1 |
Is the end result supposed to be that someone could have a box get |
2 |
updates in response to GLSAs withouting doing an emerge rsync and a |
3 |
world update? |
4 |
|
5 |
Seems like right now, when a GLSA is issued, they say "update to this |
6 |
version" to fix yourself. Which involves an rsync. So the ebuild to |
7 |
fix the security hole isn't explicitly for security, its just another |
8 |
ebuild as far as Portage knows. |
9 |
|
10 |
And so if the idea is that someone running a server is wanting to |
11 |
abstain from CONSTANTLY updating everything for nothing, but DOES want |
12 |
to snag the security updates, this method is a little sloppy, since he'd |
13 |
have to rsync and eventually if he abstained too long, the new ebuilds |
14 |
to fix security flaws might not work due to deps on other things. |
15 |
|
16 |
Debian, for example, backports the security fixes for Woody - your |
17 |
software doesn't really change after you patch. |
18 |
|
19 |
Myself, I grabbed the 1.4.1 Portage snapshot and I plan to manually add |
20 |
the GLSAs to that and have my stable boxes rsync from that. So really |
21 |
the only changes they'd get would be GLSAs, sort of like woody. |
22 |
|
23 |
Maybe for people who don't want to lock themselves to a portage |
24 |
snapshot, there could be something like --glsa to be used in conjunction |
25 |
with `emerge rsync` to tell it *just* to pull down the glsa-related |
26 |
ebuilds. |
27 |
|
28 |
I guess my wandering point is that emerging rsync and then updating |
29 |
worlds catches GLSA now, but obviously that involves alot of |
30 |
time-wasting for a server box. So a glsa-specific technique would mean |
31 |
omitting a full rsync and/or world update. But then you'll have to deal |
32 |
with the fact that the people just wanting to put glsa updates on |
33 |
machines will all have machines with wildly varying versions of software |
34 |
and portage trees. So how would that be resolved? |
35 |
|
36 |
-- |
37 |
gentoo-dev@g.o mailing list |