| 1 |
On Thu, Nov 10, 2022 at 10:55:03PM +0200, Mart Raudsepp wrote: |
| 2 |
> Ühel kenal päeval, N, 10.11.2022 kell 22:07, kirjutas Jaco Kroon: |
| 3 |
> > > Like glsa-check? |
| 4 |
> > We currently use that, but it really just says which GLSAs are |
| 5 |
> > applicable to the system, it doesn't tell me net-misc/asterisk- |
| 6 |
> > 16.0.1:16 |
| 7 |
> > - we've got ways of working from the glsa-check output to that. Of |
| 8 |
> > particular annoyance if a GLSA lists multiple packages, of which you |
| 9 |
> > have one installed, and one not. Given net-misc/asterisk-16.0.1:16 I |
| 10 |
> > can |
| 11 |
> > quite quickly determine that emerge -1av net-misc/asterisk:16 will |
| 12 |
> > resolve the problem with the lowest possible risk of breakage to |
| 13 |
> > other |
| 14 |
> > components on the system, and without having to perform a full |
| 15 |
> > update. |
| 16 |
> |
| 17 |
> emerge -vpO @security |
| 18 |
> |
| 19 |
> but to get something like it to only showing which installed asterisk |
| 20 |
> SLOT is vulnerable would be some extra coding with portage API I think. |
| 21 |
|
| 22 |
Yeah, to implement this, working on glsa-check is already necessary. I'm |
| 23 |
willing to look into ensuring the @security set works properly as well. |
Archives