1 |
On Mon, 27 Nov 2006 13:02:17 +0000 |
2 |
"Stuart Herbert" <stuart.herbert@×××××.com> wrote: |
3 |
|
4 |
> On 11/27/06, paul <paul@×××××××××.org> wrote: |
5 |
> > You can't take workload out of the picture since it's the main issue |
6 |
> > here. Stable tree means backport fixes and I don't see this |
7 |
> > happening as it can't be automated: |
8 |
> |
9 |
> "Stable tree means backport fixes" is an assumption, not a |
10 |
> requirement. |
11 |
> |
12 |
> It's one reason why the word "stable" is a poor choice for any such |
13 |
> tree, just as it is a poor choice for the current Portage tree. |
14 |
> |
15 |
> I think the original poster hit the nail on the head. The real |
16 |
> barrier preventing a slower-moving tree is cultural. |
17 |
|
18 |
One method could be to snapshot all package versions at the time that |
19 |
Release Engineering make a release, building a package.mask file out of |
20 |
it masking out all packages of higher revisions (i.e. having '>CPVR' |
21 |
entry for every package in the tree in stable, and 'CPVR' if no |
22 |
versions are stable). |
23 |
|
24 |
Then, rather than back-port security fixes, this list would be updated |
25 |
with security-fixed version numbers, along with minimum required updates |
26 |
to dependent packages. The lists could be stored in the tree; for |
27 |
example as profiles/default-linux/x86/stable.mask. |
28 |
|
29 |
Obviously maintaining that list is some work; predominantly watching |
30 |
the announcements from the security team and fixing up dependencies, |
31 |
and masking out new packages (for what that's worth). It could be |
32 |
regenerated on some or all releases, or perhaps on a yearly basis. It |
33 |
would also mean that versions listed there cannot be removed from the |
34 |
tree (until they're bumped in the list). |
35 |
|
36 |
Some of that maintenance could be tool-assisted; in particular masking |
37 |
new packages and finding the minimum required bumps to support a |
38 |
package that was bumped for a security fix. |
39 |
|
40 |
People who want to use it could then just soft-link |
41 |
from /etc/portage/package.mask to that list. |
42 |
|
43 |
It's just a suggestion - I'm not prepared to do the work ;) However it |
44 |
might be a simple but effective method to help people maintain secure |
45 |
but relatively stable systems, without having to upgrade umpteen |
46 |
packages a week. |
47 |
|
48 |
-- |
49 |
Kevin F. Quinn |