Gentoo Archives: gentoo-dev

From: Matt Thrailkill <xwred1@×××××××××.net>
To: gentoo-dev@g.o
Subject: Re: [gentoo-dev] GLEP 14 follow-up / security project
Date: Wed, 24 Sep 2003 00:09:46
In Reply to: [gentoo-dev] GLEP 14 follow-up / security project by Marius Mauch
1 Is the end result supposed to be that someone could have a box get
2 updates in response to GLSAs withouting doing an emerge rsync and a
3 world update?
5 Seems like right now, when a GLSA is issued, they say "update to this
6 version" to fix yourself. Which involves an rsync. So the ebuild to
7 fix the security hole isn't explicitly for security, its just another
8 ebuild as far as Portage knows.
10 And so if the idea is that someone running a server is wanting to
11 abstain from CONSTANTLY updating everything for nothing, but DOES want
12 to snag the security updates, this method is a little sloppy, since he'd
13 have to rsync and eventually if he abstained too long, the new ebuilds
14 to fix security flaws might not work due to deps on other things.
16 Debian, for example, backports the security fixes for Woody - your
17 software doesn't really change after you patch.
19 Myself, I grabbed the 1.4.1 Portage snapshot and I plan to manually add
20 the GLSAs to that and have my stable boxes rsync from that. So really
21 the only changes they'd get would be GLSAs, sort of like woody.
23 Maybe for people who don't want to lock themselves to a portage
24 snapshot, there could be something like --glsa to be used in conjunction
25 with `emerge rsync` to tell it *just* to pull down the glsa-related
26 ebuilds.
28 I guess my wandering point is that emerging rsync and then updating
29 worlds catches GLSA now, but obviously that involves alot of
30 time-wasting for a server box. So a glsa-specific technique would mean
31 omitting a full rsync and/or world update. But then you'll have to deal
32 with the fact that the people just wanting to put glsa updates on
33 machines will all have machines with wildly varying versions of software
34 and portage trees. So how would that be resolved?
36 --
37 gentoo-dev@g.o mailing list


Subject Author
Re: [gentoo-dev] GLEP 14 follow-up / security project Marius Mauch <genone@g.o>