determining vulnerable FreeBSD system components [Was: cvs commit: ports/security/portaudit-db/database portaudit.txt portaudit.xlist portaudit.xml]

Jacques A. Vidrine nectar at FreeBSD.org
Sun Aug 22 13:54:51 PDT 2004


On Sun, Aug 22, 2004 at 10:40:50PM +0200, Oliver Eikemeier wrote:
> Yup. We should use __FreeBSD_version for -STABLE and -CURRENT, since
> this is easily determinable.

__FreeBSD_version is not and should not be bumped for security
updates.  It is strictly for source (and perhaps in some cases,
binary) code compatibility, and security updates do not (should not)
impact code compatibility.

> I know -CURRENT is not supported, but it would
> be useful nevertheless. I don't know how to handle release branches
> though. Especially when only the affected binary is patched, without
> rebooting the system (and possibly bumping __FreeBSD_version). Maybe we
> should invent some kind of global registry where the (security) patches
> applied are recorded.

Yeah, that has also come up before.  Perhaps we should pick it up
again.  Also, this kinda relates to Julian's desire to have the
advisories in the source tree, so that when you checked out say
RELENG_4_10, you would get all the advisories that affected 4.10
(and ONLY those advisories).  That could of course work for -STABLE
and -CURRENT as well, but IIRC there were some objections due to the
realities of how we manage the source tree.  For example, I would not
like to need to have N different advisories for N different branches
(i.e. branching the advisory in CVS), but re@ has reasons they do not
want to allow the sliding of tags within src/.

Cheers,
-- 
Jacques Vidrine / nectar at celabo.org / jvidrine at verio.net / nectar at freebsd.org