Date: Thu, 21 Feb 2008 09:37:54 +0100 (CET)
From: "Pierre-Yves Rofes" <py@...too.org>
To: oss-security@...ts.openwall.com
Subject: Re: code review CVS
On Thu, February 21, 2008 7:24 am, Vincent Danen wrote:
> * [2008-02-20 17:51:47 -0800] Kees Cook wrote:
>
>>> I like the patch idea, however. A "vendor patch" database of sorts
>>> would be nice (would save me from hunting from, say, ubuntu packages
>>> for a patch for something they already fixed, or looking at ubuntu for one,
>>> and SUSE for another because of version differences).
>>
>>I'd really like to have at least a "how to find a patch for [distro],
>>release [version]". I have an easier time finding Debian patches,
>>for example, since http://snapshot.debian.net/ exists. Ubuntu is a
>>bit less patch-hunter-friendly in that regard, but we try to always keep
>>patches external to the source tree, so they're easy to locate from
>>change logs. Doing this with src.rpms follows a similar convention,
>>but can sometimes get tricky too. Finding them can sometimes be a chore
>>-- I always bang my head when looking for RHEL src.rpms. :)
[...]
> And I'd *love* to see what the Gentoo folks will link to.. =) They have
> to be the biggest head-scratcher for me.
>
It's true that we currently don't have a centralized place for patches,
maybe we should work something out. For now, I'd say that the best option
is to use:
http://sources.gentoo.org/viewcvs.py/gentoo-x86/<category>/<pkg>/
Then all patches should be in the "files" directory.
e.g. if you want the last patch for an integer overflow in tcpdump, you'll
find it in:
http://sources.gentoo.org/viewcvs.py/gentoo-x86/net-analyzer/tcpdump/files/
But FYI, we generally use the patches from Debian :)
--
Pierre-Yves Rofes
Gentoo Linux Security Team
Please check out the Open Source Software Security Wiki, which is the
counterpart to this mailing list.
Hosted by DataForce ISP -
Powered by Openwall GNU/*/Linux