Discussion:
NetBSD Security Advisory 2014-006
Ray Phillips
2014-06-16 08:53:01 UTC
Since there aren't going to be binaries containing the latest fixes
to ssh on nyftp.netbsd.org for a while, would someone post step by
step instructions to get the updated source code, compile it and
replace the faulty pieces of NetBSD please? The advisory just says
"Update src and rebuild and install." which is a bit too vague for me.

The machines I'm responsible for are running NetBSD/i386 6.1.4. It
seems the latest vulnerabilities are serious enough that machines
shouldn't be left running with them, so I'd rather not wait until
6.1.5 is released to repair them.


Ray
Manuel Bouyer
2014-06-16 11:20:59 UTC
On Mon, Jun 16, 2014 at 06:53:01PM +1000, Ray Phillips wrote:
> Since there aren't going to be binaries containing the latest fixes to ssh
> on nyftp.netbsd.org for a while,

builds have started again since yesterday.


> would someone post step by step
> instructions to get the updated source code, compile it and replace the
> faulty pieces of NetBSD please? The advisory just says "Update src and
> rebuild and install." which is a bit too vague for me.
>
> The machines I'm responsible for are running NetBSD/i386 6.1.4. It seems
> the latest vulnerabilities are serious enough that machines shouldn't be left
> running with them, so I'd rather not wait until 6.1.5 is released to repair
> them.

So you probably want:
cvs -d ***@anoncvs.netbsd.org:/cvsroot co -r netbsd-6-1 -P src
cd src
./build.sh -u -j2 -U release
this should build a distribution, i.e. the base.tgz, comp.tgz, etc ... files
in some subdirectory.

--
Manuel Bouyer <***@antioche.eu.org>
NetBSD: 26 years of experience will always make the difference
--
Ottavio Caruso
2014-06-16 12:08:27 UTC
On 16 June 2014 13:20, Manuel Bouyer <***@antioche.eu.org> wrote:
> On Mon, Jun 16, 2014 at 06:53:01PM +1000, Ray Phillips wrote:
>> Since there aren't going to be binaries containing the latest fixes to ssh
>> on nyftp.netbsd.org for a while,
>
> builds have started again since yesterday.

When are we going to see the first sets in binaries?

--
Ottavio
Manuel Bouyer
2014-06-16 13:28:42 UTC
On Mon, Jun 16, 2014 at 02:08:27PM +0200, Ottavio Caruso wrote:
> On 16 June 2014 13:20, Manuel Bouyer <***@antioche.eu.org> wrote:
> > On Mon, Jun 16, 2014 at 06:53:01PM +1000, Ray Phillips wrote:
> >> Since there aren't going to be binaries containing the latest fixes to ssh
> >> on nyftp.netbsd.org for a while,
> >
> > builds have started again since yesterday.
>
> When are we going to see the first sets in binaries?

a netbsd-6 build is already there but looks incomplete.
a HEAD build should also be there.

I've scheduled builds for release branches for the next round of builds,
they should show up in the next 24 hours or so.

--
Manuel Bouyer <***@antioche.eu.org>
NetBSD: 26 years of experience will always make the difference
--
Manuel Bouyer
2014-06-16 14:02:22 UTC
On Mon, Jun 16, 2014 at 03:39:15PM +0200, Ottavio Caruso wrote:
> On 16 June 2014 15:28, Manuel Bouyer <***@antioche.eu.org> wrote:
> > a HEAD build should also be there.
>
> Thanks, I've noticed that now.
>
> Which leads me to the next question: where are the docs for the releng layout:
>
> HEAD/
> HEAD-lint/
> HEAD-llvm/
> HEAD-mkkyua/
>
> Ok, I guess HEAD is built from -current, but lint, llvm and mkkyua?
> Developers' or machines' names?

build settings:
llvm is a build with llvm/clang compiler instead of gcc (MKLLVM=yes)
lint is a build with lint (MKLINT=yes)
mkkyua is a build with kyua instead of atf (MKKYUA=yes)

--
Manuel Bouyer <***@antioche.eu.org>
NetBSD: 26 years of experience will always make the difference
--
Ottavio Caruso
2014-06-16 13:39:15 UTC
On 16 June 2014 15:28, Manuel Bouyer <***@antioche.eu.org> wrote:
> a HEAD build should also be there.

Thanks, I've noticed that now.

Which leads me to the next question: where are the docs for the releng layout:

HEAD/
HEAD-lint/
HEAD-llvm/
HEAD-mkkyua/

Ok, I guess HEAD is built from -current, but lint, llvm and mkkyua?
Developers' or machines' names?

I couldn't find any mention of them in the general docs.





--
Ottavio
David Lord
2014-06-16 11:49:46 UTC
On 16 Jun 2014 at 18:53, Ray Phillips wrote:

> Since there aren't going to be binaries containing the latest fixes
> to ssh on nyftp.netbsd.org for a while, would someone post step by
> step instructions to get the updated source code, compile it and
> replace the faulty pieces of NetBSD please? The advisory just says
> "Update src and rebuild and install." which is a bit too vague for me.
>
> The machines I'm responsible for are running NetBSD/i386 6.1.4. It
> seems the latest vulnerabilities are serious enough that machines
> shouldn't be left running with them, so I'd rather not wait until
> 6.1.5 is released to repair them.
>

Hi

I've been using sysutils/sysbuild + sysutils/sysbuild-user
from pkgsrc. The package is still broken but only requires
${SYSBUILD_BINDIR="/usr/pkg"} to point to /usr/pkg/bin.

I use the default incremental builds which are quite fast
after the first pass. Only downside for me is that each of
my /home/sysbuild/nbsd-ver_arch/ directories needs > 20G
disk space. It's probably possible to run multiple
ver/arch from a single directory but my build pc with
2G ram ground to a halt with all swap+memory used up.


David

>
> Ray
Roy Bixler
2014-06-16 23:26:07 UTC
On Mon, Jun 16, 2014 at 11:49:46AM -0000, David Lord wrote:
> On 16 Jun 2014 at 18:53, Ray Phillips wrote:
>
> > Since there aren't going to be binaries containing the latest fixes
> > to ssh on nyftp.netbsd.org for a while, would someone post step by
> > step instructions to get the updated source code, compile it and
> > replace the faulty pieces of NetBSD please? The advisory just says
> > "Update src and rebuild and install." which is a bit too vague for me.
> >
> > The machines I'm responsible for are running NetBSD/i386 6.1.4. It
> > seems the latest vulnerabilities are serious enough that machines
> > shouldn't be left running with them, so I'd rather not wait until
> > 6.1.5 is released to repair them.
>
> I've been using sysutils/sysbuild + sysutils/sysbuild-user
> from pkgsrc. The package is still broken but only requires
> ${SYSBUILD_BINDIR="/usr/pkg"} to point to /usr/pkg/bin.
>
> I use the default incremental builds which are quite fast
> after the first pass. Only downside for me is that each of
> my /home/sysbuild/nbsd-ver_arch/ directories needs > 20G
> disk space. It's probably possible to run multiple
> ver/arch from a single directory but my build pc with
> 2G ram ground to a halt with all swap+memory used up.

I'm just getting into this myself, both for reasons of a device driver
problem I was having (see recent "timeout on siside0" thread for
details) and for the SSL security update. I use the old-fashioned
method of building from source with CVS as described in the Guide. It
took about the amount of space I would expect until I decided to try
the "live-image" option, which adds around 10 Gig. to the space
requirement. In contrast, building the "iso-image" didn't take nearly
as much of a hit. I haven't used the sysbuild package, but perhaps
this is what you're seeing?

By the way, I like the live-image, which works fine once built, but I
haven't seen much documentation on it.

--
Roy Bixler <***@nyx.net>
"The fundamental principle of science, the definition almost, is this: the
sole test of the validity of any idea is experiment."
-- Richard P. Feynman
David Lord
2014-06-17 10:29:22 UTC
On 16 Jun 2014 at 17:26, Roy Bixler wrote:

> On Mon, Jun 16, 2014 at 11:49:46AM -0000, David Lord wrote:
....
> >
> > I use the default incremental builds which are quite fast
> > after the first pass. Only downside for me is that each of
> > my /home/sysbuild/nbsd-ver_arch/ directories needs > 20G
> > disk space. It's probably possible to run multiple
> > ver/arch from a single directory but my build pc with
> > 2G ram ground to a halt with all swap+memory used up.
>
> I'm just getting into this myself, both for reasons of a device driver
> problem I was having (see recent "timeout on siside0" thread for
> details) and for the SSL security update. I use the old-fashioned
> method of building from source with CVS as described in the Guide. It
> took about the amount of space I would expect until I decided to try
> the "live-image" option, which adds around 10 Gig. to the space
> requirement. In contrast, building the "iso-image" didn't take nearly
> as much of a hit. I haven't used the sysbuild package, but perhaps
> this is what you're seeing?
>

Hi

Probably but disk space hasn't been any problem for me
over past few years.


Twice weekly builds:
20G nbsd-6_i386/ tools, 6x kernels, release, iso-image,
install-image, live-image

Weekly builds:
18G nbsd-6_amd64/ tools, release, iso-image, install-image,
live-image

23G nbsd-cur_i386/ tools, release, iso-image, install-image,
live-image

18G nbsd-cur_amd64/ tools, 1x kernel, release, iso-image,
install-image, live-image


My internet routers, servers and lan pcs were all nbsd-6/i386
but a couple of lan pcs were amd64 with > 3G ram and these
are now running nbsd-cur/amd64.


David