On Wed, 27 Sep 2000 09:16:45 +0100 (BST), David Brownlee wrote:

> On Wed, 27 Sep 2000, Nick Boyce wrote:
>=20
> > I wasn't sure where to find file src/libexec/ftpd/ftpd.c; I've now
> > tracked it down to being included in sys.tgz (is that the right place
> > ?) - and downloaded that from
> > ftp.netbsd.org/pub/NetBSD/NetBSD-1.4.2/source/sets to
> > /usr/local/updates on my box.
> >=20
> 	Hmm - syssrc.tgz should be the kernelsource - it should be in
> 	'src.tgz'.

Sorry - you're quite right - I meant "src.tgz" - I was away from the
box while typing that message ...

[...]
> > (I) applied the patch ... and got the following binary :
> >   -rwxr-xr-x  1 root  wheel  109383 Sep 26 20:57 ftpd
> >=20
> > But this binary is considerably larger than the released 1.4.2=20
> > binary :
> >   # ls -l /usr/libexec/ftpd
> >   -r-xr-xr-x  1 root  wheel  85460 Mar  3  2000 /usr/libexec/ftpd
[...]
> 	It may be that its stripped when being installed - try 'strip
> 	ftpd'.

That seems to be it - I ran 'strip ftpd' and got a binary of exactly
the same size as the release version.

> > Also, how should I install the new binary ?  Using "make install", or
> > do I just copy the binary to /usr/libexec and make sure it's
> > permissions are set the same as the original ?
> >=20
> 	'make install' should do the right thing.

Thanks (noting the comment from Manuel Bouyer that I would also need
to extract src/libexec/Makefile.inc from the tarball in order for
'make install' to work).

>   ... When you
> 	have everything working your end would you be willing to
> 	contribute a set of notes?

I'd be happy to - I'm already building a document - where should I
send it for review ?   And what format - plain text, or HTML in the
style of a www.netbsd.org webpage ?

One final issue - problem even: I note that the patch doesn't change
the daemon's version string - it hasn't changed from=20

  220 rccnx4 FTP server (Version: 7.1.0) ready.

So how are we to tell that the patch is in ?
(You know - my successor, after I've gone, and nobody can find the
system documentation ;-).  Satan-style vulnerability scanners wouldn't
know what to think either (which might be a good thing :-).

I wondered whether I should post this query to the tech-security list,
but I note that that doesn't seem to be an active list (last posting
in Dec 1999 !?), and I also guess the NetBSD project likes things the
way they are on this point.  What's the score here ?

I realise a simple version number increment doesn't really cover it
(some people might not apply every patch), but maybe a "patch-present"
bitmap, displayed as a hex string ...

Thanks to you & Manuel your help.
Nick Boyce
Bristol, UK

--
"A *real* smart bomb would call in sick, perhaps move to another
country, changing its name in the process, open a beach bar maybe
and live out its days in safe anonymity."=A0 -- Barry O'Neill in rhod