Date: Thu, 21 Feb 2008 09:37:54 +0100 (CET)
From: "Pierre-Yves Rofes" <py@...too.org>
To: oss-security@...ts.openwall.com
Subject: Re: code review CVS

On Thu, February 21, 2008 7:24 am, Vincent Danen wrote:
> * [2008-02-20 17:51:47 -0800] Kees Cook wrote:
>
>>> I like the patch idea, however.  A "vendor patch" database of sorts
>>> would be nice (would save me from hunting from, say, ubuntu packages
>>> for
>>> a patch for something they already fixed, or looking at ubuntu for one,
>>> and SUSE for another because of version differences).
>>
>>I'd really like to have at least a "how to find a patch for [distro],
>>release [version]".  I have an easier time finding Debian patches,
>>for example, since http://snapshot.debian.net/ exists.  Ubuntu is a
>>bit less patch-hunter-friendly in that regard, but we try to alway keep
>>patches external to from the source tree, so they're easy to locate from
>>change logs.  Doing this with src.rpms follows a similar convention,
>>but can sometimes get tricky too.  Finding them can sometimes be a chore
>>-- I always bang my head when looking for RHEL src.rpms.  :)

[...]

> And I'd *love* to see what the Gentoo folks will link to.. =)  They have
> to be the biggest head-scratcher for me.
>

It's true that we currently don't have a centralized place for patches,
maybe we should work something out. For now, I'd say that the best option
is to use:

http://sources.gentoo.org/viewcvs.py/gentoo-x86/<category>/<pkg>/
Then all patches should be in the "files" directory.

e.g. you want the last patch for an integer overflow in tcpdump, you'll
find it in:
http://sources.gentoo.org/viewcvs.py/gentoo-x86/net-analyzer/tcpdump/files/

But FYI, we generally use the patches from Debian :)

-- 
Pierre-Yves Rofes
Gentoo Linux Security Team

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Hosted by DataForce ISP - Powered by Openwall GNU/*/Linux