Gentoo Logo
Gentoo Spaceship




Note: Due to technical difficulties, the Archives are currently not up to date. GMANE provides an alternative service for most mailing lists.
c.f. bug 424647
List Archive: gentoo-security
Navigation:
Lists: gentoo-security: < Prev By Thread Next > < Prev By Date Next >
Headers:
To: "gentoo-security@g.o" <gentoo-security@g.o>
From: Aleksey V Lazar <lazar@...>
Subject: Re: Security project meeting summary
Date: Mon, 28 Jul 2008 17:08:27 -0500
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
  <meta content="text/html;charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
Hello, Robert:<br>
<br>
Robert Buchholz wrote:
<blockquote cite="mid:200807221242.43849.rbu@g.o" type="cite">
  <pre wrap="">On Monday 21 July 2008, Aleksey V Lazar wrote:
  </pre>
  <blockquote type="cite">
    <pre wrap="">Hello.  Would it be reasonable to suggest adding a ~security (or
something like it) flag to denote packages masked for security
reasons?
    </pre>
  </blockquote>
  <pre wrap=""><!---->
Hi Aleksey,

since entries package.mask only contain free text description as an 
additional information, such a feature would require the package 
manager to decide which entries are security maskings, and which are 
feature maskings. While that could be done using 
restrictions/conventions within the text, I am sure our package manager 
developers would disagree with such a design. A "package.security.mask" 
file might be more appropriate for that.
  </pre>
</blockquote>
Are you saying that security mask entries would go into the
package.security.mask and feature/other to package.mask?  I think this
would make sense.<br>
<blockquote cite="mid:200807221242.43849.rbu@g.o" type="cite">
  <pre wrap="">
My question now is, why would you want such a thing? Masked packages all 
have different reasons to be there, and you should decide to use one on 
a case-by-case basis.  
  </pre>
</blockquote>
I described in some more detail what I was thinking about in my
previous post to this list. <br>
<br>
To answer your question, I think a feature like this would be very
useful,
because it would remove barriers for identifying packages with security
issues.  For example, I don't update my gentoo system daily, but I
would update it as often as necessary to keep it secure.  Currently (to
the best of
my understanding) there is no easy way (e.g.: an <i>emerge</i> option)
to identify and update only the packages that have security fixes.  I
would have to do some digging to find out what packages and evaluate
each package separately.  So I think there would be value in separating
security masking from other types. To summarize, I think this would
accomplish the following:<br>
<br>
1. Easily identify packages masked for security reasons.<br>
2. Easily identified installed packages that have security issues/fixes
available.<br>
3. Option for <i>emerge</i> to only update packages with security fixes<br>
<br>
Thank you for consideration.<br>
Aleksey<br>
<blockquote cite="mid:200807221242.43849.rbu@g.o" type="cite">
  <pre wrap="">Regards,
Robert

  </pre>
</blockquote>
<br>
<pre class="moz-signature" cols="72">-- 
Aleksey V. Lazar
Website Development
Memorial Library 3010
Minnesota State University
Mankato, MN 56001
<a class="moz-txt-link-freetext" href="http://www.mnsu.edu/">http://www.mnsu.edu/</a>
Tel.: 1-507-389-2480</pre>
</body>
</html>
Replies:
Re: Security project meeting summary
-- Bill
References:
Security project meeting - Monday, 2008-07-14, 19:00 UTC
-- Matthias Geerdsen
Security project meeting summary
-- Matthias Geerdsen
Re: Security project meeting summary
-- Aleksey V Lazar
Re: Security project meeting summary
-- Robert Buchholz
Navigation:
Lists: gentoo-security: < Prev By Thread Next > < Prev By Date Next >
Previous by thread:
Re: Security project meeting summary
Next by thread:
Re: Security project meeting summary
Previous by date:
Re: Security project meeting summary
Next by date:
Re: Security project meeting summary


Updated Jun 17, 2009

Summary: Archive of the gentoo-security mailing list.

Donate to support our development efforts.

Copyright 2001-2013 Gentoo Foundation, Inc. Questions, Comments? Contact us.