[owl-users] maintenance of Owl systems - security updates, etc.

From: Solar Designer (solar@private)
Date: Tue Apr 04 2006 - 14:47:36 PDT


Hi,

On Tue, Apr 04, 2006 at 01:19:48PM -0500, Denzel Turner wrote:
>    Newbie here: Where do I go to find Security Patches and other general
> info on Owl 2.0? Owl 2.0 installed ok on an older CPU but I need to know
> what to do with this bad boy now that I have it working!!!

I hope I understood your question correctly.  You're used to seeing
other Linux distributions send out security advisories with links to
update packages, etc.

For Owl, we currently do not publish formal security advisories.
Instead, we maintain system-wide changelogs where security fixes are
marked specially.  If you're running Owl 2.0 and need to determine
whether to update, you can have a look at the changes applied to
2.0-stable since your last update (there won't be many):

	http://www.openwall.com/Owl/CHANGES-2.0-stable.shtml

If you'd like to stay at the cutting edge, you can similarly review the
changelog for Owl-current:

	http://www.openwall.com/Owl/CHANGES-current.shtml

Please note that unlike -stable changelogs which are exhaustive lists of
changes, the -current one lists only significant changes.

Whenever a serious security issue is fixed, we will post a heads up in
here.  Most likely, this will be another Linux kernel bug (yet to be
discovered) since our userland is rather good (as evidenced by the
two-year experience with Owl 1.1).

We might setup a formal notification mechanism for the availability of
security fixes eventually.

Once you've determined that you'd like to update a system, there are two
primary ways to do so:

1. Download the updated binary packages from the proper branch of Owl
(for updating 2.0-release, that would be either 2.0-stable or current).
Then "make installworld" them over your existing system.

2. Obtain the updates in source code form.  You will need the updated
CVS tree which may be obtained by a CVS checkout from our anoncvs
server or by downloading the native.tar.gz file from our FTP mirrors.
You might also need the updated "sources" tree - with tarballs, etc. of
third-party software that we base our packages upon - this one may be
obtained from the FTP mirrors only.  Then "make buildworld" and "make
installworld".  This may be tricky, especially for -current where
certain changes we apply are so invasive that they require multiple
iterations of buildworld and installworld until everything builds again.
(It is unlikely that any change in 2.0-stable would be this invasive.)

To download updated binary packages or replaced third-party source
tarballs, it is convenient to use lftp (included in Owl) and its
"mirror -e" command.  That way, you won't be downloading files which you
already have.

Perhaps we need a User's Guide which would describe this procedure in
detail.  Unfortunately, we don't have one currently.  So please ask any
further questions on this mailing list.

-- 
Alexander Peslyak <solar at openwall.com>
GPG key ID: B35D3598  fp: 6429 0D7E F130 C13E C929  6447 73C3 A290 B35D 3598
http://www.openwall.com - bringing security into open computing environments

Was I helpful?  Please give your feedback here: http://rate.affero.net/solar



This archive was generated by hypermail 2.1.3 : Tue Apr 04 2006 - 14:48:18 PDT