| 1 |
On Sat, 7 Sep 2002 04:57, Tom Prado wrote: |
| 2 |
> On Fri, 6 Sep 2002, Chris Sykes wrote: |
| 3 |
> > On Wed, Sep 04, 2002 at 11:05:40PM +0300, Moilanen Mikko Antero wrote: |
| 4 |
> > > Hi |
| 5 |
> > > |
| 6 |
> > > Would it be good idea to make additional cammand "emerge security" to |
| 7 |
> > > check and upgrade any security things like now "emerge system" upgrades |
| 8 |
> > > some standard system things? |
| 9 |
> > > |
| 10 |
> > > This would definetly be good for people who maintain servers or for |
| 11 |
> > > people who maintain workstations or this would just be *good* for |
| 12 |
> > > people. |
| 13 |
> > |
| 14 |
> > I agree that this would be useful functionality. I think that the best |
| 15 |
> > way to implement something like this is _not_ to label security fix |
| 16 |
> > ebuilds as such, but to flag the ebuilds that are vunerable. |
| 17 |
> > |
| 18 |
> > e.g. (off the top of my head) |
| 19 |
> > |
| 20 |
> > For each package create a file that lists the ebuild versions that were |
| 21 |
> > found to have security issues e.g. |
| 22 |
> > /usr/portage/catagory/package/security |
| 23 |
> > |
| 24 |
> > Using a method like this an 'emerge security' could check all installed |
| 25 |
> > packages against the versions in the security files and update them if |
| 26 |
> > needed. |
| 27 |
> > |
| 28 |
> > All this would mean more work for the poor souls maintaining the portage |
| 29 |
> > tree though. |
| 30 |
> > |
| 31 |
> > -- |
| 32 |
> > Chris Sykes |
| 33 |
> |
| 34 |
> Either this or have a /usr/portage/profiles/package.security file that has |
| 35 |
> a list of minimum package versions to use. This file can be modified when |
| 36 |
> there is a security announcement. I.e. for the latest gaim security |
| 37 |
> |
| 38 |
> announcement, a line can be added to it as such: |
| 39 |
> >=net-im/gaim-0.59.1 |
| 40 |
> |
| 41 |
> emerge security would check this file against all installed packages to |
| 42 |
> see if any need updating. It'd be up to whomever provides to new ebuild |
| 43 |
> to update the security file as well. |
| 44 |
> |
| 45 |
|
| 46 |
Ok, I finally see where people are going with this. I do not see why a |
| 47 |
separate "security" package is neccessary. Having a "release + major fixes + |
| 48 |
security" set of packages should be built into emerge. |
| 49 |
|
| 50 |
There has been talk about "KEYWORDS". Couldn't packages on the day of the 1.4 |
| 51 |
release be tagged "release" and updates to the "release" set be tagged to |
| 52 |
"updates" or "security". This information could be part of a |
| 53 |
/usr/portage/profiles/package.updates1.4 that could be brought down as part |
| 54 |
of an emerge update or something. |
| 55 |
|
| 56 |
People that want the latest and greatest could change a configuration line in |
| 57 |
rc.conf to allow it to happen (by default, emerge will track |
| 58 |
release+security). |
| 59 |
|
| 60 |
Or ask mention it in the install docs (Workstations will want to enable |
| 61 |
"latest" packages). |
| 62 |
|
| 63 |
Just for thought. |
| 64 |
|
| 65 |
Evan. |
Archives