Userland patch level

Dag-Erling Smørgrav des at des.no
Sun Oct 6 11:18:52 UTC 2013


Peter Wemm <peter at wemm.org> writes:
> IMHO, promoting the parsing of strings like this is fraught with danger.  The
> canonical one-true-version is __FreeBSD_version, I'd much rather encourage
> people to refer to that, and it is available in newvers.sh in the same way
> that you're building it now.

The kernel and userland versions do not necessarily match, even in
supported configurations.

newvers.sh is not necessarily available at run time.

> freebsd-version.sh.in seems fragile as presented.  It's missing
> loader.conf.local parsing, hardcodes the assumption that you use /boot
> (vs /efi), etc.

I wasn't aware of loader.conf.local.  I'll add support for it.

I don't know anything about efi.

As for hardcoding assumptions: like the man page says, this is a *best
effort* which is intended to work in the common case, i.e. either "make
buildworld buildkernel installworld installkernel" from a clean,
consistent tree or "freebsd-update fetch install".

> The usage string has a -i option that doesn't seem to exist.

Thanks, I'll fix that.

> Secteam does bump the osreldate for patch releases, right?

We bump newvers.sh.

> Wouldn't that be sufficient for userland audit tools to reliably
> identify vulnerable userlands?

No.

I don't particularly enjoy answering the same questions over and over
again.  If you have any more questions, please read one of the previous
threads on this subject and / or the minutes from the security session
at the Malta summit.

DES
-- 
Dag-Erling Smørgrav - des at des.no
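An added example, not DES's freebsd-version.sh and not code from anyone in the thread: a POSIX sh sketch of the loader.conf / loader.conf.local lookup Peter asks for, reading loader.conf first and letting loader.conf.local override it, with the boot directory passed as a parameter instead of hardcoded to /boot. The variable names `kernel` and `bootfile` are taken from loader.conf(5); their defaults, the helper names and the sample configuration files (written to a temp directory) are constructed here for illustration.

```shell
#!/bin/sh
# Added example, not the freebsd-version.sh from the thread: resolve which
# kernel file the loader will boot by reading loader.conf and then
# loader.conf.local (a later file overrides an earlier one), with the boot
# directory passed in instead of hardcoded to /boot.

# read_loader_var DIR NAME: print the value of NAME from DIR/loader.conf,
# overridden by DIR/loader.conf.local; print nothing if neither sets it.
# Only lines starting with NAME= are considered (no leading whitespace).
read_loader_var() {
    dir=$1; name=$2; value=
    for f in "$dir/loader.conf" "$dir/loader.conf.local"; do
        [ -r "$f" ] || continue
        while IFS= read -r line || [ -n "$line" ]; do
            case $line in
                "$name="*)
                    v=${line#*=}                 # text after the first '='
                    v=${v%%#*}                   # drop a trailing comment
                    v=$(printf '%s' "$v" | sed 's/[[:space:]]*$//')
                    v=${v#\"}; v=${v%\"}         # strip surrounding quotes
                    [ -n "$v" ] && value=$v      # last assignment wins
                    ;;
            esac
        done < "$f"
    done
    printf '%s\n' "$value"
}

# resolve_kernel [BOOTDIR]: print the path of the kernel the loader is
# configured to boot. The fallbacks kernel="kernel" and bootfile="kernel"
# are assumed defaults; BOOTDIR defaults to /boot but is not hardcoded.
resolve_kernel() {
    bootdir=${1:-/boot}
    kdir=$(read_loader_var "$bootdir" kernel)
    kfile=$(read_loader_var "$bootdir" bootfile)
    printf '%s/%s/%s\n' "$bootdir" "${kdir:-kernel}" "${kfile:-kernel}"
}

# Constructed demonstration: loader.conf selects the stock kernel, while
# loader.conf.local points at kernel.old, as an admin might after a bad
# upgrade. The .local setting must win, otherwise an audit tool reports
# the version of a kernel that is not the one being booted.
demo_dir=$(mktemp -d)
printf 'kernel="kernel"\nverbose_loading="NO"\n' > "$demo_dir/loader.conf"
printf '# rollback after failed upgrade\nkernel="kernel.old" # temporary\n' \
    > "$demo_dir/loader.conf.local"
resolve_kernel "$demo_dir"     # prints $demo_dir/kernel.old/kernel
```

Only the kernel that is configured to boot is resolved here; what version string that file actually carries is a separate question, which is the point DES makes about kernel and userland versions not necessarily matching.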

