[OpenIndiana-discuss] OI roadmap (for production)
Jim Klimov
jimklimov at cos.ru
Tue Dec 8 11:14:54 UTC 2015
On 7 December 2015 at 17:24:31 CET, Paul Johnston <paul.johnston at manchester.ac.uk> writes:
>You around tomorrow?
>
>Paul
>
>-----Original Message-----
>From: Tim Mooney [mailto:Tim.Mooney at ndsu.edu]
>Sent: 07 December 2015 15:28
>To: Discussion list for OpenIndiana
>Subject: Re: [OpenIndiana-discuss] OI roadmap (for production)
>
>In regard to: Re: [OpenIndiana-discuss] OI roadmap (for production),
>Stefan...:
>
>> first of all, don't get me wrong. It wasn't the difference in
>security
>> fix frequency that I called a good point but the relevance of it. I
>> sure would not insult those keeping my favorite server OS alive! And
>> great to hear that the security alerts / CVEs are being patched on a
>> regular basis.
>>
>> As so often, this simply might be a matter of missing information. Is
>
>> there a CVE patch log? The current release notes under
>> http://wiki.openindiana.org/oi/Release+Notes don't seem to list any.
>
>Yes, that's more my fault than Stefan's. Stefan was responding to my
>comment.
>
>I'm happy to see posts from both Alexander and Jim indicating that
>security issues are being addressed.
>
>Based solely on posts to the list and page updates in the wiki, it's
>obvious that you two do a lot related to OI; it just wasn't clear to me
>that /dev was getting much attention (I know /hipster is the focus).
>
>What would help me (and hopefully others) is if there were
>documentation on how we can verify whether an OI /dev package includes
>a particular patch. Does that documentation exist?
>
>Part of the issue is that if I run the software update utility or pkg
>update and there haven't been any package updates in months, it's hard
>to know whether a particular vulnerability has been patched. At least
>on Linux, it's very easy to go back to the vendor package source and
>check to see if a particular patch is included.
>
>Take libpng for example. The latest OI /dev ships is 1.4.12.
>Everything before 1.4.17 is vulnerable to CVE-2015-7981 and
>CVE-2015-8126. Let's say that I had just installed a8 today and then
>updated to a9, so I didn't know whether libpng had been patched or not.
> How would I check?
>
>First I have to figure out if libpng is part of illumos or whether it's
>part of OI. How do I determine that? Check
>
> https://github.com/illumos/illumos-gate
>
>and see if it's there, and then check
>
> https://github.com/illumos/illumos-userland
>
>and if it's not listed in either, then it's OI? Is that the best way
>to tell?
>
>Once I figure out if a particular component comes from illumos or is
>specific to OI /dev, what then? Check to see if there's a patch
>committed to -gate, -userland, or the OI equivalent?
>
>I'm trying to find a way to verify component security that doesn't rely
>on more work from the few people that are already doing the security
>work, but it's not clear what a good method is to perform that
>verification.
>
>Tim
Might it make sense to use some pkg(5) metadata to list the CVEs known to be covered by a particular release+patch recipe used in the build? I know I'd quickly stop maintaining such data though, but there may be even more pedantic people than myself out there ;) And for a commercialized or otherwise paid effort, someone could be doing this Sisyphean task. Anyhow, someone has to revise if a CVE applies to our code and write down the inspection results somewhere - might as well accompany the relevant code snapshot.
Reminds me sort of like Sun's patch READMEs with lists of changelogs and bug IDs and errata...
--
Typos courtesy of K-9 Mail on my Samsung Android
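As an added illustration of the two verification routes discussed in this thread (Tim's "compare the shipped upstream version against the version that fixed the CVE" and Jim's "carry a list of covered CVEs in pkg(5) metadata"), here is a small Python audit helper. It is example code written for this archive page, not code from the thread, from OpenIndiana or from illumos. It parses the real pkg(5) FMRI layout (`pkg://publisher/name@component,build-branch:timestamp`) and the real `set name=... value=...` manifest action syntax, but the attribute name `org.example.cve` is a hypothetical placeholder (no such attribute exists in OI manifests), and the sample FMRI, timestamp and manifest are constructed. The libpng version and CVE numbers are the ones quoted in the thread.

```python
"""Audit whether an installed IPS (pkg(5)) package covers a given CVE.

Two signals are checked, in order:
  1. the upstream component version in the package FMRI, compared with the
     version that fixed the CVE;
  2. an explicit CVE list carried as a manifest 'set' attribute.  The
     attribute name 'org.example.cve' is a HYPOTHETICAL placeholder used
     only for this example; OpenIndiana manifests do not define it.
"""
import re
import shlex
from typing import Dict, List, Set

# pkg://publisher/name@component,build-branch:timestamp
FMRI_RE = re.compile(r"^pkg://(?P<pub>[^/]+)/(?P<name>[^@]+)@(?P<ver>[^,:]+)")

CVE_ATTR = "org.example.cve"  # hypothetical attribute name (assumption)


def version_from_fmri(fmri: str) -> str:
    """Return the upstream component version embedded in an IPS FMRI."""
    m = FMRI_RE.match(fmri)
    if not m:
        raise ValueError(f"not a pkg(5) FMRI: {fmri!r}")
    return m.group("ver")


def version_key(ver: str) -> tuple:
    """Dotted version -> comparable tuple of its numeric parts (1.4.12 -> (1, 4, 12)).
    Non-numeric suffixes such as '1.4.12b' are ignored rather than rejected."""
    return tuple(int(x) for x in re.findall(r"\d+", ver))


def manifest_attributes(manifest: str) -> Dict[str, List[str]]:
    """Collect every 'set name=K value=V [value=V ...]' action in a manifest.

    shlex handles quoted values such as value="PNG reference library".
    A name may carry several value= tokens; all are kept in order.
    """
    attrs: Dict[str, List[str]] = {}
    for line in manifest.splitlines():
        tokens = shlex.split(line.strip())
        if not tokens or tokens[0] != "set":
            continue
        name, values = None, []
        for tok in tokens[1:]:
            key, _, val = tok.partition("=")
            if key == "name":
                name = val
            elif key == "value":
                values.append(val)
        if name:
            attrs.setdefault(name, []).extend(values)
    return attrs


def declared_cves(manifest: str, attr: str = CVE_ATTR) -> Set[str]:
    """CVE identifiers the packager declared as covered (backported) in the manifest."""
    return set(manifest_attributes(manifest).get(attr, []))


def audit(fmri: str, manifest: str, cve: str, fixed_in: str) -> str:
    """Classify coverage of one CVE for one installed package.

    Returns 'fixed-upstream' when the shipped version is at or past the fixing
    release, 'fixed-backport' when the manifest explicitly claims the CVE, and
    'unknown' otherwise (the state Tim describes: an old version with no
    recorded evidence either way).
    """
    installed = version_from_fmri(fmri)
    if version_key(installed) >= version_key(fixed_in):
        return "fixed-upstream"
    if cve in declared_cves(manifest):
        return "fixed-backport"
    return "unknown"


# --- constructed sample input (the FMRI timestamp and branch are made up) ---
SAMPLE_FMRI = "pkg://openindiana.org/library/libpng@1.4.12,5.11-0.151.1.9:20131031T012345Z"
SAMPLE_MANIFEST = """\
set name=pkg.fmri value=pkg://openindiana.org/library/libpng@1.4.12,5.11-0.151.1.9:20131031T012345Z
set name=pkg.summary value="PNG reference library"
set name=org.example.cve value=CVE-2015-7981
"""

if __name__ == "__main__":
    # Everything before libpng 1.4.17 is vulnerable to both CVEs (per the thread).
    for cve in ("CVE-2015-7981", "CVE-2015-8126"):
        print(cve, audit(SAMPLE_FMRI, SAMPLE_MANIFEST, cve, "1.4.17"))
```

In practice the FMRI would come from `pkg info <package>` and the manifest from `pkg contents -m <package>`; the point of the split result is that a `unknown` answer is exactly the gap the thread is about, and the only way to turn it into `fixed-backport` is for whoever inspected the CVE to record the verdict alongside the package, as Jim suggests.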