1 |
On Thu, Nov 10, 2022 at 10:55:03PM +0200, Mart Raudsepp wrote: |
2 |
> Ühel kenal päeval, N, 10.11.2022 kell 22:07, kirjutas Jaco Kroon: |
3 |
> > > Like glsa-check? |
4 |
> > We currently use that, but it really just says which GLSAs are |
5 |
> > applicable to the system, it doesn't tell me net-misc/asterisk- |
6 |
> > 16.0.1:16 |
7 |
> > - we've got ways of working from the glsa-check output to that. Of |
8 |
> > particular annoyance if a GLSA lists multiple packages, of which you |
9 |
> > have one installed, and one not. Given net-misc/asterisk-16.0.1:16 I |
10 |
> > can |
11 |
> > quite quickly determine that emerge -1av net-misc/asterisk:16 will |
12 |
> > resolve the problem with the lowest possible risk of breakage to |
13 |
> > other |
14 |
> > components on the system, and without having to perform a full |
15 |
> > update. |
16 |
> |
17 |
> emerge -vpO @security |
18 |
> |
19 |
> but to get something like it to only showing which installed asterisk |
20 |
> SLOT is vulnerable would be some extra coding with portage API I think. |
21 |
|
22 |
Yeah, to implement this, working on glsa-check is already necessary. I'm |
23 |
willing to look into ensuring the @security set works properly as well. |