packaging issue: how to update?

[hdm at metasploit.com (H D Moore)]

Hi Peter, comments inline.

On Wednesday 30 January 2008, Peter Volkov wrote:
> Thus providing package with installs Framework with .svn files is not a
> viable solution for package manager in Gentoo (and I suppose in other
> distributions too). But what alternatives do we have? Is it possible to
> release Framework more frequently whenever required updates were added?

It should be possible to duplicate the same method used by the Windows 
installer:

The package installs any required dependencies, a launch wrapper, and a 
tarball of the stable release, which itself includes the .svn 
directories. The first time the user runs the framework (through any of 
the launch wrappers), a local copy of the framework is extracted from the 
tarball, in their home directory, and the launcher redirects execution to 
the extracted interface (console, gui, etc). To update the framework, the 
user just enters the directory containing their local copy, and runs svn 
update (or a wrapper script does the same). 

While this method does waste disk space (~100mb per user), it solves a 
number of problems, including licensing issues, package management, and 
permissions.

> Is it possible to separate and update exploit database separately for
> the program itself?

Exploits often depend on changes made to the code as well -- for example, 
if a new SMB-related flaw comes out, and the existing SMB library is 
unable to provide access to that feature, then the exploit module and the 
library update would be pushed to the branch tree together. At some point 
in the future we may freeze the exploit API, but theres no guarantee of a 
new module working with a non-updated tree at this time. The 3.1 brought 
us closer, but it may not be until 3.2 (~6 months) before we can provide 
a versioned API for exploit modules.

As a happy Gentoo user, I would like to see this resolved as well ;-)

-HD