List Archive: gentoo-security
Headers:
To: Calum <gentoo-security@...>
From: Mark Guertin <guertin@...>
Subject: Re: Idea for easily checking for security updates.
Date: Mon, 9 Feb 2004 11:06:13 -0500
On 9-Feb-04, at 7:11 AM, Calum wrote:

> What I think would be a good idea is the creation and maintenance of
> say 4 new virtual packages:
> remote-root
> remote-shell
> local-root
> remote-dos
> (Maybe there could be more, but these are the ones that I can think of).

Couple of comments.

This doesn't make sense to me personally, emerge remote-root sounds 
more like something you would do to obtain remote root of a machine 
than to repair a potential one (just terminology stuff there is my 
complaint).  In theory the idea seems valid, in practice I'm not sure 
this would be the best approach.

What I would rather see in portage is a way to rank updates (10 for 
trivial, 5 for major version upgrades with more features, etc, and 1 
for security needs).  Then something like emerge -up -L1 world might 
only show any major security updates you need to do along with the 
required deps (but hopefully not optional ones).  This should be fairly 
achievable with minor changes to the low levels (to add metadata for 
the update's urgency), and maybe 10-15 lines in the portage code base.

Second comment.. the 'virtuals' you compare the 'remote-root' pkg vs. 
system pkg with work radically differently than what might be the 
initial assumption.  In fact world and system are both very different 
than the typical metapkgs (like kde, gnome, etc).  They are both hard 
coded into the setup so to speak.  System being defined in the profile 
(pkgs marked with * in packages file are system files), and world is 
maintained similarly (yet differently) in your portage db directory in 
a flat file (it keeps running tabs on what's installed, etc).

I for one would much rather see a severity level of some sort happen in 
portage, for those of us that are afraid to emerge -u world to fix 
these sorts of vulnerabilities (as you never know what you are getting 
into with that if you run a very locked down server), which would also 
give us a very quick way of assessing what if any updates are needed 
for security reasons without having to do a lot of digging by hand or 
comparing versions vs. all kinds of GLSA announcements, etc.

On that note it would be even better if at the end of emerge sync it 
could give you a message telling you that there are some level 1 
security updates available and how to view the list of them, similarly 
to how it tells you that there are portage updates available.

Mark


--
gentoo-security@g.o mailing list

Replies:
Re: Idea for easily checking for security updates.
-- Ixion
References:
Idea for easily checking for security updates.
-- Calum
Updated Jun 17, 2009

Summary: Archive of the gentoo-security mailing list.

Copyright 2001-2013 Gentoo Foundation, Inc.