| 1 |
Hi all, |
| 2 |
|
| 3 |
At bugs.gentoo.org I attached an tarball with my version of an ebuild, which |
| 4 |
automatically will install *only* those security updates, which are relevant |
| 5 |
to your system (see <http://bugs.gentoo.org/show_bug.cgi?id=5835>). |
| 6 |
|
| 7 |
The trick is the following code in the ebuild: |
| 8 |
DEPEND=" |
| 9 |
$(has_version 'nfs-utils' && echo '>=nfs-utils-1.0.4') |
| 10 |
$(has_version 'gnupg' && echo '>=gnupg-1.2.2-r1') |
| 11 |
" |
| 12 |
this will create dependencies on the fly: Only if you have nfs-utils |
| 13 |
installed, the new version with the bugfix will appear as a dependency. Same |
| 14 |
with gnupg. |
| 15 |
There is no need for new 'emerge' options or KEYWORDS. |
| 16 |
|
| 17 |
For his own system, the admin has to type in only: |
| 18 |
emerge rsync |
| 19 |
emerge security |
| 20 |
|
| 21 |
or, if he is interested in this stuff: |
| 22 |
emerge rsync |
| 23 |
emerge -p security |
| 24 |
and followed by 'emerge security', if necessary. |
| 25 |
|
| 26 |
The only drawback at the moment is, that there is no automated way to generate |
| 27 |
the value of the DEPEND variable by the GLSAs. Maybe here can Marius' XML |
| 28 |
format help. With GLSAs in such a format, a simple script can generate the |
| 29 |
security-ebuilds, the postings at forums.gentoo.org and the mails in |
| 30 |
gentoo-announce! I would love to hear from some core developers and others |
| 31 |
what you think (is it critical to use an ebuild, which does not compile and |
| 32 |
install its own sourcecode, because it has none?). |
| 33 |
|
| 34 |
I know, that this can (and must) be improved in the future (more information, |
| 35 |
references to advisories, signing the ebuild, a.s.o.), but at the moment, |
| 36 |
this way seems to me to be an easy one, isn't it? |
| 37 |
|
| 38 |
Comments? |
| 39 |
|
| 40 |
Karsten |
| 41 |
|
| 42 |
|
| 43 |
-- |
| 44 |
gentoo-dev@g.o mailing list |
Archives