Subject: Re: Handling of security reports for bootstrapped pkgsrc tools on
To: John Klos <john@ziaspace.com>
From: Adrian Portelli <adrianp@stindustries.net>
List: tech-security
Date: 01/10/2005 09:50:28
As I see it there are a number of binaries that could be installed by 
the bootstrap process depending on which OS you are on:

pax, mtree, sed, libnbcompat, bmake, tnftp, digest and pkg_install
(am I missing any?)

There could also be some other scripts/tools installed by bootstrap itself:

bmake, strip and bsd_install

Now for the first list it looks like the bootstrap process just dives 
into the relevant part of pkgsrc src and builds and installs the 
packages it needs.  So we should look to maybe adding some extra entries 
to the initial pkgdbdir that's created to cover these.  That way an 
audit-packages run will pick these up.

Now for the second list . . . an entry for bootstrap itself in pkgdbdir?

adrian.

John Klos wrote:
>> I've a question about reporting security issues with pkgsrc tools that 
>> are installed on non-NetBSD systems via the bootstrap package. Since 
>> they're not actually recorded as packages (except for digest), they 
>> can't be audited by audit-packages.  Consequently, if an issue arises, 
>> as one with tnftp has recently, how is communication of this fact 
>> handled? Perhaps this is the first time it's come up?
> 
> 
> Good point. But is there ever an instance where audit-packages is used 
> on a system where pkgsrc tools are not? This seems to be a good 
> candidate for a special case for audit-packages to check the version of 
> pkg_tools so that insecurities can be reported (pkg_info -V, for 
> instance). That'd just need to be added to audit-packages.
> 
> John Klos
> 
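Added illustration, not part of this thread and not pkgsrc's own audit-packages code: a simplified Python model of the check that Adrian's suggestion relies on, a vulnerability list matched against whatever the pkgdb records. It shows the same system audited twice, once with only digest recorded (as a plain bootstrap leaves it) and once with the bootstrap-built tools recorded as well. All package versions, the vulnerability lines, their URLs and the matching rules are constructed assumptions; the real pkg-vulnerabilities file uses full dewey matching and glob patterns, which this model does not implement.

```python
"""Simplified model of an audit-packages style check (added example, not
pkgsrc code).  Every version, advisory line and URL below is constructed."""
import re

# Constructed vulnerability list in the general shape of pkg-vulnerabilities:
# "<package-pattern> <kind-of-problem> <reference>".  Placeholder data only.
VULN_LIST = """\
tnftp<20050101 remote-code-execution http://example.invalid/advisory-tnftp
pax<20040101 directory-traversal http://example.invalid/advisory-pax
bmake<20041201 local-privilege-escalation http://example.invalid/advisory-bmake
"""

# Constructed pkgdb contents: package name -> installed version.
# A plain bootstrap only records digest, so the other tools are invisible.
PKGDB_BOOTSTRAP_ONLY = {"digest": "20050101"}

# The same machine if bootstrap also registered the tools it built.
PKGDB_WITH_BOOTSTRAP_TOOLS = {
    "digest": "20050101",
    "tnftp": "20040501",
    "pax": "20040501",
    "bmake": "20050101",
    "pkg_install": "20050101",
}

OPS = {
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
}


def version_key(version):
    """Turn '1.2.3' or '20050101' into a comparable tuple (simplified dewey).
    Each dot-separated piece becomes (numeric-prefix, remaining-text)."""
    parts = []
    for piece in version.split("."):
        m = re.match(r"(\d*)(.*)", piece)
        num = int(m.group(1)) if m.group(1) else -1
        parts.append((num, m.group(2)))
    return tuple(parts)


def parse_pattern(pattern):
    """Split 'tnftp<20050101' or 'foo>=1.0<1.2' into
    (name, [(operator, version), ...]).  A bare name has no conditions."""
    ops_at = [i for i, ch in enumerate(pattern) if ch in "<>"]
    if not ops_at:
        return pattern, []
    name, rest = pattern[:ops_at[0]], pattern[ops_at[0]:]
    conds = re.findall(r"([<>]=?)(\d[0-9A-Za-z.]*)", rest)
    return name, conds


def pattern_matches(pattern, name, version):
    """True when the installed (name, version) satisfies every condition."""
    pname, conds = parse_pattern(pattern)
    if pname != name:
        return False
    installed = version_key(version)
    return all(OPS[op](installed, version_key(v)) for op, v in conds)


def parse_vuln_list(text):
    """Yield (pattern, kind, url) for each non-empty, non-comment line."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pattern, kind, url = line.split(None, 2)
        entries.append((pattern, kind, url))
    return entries


def audit(pkgdb, vuln_text):
    """Return [(name, version, kind, url)] for every recorded package that
    matches an entry.  Packages absent from the pkgdb can never be reported."""
    hits = []
    for pattern, kind, url in parse_vuln_list(vuln_text):
        for name, version in sorted(pkgdb.items()):
            if pattern_matches(pattern, name, version):
                hits.append((name, version, kind, url))
    return hits


if __name__ == "__main__":
    for label, db in (("bootstrap-only pkgdb", PKGDB_BOOTSTRAP_ONLY),
                      ("pkgdb with bootstrap tools", PKGDB_WITH_BOOTSTRAP_TOOLS)):
        print(label, "->", audit(db, VULN_LIST) or "nothing reported")
```

Run as a script it reports nothing for the bootstrap-only pkgdb and flags the constructed tnftp entry once the bootstrap tools are recorded, which is the gap in the thread: the vulnerable binary is on disk either way, but only a pkgdb record lets the audit see it.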