| 1 |
On Wed, 17 Dec 2014 12:30:53 -0800 |
| 2 |
Zac Medico <zmedico@g.o> wrote: |
| 3 |
|
| 4 |
> Hi, |
| 5 |
> |
| 6 |
> For server deployments, it's common for administrators to want to use |
| 7 |
> glsa-check for security vulnerabilities, without necessarily wanting |
| 8 |
> to to do a full sync [1]. |
| 9 |
> |
| 10 |
> So, I propose that we add an 'emerge --sync-glsa' action and a |
| 11 |
> corresponding 'emaint sync-glsa' command that will only sync the |
| 12 |
> relevant metadata/glsa subdirectory of the relevant repository(s). |
| 13 |
> Please respond if you agree or disagree with this proposal. |
| 14 |
> |
| 15 |
> [1] https://bugs.gentoo.org/show_bug.cgi?id=89641 |
| 16 |
|
| 17 |
I agree in principal, but you didn't say enough about your idea to be |
| 18 |
able to say yes/no to it yet. |
| 19 |
|
| 20 |
I've read the bug comments. |
| 21 |
|
| 22 |
So, what you are saying for the above is set a very restrictive rsync |
| 23 |
to just sync the glsa directory? |
| 24 |
|
| 25 |
So, with the new pluging-sync sytem in place, how do you propose we do |
| 26 |
this? |
| 27 |
|
| 28 |
1) Make a new emaint sync option which does the restriction and |
| 29 |
appropriate sync module calls? |
| 30 |
emaint sync --glsa & emerge --sync-glsa |
| 31 |
|
| 32 |
2) emaint sync-glsa sounds like a modified copy of the sync module. |
| 33 |
To me this is a poor idea. It would needlessly duplicate code. |
| 34 |
|
| 35 |
|
| 36 |
But what about the different sync types. How do we handle this in a |
| 37 |
git repo instead of an rsync one? |
| 38 |
|
| 39 |
3) if it is a separate repo, then the current emaint sync |
| 40 |
module does not need __ANY__ modifications. |
| 41 |
|
| 42 |
emaint sync -r glsa <== would sync the repo named glsa no |
| 43 |
matter what type of sync method is used. rsync, git, svn, |
| 44 |
cvs,... |
| 45 |
|
| 46 |
Another advantage to a separate repo, for your use case that |
| 47 |
they don't want the main repo to be synced, the new sync system |
| 48 |
adds an "auto-sync" variable. "emerge --sync" will only sync |
| 49 |
repos marked with it set to yes. So, if all they want is the |
| 50 |
glsa's synced automatically, set only i'ts auto-sync to yes. |
| 51 |
All other repos will have to be synced manually via the "emaint |
| 52 |
sync --repo foo" command which does not look at the auto-sync |
| 53 |
variable. |
| 54 |
|
| 55 |
|
| 56 |
Bottom line of this comes down to getting infra to create a standalone |
| 57 |
repo for the glsa's. The current rsync tree could merge the gentoo and |
| 58 |
glsa repos for backwards compatibility. For your use case, they set the |
| 59 |
gentoo repo's rsync restriction to exclude the glsa's. And have the |
| 60 |
separate glsa repo downloaded as it's own repository. With the gentoo |
| 61 |
tree moving to git, then the git tree would not include the glsa's, so |
| 62 |
the user would need to install the glsa tree as well. |
| 63 |
|
| 64 |
Only code changes I see to portage, pkgcore (I know nothing about |
| 65 |
paludis) are to look for the glsa's in the 2 possible locations. The |
| 66 |
standalone glsa repo, failing that, backup to the gentoo tree. |
| 67 |
-- |
| 68 |
Brian Dolbec <dolsen> |
Archives