Gentoo Archives: gentoo-dev

From: Paul de Vrieze <pauldv@g.o>
To: gentoo-dev@g.o
Subject: Re: [gentoo-dev] RFC: security updates only? (security-1.0.ebuild)
Date: Sat, 16 Aug 2003 10:20:34
Message-Id: 200308161220.31367.pauldv@gentoo.org
In Reply to: [gentoo-dev] RFC: security updates only? (security-1.0.ebuild) by Karsten Schulz
On Saturday 16 August 2003 11:46, Karsten Schulz wrote:
> Hi all,
>
> At bugs.gentoo.org I attached a tarball with my version of an ebuild,
> which automatically will install *only* those security updates which are
> relevant to your system (see
> <http://bugs.gentoo.org/show_bug.cgi?id=5835>).
>
> The trick is the following code in the ebuild:
> DEPEND="
> $(has_version 'nfs-utils' && echo '>=nfs-utils-1.0.4')
> $(has_version 'gnupg' && echo '>=gnupg-1.2.2-r1')
> "
> This will create dependencies on the fly: only if you have nfs-utils
> installed, the new version with the bugfix will appear as a dependency.
> Same with gnupg.
> There is no need for new 'emerge' options or KEYWORDS.
>
> For his own system, the admin has to type in only:
> emerge rsync
> emerge security
>
> or, if he is interested in this stuff:
> emerge rsync
> emerge -p security
> followed by 'emerge security', if necessary.
>
> The only drawback at the moment is that there is no automated way to
> generate the value of the DEPEND variable from the GLSAs. Maybe here
> Marius' XML format can help. With GLSAs in such a format, a simple script can
> generate the security ebuilds, the postings at forums.gentoo.org and the
> mails in gentoo-announce! I would love to hear from some core developers
> and others what you think (is it critical to use an ebuild which does not
> compile and install its own source code, because it has none?).
>
> I know that this can (and must) be improved in the future (more
> information, references to advisories, signing the ebuild, a.s.o.), but at
> the moment this way seems to me to be an easy one, isn't it?
>
> Comments?

Unfortunately dynamic dependencies in this style are not possible. I also
believe that a more fundamental solution should be implemented. Probably in
emerge itself. It should not really be hard. It should basically do what you
propose from a dynamically generated list of insecure ebuilds.

Paul

--
Paul de Vrieze
Gentoo Developer
Mail: pauldv@g.o
Homepage: http://www.devrieze.net
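The idea both messages circle around, a list of security fixes filtered down to what is actually installed, as an added example (not code from the thread or from Portage). It assumes constructed advisory and installed-package data, category-qualified names (net-fs/nfs-utils, app-crypt/gnupg), and a simplified Gentoo version scheme (dotted numbers, optional letter, -rN revision, no _alpha/_beta style suffixes):

```python
"""Work out which installed packages a set of advisories applies to.

Added example, not from the thread.  Data is constructed inline and the
version parser is a simplified model of Portage's rules (assumption).
"""
import re

VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)([a-z]?)(?:-r(\d+))?$")

def parse_version(v):
    """Turn '1.2.2-r1' into ((1, 2, 2), '', 1) so tuples compare in order."""
    m = VERSION_RE.match(v)
    if not m:
        raise ValueError(f"unsupported version syntax: {v!r}")
    nums, letter, rev = m.groups()
    return (tuple(int(x) for x in nums.split(".")), letter, int(rev or 0))

# Constructed: lowest fixed version per package, as a GLSA would state it
# (the two atoms from the quoted DEPEND, with categories added).
ADVISORIES = {
    "net-fs/nfs-utils": "1.0.4",
    "app-crypt/gnupg": "1.2.2-r1",
}

# Constructed snapshot of one system (what has_version would see).
INSTALLED = {
    "net-fs/nfs-utils": "1.0.3",
    "app-crypt/gnupg": "1.2.2-r1",
    "sys-apps/portage": "2.0.49",
}

def relevant_atoms(installed, advisories):
    """What the post's DEPEND trick yields: one >= atom per advisory whose
    package is installed at all, whatever its current version."""
    return sorted(f">={pkg}-{fixed}" for pkg, fixed in advisories.items()
                  if pkg in installed)

def insecure_packages(installed, advisories):
    """What emerge would actually rebuild: installed version below the fix.
    Returns {package: (installed_version, fixed_version)}."""
    return {pkg: (ver, advisories[pkg]) for pkg, ver in installed.items()
            if pkg in advisories
            and parse_version(ver) < parse_version(advisories[pkg])}

if __name__ == "__main__":
    print("DEPEND atoms:", relevant_atoms(INSTALLED, ADVISORIES))
    print("needs update:", insecure_packages(INSTALLED, ADVISORIES))
```

Note the gap between the two functions: the DEPEND trick emits an atom for gnupg even though the installed revision already carries the fix, and it is emerge's version comparison that decides nothing needs rebuilding.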