1 |
Hi all, |
2 |
|
3 |
At bugs.gentoo.org I attached an tarball with my version of an ebuild, which |
4 |
automatically will install *only* those security updates, which are relevant |
5 |
to your system (see <http://bugs.gentoo.org/show_bug.cgi?id=5835>). |
6 |
|
7 |
The trick is the following code in the ebuild: |
8 |
DEPEND=" |
9 |
$(has_version 'nfs-utils' && echo '>=nfs-utils-1.0.4') |
10 |
$(has_version 'gnupg' && echo '>=gnupg-1.2.2-r1') |
11 |
" |
12 |
this will create dependencies on the fly: Only if you have nfs-utils |
13 |
installed, the new version with the bugfix will appear as a dependency. Same |
14 |
with gnupg. |
15 |
There is no need for new 'emerge' options or KEYWORDS. |
16 |
|
17 |
For his own system, the admin has to type in only: |
18 |
emerge rsync |
19 |
emerge security |
20 |
|
21 |
or, if he is interested in this stuff: |
22 |
emerge rsync |
23 |
emerge -p security |
24 |
and followed by 'emerge security', if necessary. |
25 |
|
26 |
The only drawback at the moment is, that there is no automated way to generate |
27 |
the value of the DEPEND variable by the GLSAs. Maybe here can Marius' XML |
28 |
format help. With GLSAs in such a format, a simple script can generate the |
29 |
security-ebuilds, the postings at forums.gentoo.org and the mails in |
30 |
gentoo-announce! I would love to hear from some core developers and others |
31 |
what you think (is it critical to use an ebuild, which does not compile and |
32 |
install its own sourcecode, because it has none?). |
33 |
|
34 |
I know, that this can (and must) be improved in the future (more information, |
35 |
references to advisories, signing the ebuild, a.s.o.), but at the moment, |
36 |
this way seems to me to be an easy one, isn't it? |
37 |
|
38 |
Comments? |
39 |
|
40 |
Karsten |
41 |
|
42 |
|
43 |
-- |
44 |
gentoo-dev@g.o mailing list |