| 1 |
On Mon, 27 Nov 2006 13:02:17 +0000 |
| 2 |
"Stuart Herbert" <stuart.herbert@×××××.com> wrote: |
| 3 |
|
| 4 |
> On 11/27/06, paul <paul@×××××××××.org> wrote: |
| 5 |
> > You can't take workload out of the picture since it's the main issue |
| 6 |
> > here. Stable tree means backport fixes and I don't see this |
| 7 |
> > happening as it can't be automated: |
| 8 |
> |
| 9 |
> "Stable tree means backport fixes" is an assumption, not a |
| 10 |
> requirement. |
| 11 |
> |
| 12 |
> It's one reason why the word "stable" is a poor choice for any such |
| 13 |
> tree, just as it is a poor choice for the current Portage tree. |
| 14 |
> |
| 15 |
> I think the original poster hit the nail on the head. The real |
| 16 |
> barrier preventing a slower-moving tree is cultural. |
| 17 |
|
| 18 |
One method could be to snapshot all package versions at the time that |
| 19 |
Release Engineering make a release, building a package.mask file out of |
| 20 |
it masking out all packages of higher revisions (i.e. having '>CPVR' |
| 21 |
entry for every package in the tree in stable, and 'CPVR' if no |
| 22 |
versions are stable). |
| 23 |
|
| 24 |
Then, rather than back-port security fixes, this list would be updated |
| 25 |
with security-fixed version numbers, along with minimum required updates |
| 26 |
to dependent packages. The lists could be stored in the tree; for |
| 27 |
example as profiles/default-linux/x86/stable.mask. |
| 28 |
|
| 29 |
Obviously maintaining that list is some work; predominantly watching |
| 30 |
the announcements from the security team and fixing up dependencies, |
| 31 |
and masking out new packages (for what that's worth). It could be |
| 32 |
regenerated on some or all releases, or perhaps on a yearly basis. It |
| 33 |
would also mean that versions listed there cannot be removed from the |
| 34 |
tree (until they're bumped in the list). |
| 35 |
|
| 36 |
Some of that maintenance could be tool-assisted; in particular masking |
| 37 |
new packages and finding the minimum required bumps to support a |
| 38 |
package that was bumped for a security fix. |
| 39 |
|
| 40 |
People who want to use it could then just soft-link |
| 41 |
from /etc/portage/package.mask to that list. |
| 42 |
|
| 43 |
It's just a suggestion - I'm not prepared to do the work ;) However it |
| 44 |
might be a simple but effective method to help people maintain secure |
| 45 |
but relatively stable systems, without having to upgrade umpteen |
| 46 |
packages a week. |
| 47 |
|
| 48 |
-- |
| 49 |
Kevin F. Quinn |
Archives