On Sat, 7 Sep 2002 04:57, Tom Prado wrote:
> On Fri, 6 Sep 2002, Chris Sykes wrote:
> > On Wed, Sep 04, 2002 at 11:05:40PM +0300, Moilanen Mikko Antero wrote:
> > > Hi
> > >
> > > Would it be a good idea to make an additional command "emerge security" to
> > > check and upgrade any security things like now "emerge system" upgrades
> > > some standard system things?
> > >
> > > This would definitely be good for people who maintain servers or for
> > > people who maintain workstations or this would just be *good* for
> > > people.
> >
> > I agree that this would be useful functionality. I think that the best
> > way to implement something like this is _not_ to label security fix
> > ebuilds as such, but to flag the ebuilds that are vulnerable.
> >
> > e.g. (off the top of my head)
> >
> > For each package create a file that lists the ebuild versions that were
> > found to have security issues e.g.
> > /usr/portage/category/package/security
> >
> > Using a method like this an 'emerge security' could check all installed
> > packages against the versions in the security files and update them if
> > needed.
> >
> > All this would mean more work for the poor souls maintaining the portage
> > tree though.
> >
> > --
> > Chris Sykes
>
> Either this or have a /usr/portage/profiles/package.security file that has
> a list of minimum package versions to use. This file can be modified when
> there is a security announcement. I.e. for the latest gaim security
> announcement, a line can be added to it as such:
> >=net-im/gaim-0.59.1
>
> emerge security would check this file against all installed packages to
> see if any need updating. It'd be up to whomever provides the new ebuild
> to update the security file as well.
>

Ok, I finally see where people are going with this. I do not see why a
separate "security" package is necessary. Having a "release + major fixes +
security" set of packages should be built into emerge.

There has been talk about "KEYWORDS". Couldn't packages on the day of the 1.4
release be tagged "release" and updates to the "release" set be tagged to
"updates" or "security". This information could be part of a
/usr/portage/profiles/package.updates1.4 that could be brought down as part
of an emerge update or something.

People that want the latest and greatest could change a configuration line in
rc.conf to allow it to happen (by default, emerge will track
release+security).

Or ask mention it in the install docs (Workstations will want to enable
"latest" packages).

Just for thought.

Evan.
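The check Tom sketches above (a package.security file of ">=category/package-version" minimums compared against what is installed) as an added example; this is not code from the thread or from Portage. The file contents, the installed-package list and the version comparator are constructed here; the comparator follows Portage's ordering for dotted numerics, _alpha/_beta/_pre/_rc/_p suffixes and -rN revisions but is simplified relative to the full rules.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of the proposed /usr/portage/profiles/package.security file.
PACKAGE_SECURITY = """\
# minimum versions free of known security issues (one >= atom per line)
>=net-im/gaim-0.59.1
>=net-www/apache-1.3.26-r1
"""

# Constructed list of installed packages, in the category/package-version form
# used for directory names under /var/db/pkg.
INSTALLED = ["net-im/gaim-0.59", "net-www/apache-1.3.26-r1", "app-editors/vim-6.1"]

# Ordering of version suffixes; "" is a plain release, which sits between _rc and _p.
SUFFIX_RANK = {"alpha": 0, "beta": 1, "pre": 2, "rc": 3, "": 4, "p": 5}


def version_key(ver: str) -> tuple:
    """Map a version like '1.3.26_rc2-r1' to a tuple that sorts in Portage order."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)([a-z]?)((?:_(?:alpha|beta|pre|rc|p)\d*)*)(?:-r(\d+))?", ver)
    if not m:
        raise ValueError(f"unparseable version: {ver}")
    nums, letter, suffixes, rev = m.groups()
    numeric = tuple(int(n) for n in nums.split("."))
    suf = tuple((SUFFIX_RANK[name], int(num or 0)) for name, num in re.findall(r"_([a-z]+)(\d*)", suffixes))
    return (numeric, letter, suf or ((SUFFIX_RANK[""], 0),), int(rev or 0))


def parse_atom(atom: str) -> Tuple[str, str]:
    """Split 'category/package-version' into ('category/package', 'version').
    The version is the part after the last hyphen that is followed by a digit."""
    m = re.fullmatch(r"([^/\s]+/.+?)-(\d[^-\s]*(?:-r\d+)?)", atom.strip())
    if not m:
        raise ValueError(f"unparseable atom: {atom}")
    return m.group(1), m.group(2)


def load_minimums(text: str) -> Dict[str, str]:
    """Read package.security: comments and blank lines are skipped, only >= atoms are accepted."""
    minimums: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        if not line.startswith(">="):
            raise ValueError(f"only >= atoms are supported: {line}")
        pkg, ver = parse_atom(line[2:])
        minimums[pkg] = ver
    return minimums


def vulnerable_installed(installed: List[str], minimums: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (package, installed_version, required_minimum) for every installed
    package whose version is older than the minimum listed in package.security."""
    hits = []
    for entry in installed:
        pkg, ver = parse_atom(entry)
        need = minimums.get(pkg)
        if need is not None and version_key(ver) < version_key(need):
            hits.append((pkg, ver, need))
    return hits


if __name__ == "__main__":
    for pkg, have, need in vulnerable_installed(INSTALLED, load_minimums(PACKAGE_SECURITY)):
        print(f"{pkg}: installed {have}, package.security requires >= {need}")
```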