DaemonForums  

Go Back   DaemonForums > OpenBSD > OpenBSD Security

OpenBSD Security Functionally paranoid!

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 29th November 2017
lea0342 lea0342 is offline
Port Guard
 
Join Date: Sep 2017
Posts: 20
Default Question about security fixes of ports compared to debian packages

Hi! i have a doubt lately because i noticed that the mailing list i am subscribed about debian security, has a lot of packages with security fixes for all debian branches, also if i made an "apt update && apt upgrade" in debian stable i can see those same packages updated, with the security fixes i previously get the email from the mailing list.

The thing is, that in the mailing lists i am subscribed for openbsd, (ports, ports-changed, etc) i don't see any security fix for the -stable nor for the -current branches (i know the stable branch only get security fixes via source code from cvs) but it didn't get the same security patches as debian have... for example this for firefox: https://www.debian.org/security/2017/dsa-4035 and in the openbsd ports page http://openports.se/www/firefox-esr it shows the same version, but i think is for -current branch only, if im running -stable, i need to get the update from source code cvs or via mtier, but also mtier didn't show any security fix for firefox https://stable.mtier.org/updates?release=62 so im like confused and wanted to understand better, the difference in security patches for openbsd compared for example, with debian, it's because the project has less manpower to have the same security fixes in stable, maybe it's because the security fixes aren't needed in first place due to being not harmfull for a default openbsd install, or why are these differences?

Thank you so much!
Reply With Quote
  #2   (View Single Post)  
Old 29th November 2017
lea0342 lea0342 is offline
Port Guard
 
Join Date: Sep 2017
Posts: 20
Default

Wow so funny, as i send the post, an email from the mtier subscription shows a lot of new stable packages were added to mtier security fixes, some were in the debian mailing list a couple of days before, others aren't there like the firefox one i mentioned on the first post.

I think maybe it's a manpower thing that openbsd has the security fixes in stable a couple of days behind debian for example... but also i wish to get notified from the changes in cvs for example so i can compile my own packages when the fix is available on the ports tree
Reply With Quote
  #3   (View Single Post)  
Old 29th November 2017
GarryR's Avatar
GarryR GarryR is offline
Real Name: Garry Ricketson
Spam Deminer
 
Join Date: Jul 2015
Location: Durango, Mx.
Posts: 254
Default

Quote:
maybe it's because the security fixes aren't needed in first place due to being not harmfull for a default openbsd install, or why are these differences?
The differences are because it is 2 entirely different operating systems, comparing the 2 and expecting them to be the same is not logical at all.
OpenBsd is considerably more secure, thus less need for constant updates and patches, this is one reason, of many I stopped using Debian, ... but that would be another topic.
__________________
My best friends are parrots
Reply With Quote
  #4   (View Single Post)  
Old 29th November 2017
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 6,241
Default

In most cases, -stable updates to OpenBSD ports are proposed and submitted by the port's maintainer, or, if there is no maintainer of record, then by anyone willing to develop them.

If you note an application of interest to you has had CVEs that have been resolved but there has not been an updated port posted to the ports@ mailing list, you are welcome to contact the maintainer. [1] The maintainer may not be aware of the update. If there is no maintainer, you are welcome to develop the appropriate port update and submit a patch set to the mailing list for consideration.

Generally, updates to an application will not qualify for -stable backporting, unless the update addresses one or more CVEs. [2]

---

[1] One of my ports, devel/codeblocks, was broken at 6.2-release due to the mass transition from the gcc to clang compiler. I had proposed a circumvention reverting to the gcc compiler, which was rejected. Another OpenBSD user pointed me to a fix from FreeBSD which I was completely unaware of. I applied the fix from FreeBSD to the OpenBSD port, and posted the patch sets for -current and -stable. The -current patch was committed.

[2] The -stable patch was not committed, so M:Tier will not build it. Any -release/-stable users would have to pull my patch from the ports@ archives and build locally to obtain a working codeblocks application.

Last edited by jggimi; 29th November 2017 at 09:34 PM. Reason: clarity
Reply With Quote
  #5   (View Single Post)  
Old 29th November 2017
cynwulf's Avatar
cynwulf cynwulf is offline
Spam Deminer
 
Join Date: Mar 2014
Posts: 229
Default

Quote:
Originally Posted by jggimi View Post
If you note an application of interest to you has had CVEs that have been resolved but there has not been an updated port posted to the ports@ mailing list, you are welcome to contact the maintainer. [1] The maintainer may not be aware of the update. If there is no maintainer, you are welcome to develop the appropriate port update and submit a patch set to the mailing list for consideration.
This is not how it works "Linux side". Debian and other Linux distributions do not differentiate between a "base system" and 3rd party software, so users expect a ready to go system complete with binary packages with latest security patches as standard. Many 'ex Linux people' just expect that OpenBSD will be much the same. As Linux is so poorly documented, just reading documentation before making assumptions or posting questions on web forums can be an alien concept (this is not knocking the OP, just an observation).
Reply With Quote
  #6   (View Single Post)  
Old 30th November 2017
lea0342 lea0342 is offline
Port Guard
 
Join Date: Sep 2017
Posts: 20
Default

Thank you everyone!, my only interest is to learn how the system i falled in love works, nothing more than that, for that, i readed the faq and the Absolute OpenBSD ebook with passion, but a couple of doubts still appear from time to time, things that are obvious to some but interesting to people who, come from other operating systems. So i in no way are comparing the two implying that OpenBSD should behave the same, or that i expected it to behave like linux in any way. That different working and simplicity is part of what make me falled in love with OpenBSD also.

So as i understand, it will be best to compare the ports and base security fixes, not against the debian packages that i receive daily, but with the original cve feed instead, https://nvd.nist.gov/download/nvd-rss-analyzed.xml maybe. and as explained before, notifying the port maintainer or trying to patching and pass to the ports mailing list.

So there's no way i could get only the list of security fixes to the ports and base system without chequing the mtier release builds? i mean a list or rss, or somewhere i could check only the security fixes applyed to the ports source tree for the -stable branch instead of the -current one? maybe not a list, rss or page, but any other method will be good, maybe the updated code of the ports cvs (pointing to the -stable ports branch) in my local machine could tell me of those security fixes so i could compile those ports on my system?
Reply With Quote
  #7   (View Single Post)  
Old 30th November 2017
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 6,241
Default

The OpenBSD ports tree is maintained via CVS. Options:
  • Maintain your own local copy of the -stable ports tree. $ cvs -q up -Pd will update the tree and report any changes. You can do this manually, or add it to your /etc/daily.local script. See the cvs(1) and daily(8) man pages, and the AnonCVS link at the Project website.
  • The ports-changes@ mailing list will post Changelog entries as they are committed. Any commits to 6.2-stable ports will be tagged OPENBSD_6_2.
  • The CVS Changelog file is posted to most mirrors daily[1]. However this is all commits to all repositories. Any commits to 6.2-stable are tagged OPENBSD_6_2.
---
[1]The Changelog update is currently broken at this time, it stopped on 16-Nov-2017. I only know this because the problem was reported to the bugs@ mailing list.
Reply With Quote
  #8   (View Single Post)  
Old 30th November 2017
Head_on_a_Stick's Avatar
Head_on_a_Stick Head_on_a_Stick is offline
Real Name: Matthew
Mostly Harmless
 
Join Date: Dec 2015
Location: London
Posts: 91
Default

I find that OpenBSD-current behaves in a very similar fashion to Debian unstable (at least in respect of third-party security coverage) — both systems draw their security fixes directly from upstream so they just need to be updated regularly to stay "safe".
__________________
Linux is for people who hate Windows. BSD is for people who love UNIX.
Reply With Quote
Reply

Tags
ports, security, stable

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
packages security fixes Martillo OpenBSD Packages and Ports 11 9th July 2015 04:29 PM
packages or ports? carusone OpenBSD Packages and Ports 4 1st December 2014 11:22 PM
Question about removing ports/packages Daffy OpenBSD Packages and Ports 2 16th October 2010 09:06 AM
packages vs ports zelut FreeBSD Ports and Packages 17 28th October 2009 08:19 AM
Packages vs. Ports guitarscn OpenBSD Packages and Ports 3 1st October 2008 04:43 AM


All times are GMT. The time now is 05:42 PM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2018, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick