Subject: Re: The pkgsrc-2006Q1 branch
To: None <pkgsrc-users@NetBSD.org>
From: Anne Bennett <anne@porcupine.montreal.qc.ca>
List: pkgsrc-users
Date: 03/31/2006 14:11:11
Steven M. Bellovin responds to my query:
>> I have installed about 300 packages from source, based on 2005Q4
>> (and occasional updates to 2005Q4 since last December). What does
>> it mean to me in practice that 2005Q4 has been deprecated? Is it
>> expected that I would re-install all of my software every few
>> months? If not, how long will security patches continue to be made
>> on 2005Q4? If I want an update to a particular package as found
>> in a more recent pkgsrc branch, is there a way that this update
>> can coexist peacefully with the rest of my installed software,
>> short of giving it a whole separate directory hierarchy?
> Pkgsrc usually does not contain security bug fixes, though there are
> exceptions.
Sure; I have "cvs update"d shortly after audit-packages reported a
problem, and found that the problematic package had had the "nb" part
of its version number updated, and that appropriate patches had been
made. I have found this very helpful, though I admit that I have
often resorted to "make replace" to avoid unwanted recompilations and
updates. :-/
> The problem is that dependencies change.
I understand that, and I can only imagine the complexity of keeping the
dependencies properly synched.
I think I may not have expressed my question clearly. I'll try again,
at the risk of being verbose.
I've been using NetBSD on my home machine (well, a succession of
machines over the years) for about a decade, and still things happen
that make me realize that I don't completely understand the NetBSD
system administration model. This is frustrating in view of the
fact that I've been a Unix sysadmin for 15 years now - that is, I
don't think the fault is entirely my lack of understanding. I've
dealt in the past mainly with SunOS, early Solaris, Ultrix,
OSF1/Digital-Unix/Tru64, and a smattering of others such as MIPS
and Slackware Linux. Where I currently work, servers are mostly
Solaris (7, 8, 9) and RHEL 3.
I may or may not think that those vendors are doing a good job
(some are doing a terrible job, especially in view of whay we pay
them!), but I feel I do understand what they expect me to do in
terms of keeping the system patched. There is usually a system of
e-mailed alerts, and a way to apply needed patches.
With respect to NetBSD, the operating system, I'm happy with the
format of the recent security advisories: it's clear which systems
are affected, and what minimal change I need to make to get rid of
the problem (update such-and-such a file using this cvs command,
recompile and reinstall this package using that command, replace
the kernel, etc.). The only improvement I could imagine would be
a program similar to "audit-packages", which would notify me of
which updates needed to be applied on a particular system, so that
I would not have to keep track myself. But overall, for the O/S,
the alert+patch system works.
With respect to the pkg system, I'm not there yet.
> There are no great solutions here. You can periodically refresh your
> entire /usr/pkg tree; if you're lucky, you can do the rebuilds via
> pkg_comp in a chrooted partition. Or you can use pkg_chk to rebuild
> everything, or lintpkgsrc+pkgdepgraph to figure out what's out of
> date. About 1 time in 3 that I try this, I find that *something* won't
> rebuild.
Your answer makes me suspect that either you're in the same position
as I am, or, perhaps, the system administration model for pkgsrc is
not well developed yet. If we run audit-packages, as is recommended,
we get the alerts, and what's really nice is that we get alerted only
for actual vulnerable software that's installed. So part 1 works
really well.
But part 2, what to do about a vulnerable package, is the part that
either I have not understood, or has not been fully solved. It's
possible that the answer to it will be quite different from the answer
to the question of how I voluntarily upgrade a particular package (and
its dependency graph as needed) without trashing everything and
starting over.
I want to make it clear that it's not my intention to discourage
volunteers whose work I benefit from and whose expertise I admire;
on the contrary, you all have my gratitude. This O/S and pkg get
better all the time, and the fact that I continue using it speaks
eloquently, I hope.
But I think that the mental model for the system administration of
pkgsrc needs to be reviewed, or perhaps simply communicated more
clearly (I'll be embarrassed if this is on a web page somewhere, but
if so, I haven't seen it yet). In that spirit, I'd like to ask the
designers of the pkg system:
(a) When audit-packages tells me that an installed package has a
vulnerability, what actions do you recommend that I perform
in reaction to that report? (Each package's web page states "If
you have a vulnerable package installed on any machine, you are
advised to remove the package immediately" - which is not
terrifically helpful in practice!)
(b) When I want to upgrade a particular package (for example because
I need its new functionality), how do you recommend that I do
this, bearing in mind that I have a lot of other software
installed and in use on the system?
Anne.
--
Ms. Anne Bennett, as a private citizen: anne@porcupine.montreal.qc.ca
Also reachable more officially at work: anne@encs.concordia.ca