On Thu, Sep 06, 2001 at 01:57:57PM -0400, Steven M. Bellovin wrote:
> The instructions here don't (quite?) work.  I'll focus on the 1.5 
> version, but I think there are bugs in the others as well.
> 
> First, 'patch' says that it can't find the file.  I suspect that I have 
> to use -p3.

That's a good suggestion. I'll discuss that with the Security Officers,
and we'll probably add it to our advisory template.

>  Second, will that 'make' recompile the entire world, or 
> just libc?  I'd guess the former -- shouldn't there be a 'cd lib/libc'
> before the make?

Yes there should be. I'll fix that right now.

> Finally -- and this ties in to another thread -- this is no way to run 
> an airline.  At least for "supported" systems, it would be nice to have 
> a tarball with the recompiled libc plus the static binaries listed 
> below.  In fact, it's not just nice, it's essential, since everyone 
> with more than one machine will now need to create such tarballs for 
> themselves.  (Multiple architectures?  Of course there are multiple 
> architectures.  How do you know the code works, or even compiles, on 
> those architectures if you haven't tried it?)  I also note that FreeBSD 
> has an experimental binary patch facility, and OpenBSD has a cumulative 
> tarball with all patches.

There's no simple answer to the above. The Security Officers endeavour
to provide as complete a service as possible with the volunteer
resources available. There are many things that could be improved - some
take time to setup, some require ongoing resources. A good way to
prepare, test, release, and install binary patches is something we have
an interest in, but there's no complete solution yet.

-- 
David Maxwell, david@vex.net|david@maxwell.net --> Although some of you out
there might find a microwave oven controlled by a Unix system an attractive
idea, controlling a microwave oven is easily accomplished with the smallest
of microcontrollers. - Russ Hersch - (Microcontroller primer and FAQ)