1 |
they could pull the more current ebuilds and put them in an overlay. |
2 |
also correct me if I'm wrong isn't it possible only to sync certain |
3 |
parts of the tree using excludes. maybe some additional functionality |
4 |
saying only sync package X for updates. |
5 |
|
6 |
On 11/28/06, James Potts <arek75@×××××.com> wrote: |
7 |
> On 11/28/06, Chris Gianelloni <wolf31o2@g.o> wrote: |
8 |
> > On Mon, 2006-11-27 at 16:18 +0100, Kevin F. Quinn wrote: |
9 |
> > > One method could be to snapshot all package versions at the time that |
10 |
> > > Release Engineering make a release, building a package.mask file out of |
11 |
> > > it masking out all packages of higher revisions (i.e. having '>CPVR' |
12 |
> > > entry for every package in the tree in stable, and 'CPVR' if no |
13 |
> > > versions are stable). |
14 |
> > |
15 |
> > It would be infinitely easier to create a tree just for this. |
16 |
> > |
17 |
> > > Then, rather than back-port security fixes, this list would be updated |
18 |
> > > with security-fixed version numbers, along with minimum required updates |
19 |
> > > to dependent packages. The lists could be stored in the tree; for |
20 |
> > > example as profiles/default-linux/x86/stable.mask. |
21 |
> > |
22 |
> > This is essentially the idea that my release tree uses, except the tree |
23 |
> > itself is completely stripped down to stable packages. I have a script |
24 |
> > which already does several things: |
25 |
> > |
26 |
> > #1. grabs "best_visible" for stable on each arch |
27 |
> > #2. repeat for each SLOT |
28 |
> > #3. purge unnecessary files from FILESDIR |
29 |
> > #4. strip to only "stable" profiles from profiles.desc |
30 |
> > #5. purge unnecessary USE from use.local.desc and use.desc |
31 |
> > #6. strip unused eclasses |
32 |
> > #7. regenerate Manifest (via ebuild $foo digest) |
33 |
> > |
34 |
> > I had also planned on it doing the following, but they haven't been |
35 |
> > implemented just yet: |
36 |
> > |
37 |
> > - strip all USE flags that aren't used from use.mask (per-profile) |
38 |
> > - strip all packages that aren't available from package.mask |
39 |
> > (per-profile) |
40 |
> > |
41 |
> > What this gives us is a *much* smaller tree, as it only includes stable |
42 |
> > packages/versions. |
43 |
> > |
44 |
> > > Obviously maintaining that list is some work; predominantly watching |
45 |
> > > the announcements from the security team and fixing up dependencies, |
46 |
> > > and masking out new packages (for what that's worth). It could be |
47 |
> > > regenerated on some or all releases, or perhaps on a yearly basis. It |
48 |
> > > would also mean that versions listed there cannot be removed from the |
49 |
> > > tree (until they're bumped in the list). |
50 |
> > |
51 |
> > Well, the simpler approach was to simply copy over the newer, secure |
52 |
> > ebuilds, and any required dependencies, into the release tree. There'd |
53 |
> > be no need to update mask files and such this way. It would also be |
54 |
> > generated with the releases, automatically. |
55 |
> > |
56 |
> > > Some of that maintenance could be tool-assisted; in particular masking |
57 |
> > > new packages and finding the minimum required bumps to support a |
58 |
> > > package that was bumped for a security fix. |
59 |
> > > |
60 |
> > > People who want to use it could then just soft-link |
61 |
> > > from /etc/portage/package.mask to that list. |
62 |
> > > |
63 |
> > > It's just a suggestion - I'm not prepared to do the work ;) However it |
64 |
> > > might be a simple but effective method to help people maintain secure |
65 |
> > > but relatively stable systems, without having to upgrade umpteen |
66 |
> > > packages a week. |
67 |
> > |
68 |
> > Well, I am willing, and have been doing, some of the work. The one |
69 |
> > disadvantage to my design is it needs infra. It needs it's own |
70 |
> > repository and rsync. |
71 |
> > |
72 |
> > Basically, it makes the system act a bit more like some other |
73 |
> > development models. We end up with the following: |
74 |
> > |
75 |
> > rsync://rsync.gentoo.org/gentoo-portage (this is equivalent to -current) |
76 |
> > rsync://rsync.gentoo.org/2007.0-release (this is the release tree) |
77 |
> > |
78 |
> > Now, the release trees are non-moving. The 2007.0-release tree is |
79 |
> > *always* the 2007.0-release tree for as long as we decide to support it. |
80 |
> > Likely, this support period would begin as a single release and get |
81 |
> > extended as volunteers came around to support it. New releases get |
82 |
> > their own tree. |
83 |
> > |
84 |
> > I also started writing a tool to "upgrade" the distribution. The tool |
85 |
> > reads pre and post scripts for the upgrade, and performs the necessary |
86 |
> > steps. Basically, a user can "dist-upgrade 2007.1" and the system |
87 |
> > would: |
88 |
> > |
89 |
> > - switch to the "2007.1" tree and "emerge --sync" |
90 |
> > - perform all "pre" steps from 2007.1 |
91 |
> > - update world + revdep-rebuild + whatever else is necessary |
92 |
> > - perform all "post" steps |
93 |
> > |
94 |
> > With this, there would be a special "version" called "current" which |
95 |
> > would put the user on the "gentoo-portage" tree, AKA the tree we all |
96 |
> > know and love/loathe. Release trees wouldn't have "arch" and "~arch" as |
97 |
> > everything would be stable there. Testing would be done in the main |
98 |
> > tree. This, in essence, gives us "testing", "release candidate" and |
99 |
> > "stable" environments, with the release trees being stable, and the |
100 |
> > current tree becoming test/release candidate. Anything marked stable in |
101 |
> > the current tree would be a candidate for stable in the next release |
102 |
> > tree. |
103 |
> > |
104 |
> > Users who want to use the current portage tree get what they want. |
105 |
> > Users who want a more stable tree get what they want. Basically, |
106 |
> > everyone (hopefully) is happy, or at least as happy as we can feasibly |
107 |
> > make them. |
108 |
> > |
109 |
> |
110 |
> This looks good on the surface, Chris, but what happens in the case |
111 |
> where somebody wants to use the Release tree, but also wants (or |
112 |
> needs) one or more packages from the Live tree, and doesn't want to |
113 |
> switch completely over to the live tree? If I understand what you |
114 |
> want to do correctly, the Release tree would include only stable |
115 |
> packages. Other packages wouldn't just be masked, they would be |
116 |
> completely unavailable to anybody using that tree. |
117 |
> |
118 |
> I like the idea of having a stable p.mask much better, which says |
119 |
> "profile" to me. Any thoughts on a special profile just for releases? |
120 |
> |
121 |
> --Arek (James Potts) |
122 |
> arek75@×××××.com |
123 |
> -- |
124 |
> gentoo-dev@g.o mailing list |
125 |
> |
126 |
> |
127 |
-- |
128 |
gentoo-dev@g.o mailing list |