from illumos or is
specific to OI /dev, what then?  Check to see if there's a patch committed
to -gate, -userland, or the OI equivalent?

I'm trying to find a way to verify component security that doesn't rely
on more work from the few people that are already doing the security work,
but it's not clear what a good method is to perform that verification.

Tim
-- 
Tim Mooney                                             Tim.Mooney at ndsu.edu
Enterprise Computing & Infrastructure                  701-231-1076 (Voice)
Room 242-J6, Quentin Burdick Building                  701-231-8541 (Fax)
North Dakota State University, Fargo, ND 58105-5164