[OpenIndiana-discuss] OI roadmap (for production)

Alexander Pyhalov alp at rsu.ru
Mon Dec 7 16:23:19 UTC 2015


Hello.

Tim Mooney wrote on 07.12.2015 18:27:
> In regard to: Re: [OpenIndiana-discuss] OI roadmap (for production), 
> Stefan...:
> 
>> first of all, don't get me wrong. It wasn't the difference in security
>> fix frequency that I called a good point but the relevance of it. I sure
>> would not insult those keeping my favorite server OS alive! And great to
>> hear that the security alerts / CVEs are being patched on a regular
>> basis.
>> 
>> As so often, this simply might be a matter of missing information. Is
>> there a CVE patch log? The current release notes under
>> http://wiki.openindiana.org/oi/Release+Notes don't seem to list any.
> 
> Based solely on posts to the list and page updates in the wiki, it's
> obvious that you two do a lot related to OI; it just wasn't clear to
> me that /dev was getting much attention (I know /hipster is the focus).

That's not true. The last fix which appeared in /dev was bash shellshock.
Hipster receives more attention (but much less than needed).

> 
> What would help me (and hopefully others) is if there were documentation
> on how we can verify whether an OI /dev package includes a particular
> patch.  Does that documentation exist?

For /hipster, to check if a particular package contains the necessary fix,
you should look at the particular component at
https://github.com/OpenIndiana/oi-userland/tree/oi/hipster/components .
For /dev it's more complicated, as the source code lives in several
different repositories; most of them can be found here:
https://hg.openindiana.org/sustaining/oi_151a/

> Take libpng for example.  The latest OI /dev ships is 1.4.12.  Everything
> before 1.4.17 is vulnerable to CVE-2015-7981 and CVE-2015-8126.  Let's
> say that I had just installed a8 today and then updated to a9, so I didn't
> know whether libpng had been patched or not.  How would I check?

It wasn't patched in /dev. In /hipster we ship 1.4.17.

> 
> First I have to figure out if libpng is part of illumos or whether it's
> part of OI.  How do I determine that?

On OI Hipster the easiest way is to check package attributes. If
pkg contents -m PACKAGE shows illumos-gate.info* attributes, it's a part of
illumos-gate; if it shows userland.info.* (and not illumos-gate.info*), it's
part of oi-userland (or some other build system linked to oi-userland, like
slim_source); otherwise it wasn't rebuilt since OI /dev.

> Check
> 
> 	https://github.com/illumos/illumos-gate
> 
> and see if it's there, and then check
> 
> 	https://github.com/illumos/illumos-userland

illumos-userland is dead. OI Hipster code lives under 
https://github.com/OpenIndiana/oi-userland/.

https://github.com/OpenIndiana/oi-userland/illumos-gate was expected to
become the base of the new /dev.


> Once I figure out if a particular component comes from illumos or is
> specific to OI /dev, what then?  Check to see if there's a patch committed
> to -gate, -userland, or the OI equivalent?
> 
> I'm trying to find a way to verify component security that doesn't rely
> on more work from the few people that are already doing the security work,
> but it's not clear what a good method is to perform that verification.

It would be interesting to see such an analysis, but I don't think it's
possible to fully automate this task.
I'd look at package versions. If they are less than the upstream versions
containing the fix, I'd look at the oi-userland component or illumos-gate
changelog for the affected code.

---
System Administrator of Southern Federal University Computer Center
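The two checks described in the reply above (working out a package's build origin from its manifest attributes, and comparing the packaged version against the upstream release that carries a fix), as an added shell example that is not part of the original message and is not OpenIndiana's own tooling. It assumes only what the reply states: that pkg contents -m PACKAGE output can be captured as text containing set name=... actions, with illumos-gate.info* marking illumos-gate packages and userland.info.* marking oi-userland ones. The three sample manifests are constructed for illustration (the pkg.fmri layout, the git-remote/git-branch attribute names and every value are assumptions, not copied from a real image); the version case uses libpng 1.4.12 against 1.4.17 from Tim's message.

```shell
#!/bin/sh
# Added example, not from the original thread or the OI project: apply the
# two checks Alexander describes to pkg(5) manifest text.
#   1. origin:  illumos-gate.info* -> illumos-gate; userland.info.* (without
#               illumos-gate.info*) -> oi-userland; neither -> not rebuilt
#               since OI /dev.
#   2. version: compare the packaged component version against the upstream
#               release that carries the fix (libpng 1.4.17 in Tim's case).
# The sample manifests below are CONSTRUCTED to resemble `pkg contents -m`
# output; only the attribute families named in the post are taken as real.

# origin_from_manifest: manifest on stdin -> one word on stdout.
# illumos-gate.info* is tested first, so a package carrying both families
# is still classified as illumos-gate, as the post's wording requires.
origin_from_manifest() {
    manifest="$(cat)"
    case "$manifest" in
        *'set name=illumos-gate.info'*) echo illumos-gate ;;
        *'set name=userland.info.'*)    echo oi-userland ;;
        *)                              echo not-rebuilt-since-dev ;;
    esac
}

# manifest_version: manifest on stdin -> component version taken from the
# pkg.fmri action, i.e. the text between '@' and ',' (1.4.12 in
# ...libpng@1.4.12,5.11-0.151.1.9:...).
manifest_version() {
    sed -n 's/^set name=pkg\.fmri value=[^@]*@\([^,]*\),.*/\1/p' | head -n 1
}

# version_lt A B: true (0) when dotted version A sorts before B numerically,
# so 1.4.12 < 1.4.17 and 1.9 < 1.10 (plain string comparison gets that wrong).
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        ai="${ai:-0}";  bi="${bi:-0}"
        if [ "$ai" -lt "$bi" ]; then return 0; fi
        if [ "$ai" -gt "$bi" ]; then return 1; fi
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    return 1
}

# fix_status MANIFEST FIXED_VERSION -> "older-than-fix" or "at-or-after-fix".
# "older-than-fix" is the cue to read the oi-userland component or the gate
# changelog, as the post suggests; the version string alone does not prove
# the package is unpatched, only that it is not reassuring.
fix_status() {
    v="$(printf '%s\n' "$1" | manifest_version)"
    if version_lt "$v" "$2"; then echo older-than-fix; else echo at-or-after-fix; fi
}

# ----- constructed samples (not real pkg output) ---------------------------
HIPSTER_LIBPNG='set name=pkg.fmri value=pkg://openindiana.org/library/libpng@1.4.17,5.11-2015.0.0.0:20151130T120000Z
set name=pkg.summary value="PNG reference library"
set name=userland.info.git-remote value=git://github.com/OpenIndiana/oi-userland.git
set name=userland.info.git-branch value=oi/hipster
file 0000000000000000000000000000000000000000 path=lib/libpng14.so.14.17.0 owner=root group=bin mode=0555'

DEV_LIBPNG='set name=pkg.fmri value=pkg://openindiana.org/library/libpng@1.4.12,5.11-0.151.1.9:20150901T000000Z
set name=pkg.summary value="PNG reference library"
file 0000000000000000000000000000000000000000 path=lib/libpng14.so.14.12.0 owner=root group=bin mode=0555'

# A gate package carrying both attribute families: illumos-gate.info* wins.
GATE_SYSLIB='set name=pkg.fmri value=pkg://openindiana.org/system/library@0.5.11,5.11-2015.0.0.0:20151130T120000Z
set name=illumos-gate.info.git-remote value=git://github.com/illumos/illumos-gate.git
set name=userland.info.git-remote value=git://github.com/OpenIndiana/oi-userland.git'

# Real use on an image:  pkg contents -m library/libpng | origin_from_manifest
printf 'hipster libpng: %s, %s\n' \
    "$(printf '%s\n' "$HIPSTER_LIBPNG" | origin_from_manifest)" "$(fix_status "$HIPSTER_LIBPNG" 1.4.17)"
printf 'dev libpng:     %s, %s\n' \
    "$(printf '%s\n' "$DEV_LIBPNG" | origin_from_manifest)" "$(fix_status "$DEV_LIBPNG" 1.4.17)"
printf 'gate package:   %s\n' "$(printf '%s\n' "$GATE_SYSLIB" | origin_from_manifest)"
```

The numeric version comparison matters more than it looks: pkg(5) versions are dotted integers, so a lexical comparison would rank 1.4.9 above 1.4.12. An "at-or-after-fix" result still only covers the upstream version; a /hipster component can also carry a backported patch under an older version string, which is why the reply sends you to the component directory or the gate changelog rather than stopping at the number.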