Differences

This shows you the differences between two versions of the page.

--- distro-patches [2008/11/10 23:20]
dannf reference kernel-sec repo
+++ distro-patches [2019/07/12 14:45] (current)
sasha_levin Add Microsoft LSG entry
@@ Line 11: / Line 11: @@
+===== ALT Linux =====
+  * Package searching can be done via [[http://packages.altlinux.org/]]
+  * Source code for packages built from [[http://en.altlinux.org/Gear|GEAR]] repositories:
+    * [[http://git.altlinux.org/gears/|http://git.altlinux.org/gears/<P>/<PACKAGE>.git]]
+  * Source code for packages built from source RPMs (automatically converted by [[http://docs.altlinux.org/manpages/gear-srpmimport.1.html|gear-srpmimport]]):
+    * [[http://git.altlinux.org/srpms/|http://git.altlinux.org/srpms/<P>/<PACKAGE>.git]]
 ===== Debian =====
-  * Package searching can be done via [[http://packages.debian.org/]].  Additionally, each version of a package is stored in the Debian [[http://snapshot.debian.net/|Source Snapshots]].
+  * Package searching can be done via [[http://packages.debian.org/]].  Additionally, each version of a package is stored in the  [[http://snapshot.debian.org/|Debian wayback machine]].  It may take some time until security updates are available in either place—they can be downloaded directly from [[http://security.debian.org/debian-security/pool/updates/main/]].
   * Workflow to extract differences:
     * Download and unpack desired version, read "debian/changelog" for previous version number
@@ Line 21: / Line 29: @@
       * use "debdiff" between the two ".dsc" files to extract the delta between packages
       * gunzip the two "diff.gz" files, and use "interdiff" to extract the delta between packages
-  * Auto-extracted patches: [[http://patch-tracking.debian.net/]].
+  * Auto-extracted patches: [[http://patch-tracker.debian.org/]].
-  * kernel issues are tracked in an [[http://svn.debian.org/wsvn/kernel-sec|svn repository]] with references to fixes in both debian and upstream releases
+  * kernel issues are tracked in an [[http://anonscm.debian.org/viewvc/kernel-sec/|svn repository]] with references to fixes in both debian and upstream releases
+  * List of packages embedding code from other projects is [[http://svn.debian.org/wsvn/secure-testing/data/embedded-code-copies?op=file|maintained in the secure-testing SVN repository]] and is [[http://wiki.debian.org/EmbeddedCodeCopies|linked to from the Debian Wiki]]
+  * Security tracker: [[http://security-tracker.debian.org/tracker/|http://security-tracker.debian.org/tracker/<CVE-id>]]
+===== Exherbo =====
+  * Most patches for a given package can be found at http://git.exherbo.org/. Choose the repository, switch to the "tree" view and under packages/<category>/<package name>/files, you'll find any patches we apply.
+  * Some packages require lots of patches, in which case patchsets in the form of tarballs are provided. These are usually referenced inside the respective exheres in DOWNLOADS.
 ===== Fedora =====
-  * ViewCVS:
+  * cgit for dist-git repository containing .spec files and patches for all Fedora packages:
-    * [[http://cvs.fedoraproject.org/viewcvs/rpms/|http://cvs.fedoraproject.org/viewcvs/rpms/<PACKAGE>]]
+    * [[http://pkgs.fedoraproject.org/cgit/|http://pkgs.fedoraproject.org/cgit/?p=<PACKAGE>.git]]
+  * Koji build system with all binary and source RPMs:
+    * [[http://koji.fedoraproject.org/koji/search|http://koji.fedoraproject.org/koji/search?match=glob&type=package&terms=<PACKAGE>]]
+  * Bodhi update system - all updates for given package in all current stable Fedora versions:
+    * [[https://admin.fedoraproject.org/updates/|https://admin.fedoraproject.org/updates/<PACKAGE>]]
+===== Frugalware =====
+  * gitweb for frugalware-current repository containing build scripts and patches for all Frugalware packages:
+    * [[http://git.frugalware.org/gitweb/gitweb.cgi?p=frugalware-current.git;a=tree;f=source|http://git.frugalware.org/gitweb/gitweb.cgi?p=frugalware-current.git;a=tree;f=source/<CATEGORY>/<PACKAGE>]]
 ===== Gentoo =====
-  * Most patches for a given package can be found at [[http://sources.gentoo.org/gentoo-x86/|http://sources.gentoo.org/<CATEGORY>/<PACKAGE>/files/]]
+  * Most patches for a given package can be found in git: [[https://gitweb.gentoo.org/repo/gentoo.git/tree/|https://gitweb.gentoo.org/repo/gentoo.git/tree/<CATEGORY>/<PACKAGE>/files/]]
+  * Find exact category/package via [[https://packages.gentoo.org/]] which also has direct links to gitweb.
   * Some packages require lots of patches, in which case patchsets in the form of tarballs are provided. These are usually created using patches at
-    * [[http://sources.gentoo.org/gentoo/src/patchsets/|http://sources.gentoo.org/gentoo/src/patchsets/<PACKAGE>/<VERSION>/]]
+    * [[https://sources.gentoo.org/gentoo/src/patchsets/|https://sources.gentoo.org/gentoo/src/patchsets/<PACKAGE>/<VERSION>/]]
-    * [[http://overlays.gentoo.org/|http://overlays.gentoo.org/<PROJECT>]]
+    * A project repository on [[https://gitweb.gentoo.org/]]
 ===== Mandriva =====
@@ Line 40: / Line 63: @@
   * Workflow:
     * rpm2cpio fn.rpm | cpio --make-directories --extract
+===== Microsoft Linux Systems Group =====
+  * WSL2 github repository: [[https://github.com/microsoft/WSL2-Linux-Kernel]]
+  * Azure Sphere, as well as any other sources are available at: [[https://3rdpartysource.microsoft.com/]]
+===== MontaVista LLC =====
+  * Access to product updates and fixes. (requires MontaVista account with a maintenance contract in place):[[https://support.mvista.com/]]
+    * Pro 4.x, CGE 4.x, Mobilinux 4.1, Pro 5.0.24, CGE 5.1 and etc ( None MVL6 and cge 6 ).
+      * Download updates using a web-browser or command line tool.
+    * MVL6 and CGE 6
+      * Use the Montavista command-line tool
 ===== OpenBSD =====
-  * Source code repository: [[http://www.openbsd.org/cgi-bin/cvsweb]]
+  * Source code repository: [[http://www.openbsd.org/cgi-bin/cvsweb/]]
+  * Unofficial git mirror: [[http://anoncvs.estpak.ee/cgi-bin/cgit/]]
   * Main source tree: 3rd party packages included in the main source tree have vendor branches allowing to extract local patches.
-  * Ports tree: patches are stored in patches sub-directory of each port.
+  * Ports tree: patches are stored in patches sub-directory of each port. The majority of ports tree security fixes are applied to the -stable branch for the last release e.g. [[http://anoncvs.estpak.ee/cgi-bin/cgit/openbsd-ports/log/?h=OPENBSD_5_0|OPENBSD_5_0]].
 =====OpenSUSE and SUSE Linux=====
   * Every advisory includes a list of new source-rpm (suffix: ''.src.rpm'') files for example:
     * http://download.opensuse.org/pub/opensuse/update/10.3/rpm/src/postgresql-8.2.6-0.1.src.rpm
-  * Sources by SUSE distribution:
-    * Factory (current development): http://download.opensuse.org/distribution/SL-OSS-factory/inst-source/suse/src/
+  * Sources for openSUSE distribution:
-    * openSUSE 10.3 updates: http://download.opensuse.org/pub/opensuse/update/10.3/rpm/src/
+    * Releases: http://download.opensuse.org/pub/opensuse/source/distribution/
-    * openSUSE 10.2 updates: ftp://ftp.suse.com/pub/suse/update/10.2/rpm/src/
+    * Updates: [[http://download.opensuse.org/pub/opensuse/update/|http://download.opensuse.org/pub/opensuse/update/<VERSION>/rpm/src/]]
-    * SUSE Linux 10.1 updates: ftp://ftp.suse.com/pub/suse/update/10.1/rpm/src/
+    * Factory (current development): http://download.opensuse.org/pub/opensuse/factory/repo/src-oss/suse/
   * Sources for SUSE Linux Enterprise distributions (requires Novell account with a maintenance contract in place):
     * SLES 9 updates: https://you.novell.com/update/i386/update/SUSE-CORE/9/sources/
     * SLES 10 updates: (trying to find a good way -MarcusMeissner)
+  * CVE-to-Update mapping:
+    * [[http://support.novell.com/security/cve/|http://support.novell.com/security/cve/<CVE-id>.html]]
   * Download this file using a web-browser or command-line tools like ''wget'' or ''curl''.
   * The patches are part of the  source-rpm file and can be extracted by one of the following ways:
     * rpm2cpio postgresql-8.2.6-0.1.src.rpm | cpio --make-directories --extract
@@ Line 83: / Line 124: @@
     * Go to Devel repository for the latest update (Go to Pardus 2007 repository for updates to older versions or backports of the fix)
     * Browse to the package name and click
-    * You can see all applied patches and release history at the end of the page.
+    * You can see all applied patches and release history at the end of the page. =====
+===== pkgsrc (NetBSD Packages Collection for multiple OS's incl. *Bsd, Linux, Solaris, OSX, etc.) =====
+  * Package information including links to package sources can be found here: [[ftp://ftp.netbsd.org/pub/pkgsrc/current/pkgsrc/README.html]]
+  * Patches maintained against the upstream distributions are located in the patches subdirectory of each package
+  * CVS history of all packages can be browsed at [[http://cvsweb.netbsd.org/bsdweb.cgi/pkgsrc/]]
 ===== Red Hat =====
-  * Source RPMs for released updates are available on Red Hat FTP server: [[ftp://ftp.redhat.com/pub/redhat/linux/]]
+  * Source RPMs of released updates are available via Red Hat FTP server or CentOS Git server:
-    * GA versions and updates for RHEL5: [[ftp://ftp.redhat.com/pub/redhat/linux/enterprise/]]
+    * Red Hat Enterprise Linux 7: [[https://git.centos.org/project/rpms|https://git.centos.org/summary/?r=rpms/<PACKAGE>/]]
-    * Updates for RHEL2.1 - RHEL4: [[ftp://ftp.redhat.com/pub/redhat/linux/updates/enterprise/]]
+    * Red Hat Enterprise Linux 5 and 6: [[ftp://ftp.redhat.com/pub/redhat/linux/enterprise/]]
-  * Direct links to SRPMs can be found in advisories sent to the following mailing lists:
+    * Red Hat Enterprise Linux 2.1, 3 and 4:
-    * [[http://www.redhat.com/archives/rhsa-announce/]] (all products, only as of November 2007)
+      * releases: [[ftp://ftp.redhat.com/pub/redhat/linux/enterprise/]]
-    * [[http://www.redhat.com/archives/enterprise-watch-list/]] (current and past advisories)
+      * updates: [[ftp://ftp.redhat.com/pub/redhat/linux/updates/enterprise/]]
+  * Advisories including full version numbers of fixed packages are mailed to the following mailing list:
+    * [[https://www.redhat.com/archives/rhsa-announce/]]
+  * CVE-to-Errata mapping pages:
+    * [[https://access.redhat.com/security/cve/|https://access.redhat.com/security/cve/<CVE-id>]]
+  * Bugs in Red Hat Bugzilla have CVE id set as an alias so it can be used for direct access:
+    * [[https://bugzilla.redhat.com/buglist.cgi?product=Security+Response|https://bugzilla.redhat.com/show_bug.cgi?id=<CVE-id>]]
   * Workflow:
     * rpm2cpio fn.rpm | cpio --make-directories --extract --preserve-modification-time
@@ Line 103: / Line 155: @@
   * Click "show files"
   * Click on a particular file to view its contents. Note that not all patches contained in the source are necessarily applied. To see which are applied, and under what conditions, look at the relevant addPatch() line in the recipe.
@@ Line 110: / Line 164: @@
     * Package histories can be found via Launchpad: [[https://launchpad.net/distros/ubuntu/+source/PKGNAME]].  Following a specific version link will show URLs for the "orig.tar.gz/diff.gz/dsc" files.
     * Extracted patches of packages: [[http://patches.ubuntu.com]].
+  * Ubuntu Security Team CVE Tracker: [[http://people.canonical.com/~ubuntu-security/cve/|http://people.canonical.com/~ubuntu-security/cve/?cve=<CVE-id>]] (Primary source)
+  * Ubuntu/Launchpad CVE tracker: [[https://bugs.launchpad.net/bugs/cve/|https://bugs.launchpad.net/bugs/cve/<CVE-id>]] (Secondary source, does not contain all information Ubuntu Security Team uses to track issues)
   * Workflow for extraction is the same as "[[#Debian]]" above.
+===== Wind River =====
+  * Access to product updates and fixes from Wind River Support portal. (requires Wind River account with a maintenance contract in place)
+      * [[https://support.windriver.com/olsPortal/faces/basic/portal.jspx]]