oss-sec mailing list archives

Re: code review CVS

From: Vincent Danen <vdanen () linsec ca>
Date: Thu, 21 Feb 2008 11:43:17 -0700

* [2008-02-21 08:49:52 +0000] Mark J Cox wrote:

hahah... as Mark can attest, you're not the only one.  I've had to email
him a few times looking for some obscure src.rpm.
We give the full path in our emailed advisories (except for the cases wherewe are shipping something not open source like java/acroread) but the pathsare not in the web based versions. Sohttp://www.redhat.com/archives/rhsa-announce/ since Nov 2007, or for olderstuff http://www.redhat.com/archives/enterprise-watch-list/
Once you get a rpm then unpacking it without installing it is easy:
rpm2cpio fn.rpm | cpio --make-directories --extract
And we nearly always ship the pristine upstream tarball along with eachpatch separately (exception being things like OpenSSL).
This is definately material for a 'how to find out how the vendor fixedthis' page.


Looks like Kees beat me to it:

http://oss-security.openwall.org/wiki/distro-patches

I've added Red Hat to this list based on the above info.

--
Vincent Danen @ http://linsec.ca/

Attachment: _bin
Description:

Current thread:

Re: code review CVS, (continued)
- Re: code review CVS Vincent Danen (Feb 18)
  - Re: code review CVS Sebastian Krahmer (Feb 18)
    - Re: code review CVS Vincent Danen (Feb 20)
    - Re: code review CVS Kees Cook (Feb 20)
    - Re: code review CVS Vincent Danen (Feb 20)
    - Re: code review CVS Pierre-Yves Rofes (Feb 21)
    - Re: code review CVS Mark J Cox (Feb 21)
    - Re: code review CVS Kees Cook (Feb 21)
    - Re: code review CVS Tomas Hoger (Feb 22)
    - Re: code review CVS Kees Cook (Feb 22)
    - Re: code review CVS Vincent Danen (Feb 21)
    - Re: extracting patches from SRPMs (Was: code review CVS) (GalaxyMaster) (Feb 21)
- Re: code review CVS Solar Designer (Feb 24)
  - Re: code review CVS Vincent Danen (Feb 24)