Subject: Re: NetBSD Security Advisory 2007-004: Insufficient length
To: Anne Bennett <>
From: Alan Barrett <>
List: tech-security
Date: 07/28/2007 21:19:46
On Sat, 28 Jul 2007, Anne Bennett wrote:
> I have tried this (cd /usr/src; cvs update sys/netiso/clnp_subr.c) and
> as far as I can tell by the date stamps on clnp_subr.c (mod time
> 2005-02-26, ctime 2007-01-16 which is when I installed the system), I
> am not getting updated code.  This is NetBSD 3.1 release (based on the
> contents of /usr/src/CVS/Tag: Nnetbsd-3-1-RELEASE).

That's a release tag, not a branch tag, so "cvs update" will do nothing.
If you had a branch tag, such as "netbsd-3-1" or "netbsd-3" instead of
"netbsd-3-1-RELEASE", then "cvs update" would attempt to update to a
later revision on the same branch.

"cvs update -r netbsd-3-1 ${filename}" should do the right thing.  I
suppose the instructions in the security advisory should be improved.

It would also be possible to change the process for creating the source
tarballs that are shipped with releases, such that they appear to
contain a branch tag instead of a release tag.  For example, a recursive
search and replace in all src/**/CVS/Tag files could be performed before
rolling the tarballs.

--apb (Alan Barrett)