This is a discussion on Re: system auto security update over night within the lucky.openbsd.tech forums, part of the OpenBSD category.
On Tue, 16 May 2006 09:42:14 -0700 Kevan Benson <kbenson@a-1networks.com> wrote:
: For a good example of what it takes to do a quality patching system, look at
: Redhat. Look at all the aspects of their system (from up2date or yum) to
: their package manager (rpm with GPG signed packages for integrity) to their
: patching policy (back-patching security problems for the lifetime of the
: distribution release, 7 years).
:
: IMHO, that's what it takes for a real secure enterprise level patching system,
: and I doubt the openbsd developers would want to develop anything less
: secure, and I doubt they have the resources to implement something equivalent
: to this anytime soon. Mainly because of the back-patching. The rest is easy
: to implement or build, but the back-patching is very resource intensive.

Hmm... IMHO back-patching isn't that hard to implement but maybe memory intensive. One has to keep every original file that will be changed by a patch in some dir. For example, you apply a 2nd patch to httpd: to do so, the patching system could create a directory /var/patches(?)/httpd/2/ that will contain all files that will be replaced by new ones by the 2nd patch. If you want to uninstall the 2nd patch, you call the patching tool and this will install all patches back up to number 2 from /var/patches/httpd/<n>. This should not be such a big problem.

The gpg signed patches... hmm... gpg is not part of the official system. One could work with md5 etc. to use a checksum for that job. But it would still need some kind of a secure server hosting the patches, money to run it, binary patches, people who will create binary patches, ...

-steffen
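The per-patch backup directory and rollback that Steffen sketches above, worked into a small POSIX sh script as an added example (not code from the thread or from OpenBSD). It assumes a hypothetical layout where /var/patches/<pkg>/<n>/ is replaced by a temp dir, a stand-in root directory replaces /, and a cksum record stands in for the checksum idea; rolling back to patch n undoes every patch numbered n or higher, highest first, so earlier patches stay installed.

```shell
#!/bin/sh
# Added sketch of the rollback scheme from the reply above (not OpenBSD code).
# Before patch <n> for package <pkg> replaces a file, the original is copied to
# $PATCHROOT/<pkg>/<n>/<path> and a checksum of the new file is recorded.
# PATCHROOT and TARGET (a stand-in for /) default to temp dirs, so running this
# touches nothing on the real system; all paths and contents are constructed.
PATCHROOT="${PATCHROOT:-$(mktemp -d)}"
TARGET="${TARGET:-$(mktemp -d)}"

# apply_patch <pkg> <n> <relpath> <newfile>: save the current file, install new
apply_patch() {
    pkg=$1; n=$2; rel=$3; new=$4; save="$PATCHROOT/$pkg/$n"
    mkdir -p "$save/$(dirname "$rel")"
    cp -p "$TARGET/$rel" "$save/$rel"           # keep the original
    cp "$new" "$TARGET/$rel"
    printf '%s\n' "$rel" >> "$save/FILES"       # files this patch replaced
    cksum < "$TARGET/$rel" > "$save/$rel.cksum" # checksum of installed file
}

# rollback_to <pkg> <n>: undo every patch numbered >= n, highest first
rollback_to() {
    pkg=$1; n=$2
    for d in $(ls "$PATCHROOT/$pkg" | sort -rn); do
        [ "$d" -ge "$n" ] || continue
        while read -r rel; do
            cp -p "$PATCHROOT/$pkg/$d/$rel" "$TARGET/$rel"
        done < "$PATCHROOT/$pkg/$d/FILES"
        rm -r "$PATCHROOT/$pkg/$d"
    done
}

# verify_patch <pkg> <n>: exit status = number of files whose checksum changed
verify_patch() {
    pkg=$1; n=$2; save="$PATCHROOT/$pkg/$n"; bad=0
    while read -r rel; do
        [ "$(cksum < "$TARGET/$rel")" = "$(cat "$save/$rel.cksum")" ] || bad=$((bad + 1))
    done < "$save/FILES"
    return "$bad"
}

# demo: two patches to a constructed httpd.conf, then roll the second one back
demo() {
    mkdir -p "$TARGET/etc/httpd"; echo original > "$TARGET/etc/httpd/httpd.conf"
    echo patch1 > "$PATCHROOT/new1"; echo patch2 > "$PATCHROOT/new2"
    apply_patch httpd 1 etc/httpd/httpd.conf "$PATCHROOT/new1"
    apply_patch httpd 2 etc/httpd/httpd.conf "$PATCHROOT/new2"
    rollback_to httpd 2
    cat "$TARGET/etc/httpd/httpd.conf"   # prints: patch1
}
```

A real tool would also need to refuse a rollback when verify_patch reports a mismatch, since a file changed outside the patching system would otherwise be silently overwritten.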