On Wed, 17 Dec 2014 12:30:53 -0800
Zac Medico <zmedico@g.o> wrote:

> Hi,
>
> For server deployments, it's common for administrators to want to use
> glsa-check for security vulnerabilities, without necessarily wanting
> to do a full sync [1].
>
> So, I propose that we add an 'emerge --sync-glsa' action and a
> corresponding 'emaint sync-glsa' command that will only sync the
> relevant metadata/glsa subdirectory of the relevant repository(s).
> Please respond if you agree or disagree with this proposal.
>
> [1] https://bugs.gentoo.org/show_bug.cgi?id=89641

I agree in principle, but you didn't say enough about your idea to be
able to say yes/no to it yet.

I've read the bug comments.

So, what you are saying for the above is set a very restrictive rsync
to just sync the glsa directory?

So, with the new plugin-sync system in place, how do you propose we do
this?

1) Make a new emaint sync option which does the restriction and
appropriate sync module calls?
emaint sync --glsa & emerge --sync-glsa

2) emaint sync-glsa sounds like a modified copy of the sync module.
To me this is a poor idea. It would needlessly duplicate code.

But what about the different sync types? How do we handle this in a
git repo instead of an rsync one?

3) If it is a separate repo, then the current emaint sync
module does not need __ANY__ modifications.

emaint sync -r glsa <== would sync the repo named glsa no
matter what type of sync method is used. rsync, git, svn,
cvs,...

Another advantage to a separate repo, for your use case that
they don't want the main repo to be synced, the new sync system
adds an "auto-sync" variable. "emerge --sync" will only sync
repos marked with it set to yes. So, if all they want is the
glsa's synced automatically, set only its auto-sync to yes.
All other repos will have to be synced manually via the "emaint
sync --repo foo" command which does not look at the auto-sync
variable.

Bottom line of this comes down to getting infra to create a standalone
repo for the glsa's. The current rsync tree could merge the gentoo and
glsa repos for backwards compatibility. For your use case, they set the
gentoo repo's rsync restriction to exclude the glsa's. And have the
separate glsa repo downloaded as its own repository. With the gentoo
tree moving to git, then the git tree would not include the glsa's, so
the user would need to install the glsa tree as well.

Only code changes I see to portage, pkgcore (I know nothing about
paludis) are to look for the glsa's in the 2 possible locations. The
standalone glsa repo, failing that, backup to the gentoo tree.
--
Brian Dolbec <dolsen>
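
The separate-repo layout discussed in this message, sketched as an added example (not part of the original email and not portage code): it reads a constructed repos.conf, lists the repos that "emerge --sync" would pick up through auto-sync, and resolves the GLSA directory from the standalone repo first, then from the gentoo tree. The repo name "glsa", the sync URIs, the paths, GLSAs sitting at the top of the standalone repo, and treating a missing auto-sync key as "no" are all assumptions.

```python
import configparser
import os
import tempfile

# Constructed repos.conf for illustration; the "glsa" repo, both sync-uri
# values and the {root} paths are hypothetical.
SAMPLE_REPOS_CONF = """\
[gentoo]
location = {root}/gentoo
sync-type = rsync
sync-uri = rsync://rsync.example.org/gentoo-portage
auto-sync = no

[glsa]
location = {root}/glsa
sync-type = git
sync-uri = https://git.example.org/glsa.git
auto-sync = yes
"""

def load_repos(conf_text):
    """Parse repos.conf text into {repo_name: {option: value}}."""
    parser = configparser.ConfigParser()
    parser.read_string(conf_text)
    return {name: dict(parser[name]) for name in parser.sections()}

def auto_sync_repos(repos):
    """Repos a plain 'emerge --sync' would touch: only auto-sync = yes.
    Assumption: a missing auto-sync key counts as 'no'."""
    return [name for name, opts in repos.items()
            if opts.get("auto-sync", "no").strip().lower() in ("yes", "true")]

def find_glsa_dir(repos):
    """Standalone glsa repo first, then gentoo/metadata/glsa as the fallback."""
    candidates = []
    if "glsa" in repos:
        candidates.append(repos["glsa"]["location"])  # assumed: GLSAs at repo root
    if "gentoo" in repos:
        candidates.append(os.path.join(repos["gentoo"]["location"], "metadata", "glsa"))
    return next((p for p in candidates if os.path.isdir(p)), None)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        repos = load_repos(SAMPLE_REPOS_CONF.format(root=root))
        os.makedirs(os.path.join(root, "gentoo", "metadata", "glsa"))
        print("auto-synced:", auto_sync_repos(repos))
        print("GLSA dir (legacy tree only):", find_glsa_dir(repos))
        os.makedirs(os.path.join(root, "glsa"))
        print("GLSA dir (standalone repo present):", find_glsa_dir(repos))
```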