Discussion:
Binary solution for security advisory 2014-009..012?
J. Lewis Muir
2014-09-19 14:53:15 UTC
Hello, NetBSD Users.

In the NetBSD security advisories released on September 8 (i.e. 2014-009
to 2014-012 [1][2][3][4]) there are no binary-only instructions; the
only instructions are for compiling from source.

I'm not averse to compiling from source, but so far I have avoided
needing to do that and have simply applied binary fixes according to
the instructions in each security advisory. (I'm running 6.1.4.) My
question, then, is what is the normal way to stay fully patched when
running the latest stable version not compiled from source? Is it
normal to try to do what I've been doing, and the security advisories
noted above should have included binary instructions but didn't? Or
is it basically required that I have a full source tree and be able to
compile the kernel and userland in order to address security advisories?

Thank you!

Lewis

[1] http://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2014-009.txt.asc
[2] http://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2014-010.txt.asc
[3] http://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2014-011.txt.asc
[4] http://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2014-012.txt.asc
Christos Zoulas
2014-09-19 19:13:51 UTC
Post by J. Lewis Muir
> Hello, NetBSD Users.
> In the NetBSD security advisories released on September 8 (i.e. 2014-009
> to 2014-012 [1][2][3][4]) there are no binary-only instructions; the
> only instructions are for compiling from source.
> I'm not averse to compiling from source, but so far I have avoided
> needing to do that and have simply applied binary fixes according to
> the instructions in each security advisory. (I'm running 6.1.4.) My
> question, then, is what is the normal way to stay fully patched when
> running the latest stable version not compiled from source? Is it
> normal to try to do what I've been doing, and the security advisories
> noted above should have included binary instructions but didn't? Or
> is it basically required that I have a full source tree and be able to
> compile the kernel and userland in order to address security advisories?
> Thank you!
> Lewis
> [1] http://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2014-009.txt.asc
> [2] http://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2014-010.txt.asc
> [3] http://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2014-011.txt.asc
> [4] http://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2014-012.txt.asc

All four are kernel related, so you just need to get a fresh kernel and modules
from the build cluster; alas it is down right now, but it should be up tonight.

http://nyftp.netbsd.org/pub/NetBSD-daily/netbsd-6-1/201409140210Z/

christos
Greg Troxel
2014-09-19 23:01:29 UTC
For me, the normal thing is to build from source with BUILD-NetBSD and
do an overlay install with INSTALL-NetBSD from
pkgsrc/sysutils/etcmanage, following netbsd-6 (or -5 or -7). Once you
get etcmanage set up, this is nearly trivial, and updates lots of fixes,
not just security patches.

Note that the above is basically "prepare binary update" and "install
binary update".

But, I agree that it would be nice to have a binary auto-update
mechanism supported.
J. Lewis Muir
2014-09-23 18:01:50 UTC
Post by Greg Troxel
> For me, the normal thing is to build from source with
> BUILD-NetBSD and do an overlay install with INSTALL-NetBSD from
> pkgsrc/sysutils/etcmanage, following netbsd-6 (or -5 or -7). Once
> you get etcmanage set up, this is nearly trivial, and updates lots of
> fixes, not just security patches.

Hi, Greg.

OK, I've started to try that.

Thanks for the suggestion!

Lewis
