[OpenIndiana-discuss] OI roadmap (for production)

Paul Johnston paul.johnston at manchester.ac.uk
Mon Dec 7 16:24:31 UTC 2015 

You around tomorrow?

Paul

-----Original Message-----
From: Tim Mooney [mailto:Tim.Mooney at ndsu.edu] 
Sent: 07 December 2015 15:28
To: Discussion list for OpenIndiana
Subject: Re: [OpenIndiana-discuss] OI roadmap (for production)

In regard to: Re: [OpenIndiana-discuss] OI roadmap (for production), Stefan...:

> first of all, don't get me wrong. It wasn't the difference in security 
> fix frequency that I called a good point but the relevance of it. I 
> sure would not insult those keeping my favorite server OS alive! And 
> great to hear that the security alerts / CVEs are being patched on a 
> regular basis.
>
> As so often, this simply might be a matter of missing information. Is 
> there a CVE patch log? The current release notes under 
> http://wiki.openindiana.org/oi/Release+Notes don't seem to list any.

Yes, that's more my fault than Stefan's.  Stefan was responding to my comment.

I'm happy to see posts from both Alexander and Jim indicating that security issues are being addressed.

Based solely on posts to the list and page updates in the wiki, it's obvious that you two do a lot related to OI; it just wasn't clear to me that /dev was getting much attention (I know /hipster is the focus).

What would help me (and hopefully others) is if there were documentation on how we can verify whether an OI /dev package includes a particular patch.  Does that documentation exist?

Part of the issue is that if I run the software update utility or pkg update and there haven't been any package updates in months, it's hard to know whether a particular vulnerability has been patched.  At least on Linux, it's very easy to go back to the vendor package source and check to see if a particular patch is included.

Take libpng for example.  The latest OI /dev ships is 1.4.12.  Everything before 1.4.17 is vulnerable to CVE-2015-7981 and CVE-2015-8126.  Let's say that I had just installed a8 today and then updated to a9, so I didn't know whether libpng had been patched or not.  How would I check?

First I have to figure out if libpng is part of illumos or whether it's part of OI.  How do I determine that?  Check

 	https://github.com/illumos/illumos-gate

and see if it's there, and then check

 	https://github.com/illumos/illumos-userland

and if it's not listed in either, than it's OI?  Is that the best way to tell?

Once I figure out if a particular component comes from illumos or is specific to OI /dev, what then?  Check to see if there's a patch committed to -gate, -userland, or the OI equivalent?

I'm trying to find a way to verify component security that doesn't rely on more work from the few people that are already doing the security work, but it's not clear what a good method is to perform that verification.

Tim
-- 
Tim Mooney                                             Tim.Mooney at ndsu.edu
Enterprise Computing & Infrastructure                  701-231-1076 (Voice)
Room 242-J6, Quentin Burdick Building                  701-231-8541 (Fax)
North Dakota State University, Fargo, ND 58105-5164

_______________________________________________
openindiana-discuss mailing list
openindiana-discuss at openindiana.org
http://openindiana.org/mailman/listinfo/openindiana-discuss

More information about the openindiana-discuss mailing list