Gentoo Archives: gentoo-security

From: Cameron Blackwood <korg@×××××××××.org>
To: gentoo-security@l.g.o
Subject: Re: [gentoo-security] Kernels and GLSAs
Date: Thu, 22 Sep 2005 03:51:32
Message-Id: 20050922034622.B2A15540DC@firewall.darkqueen.org

Jason Stubbs writes:
|
| Unfortunately, that is *too* correct. Unfortunate in that both
| --depclean and --update only consider USE flags defined in make.conf and
| package.use (and embedded in .tbz2s when using binaries). This means
| that if package "foo" depends on package "bar" due to USE flag "baz"
| being enabled at install time and "baz" is subsequently disabled, "bar"
| becomes an orphaned package as far as the graph goes - even though it is
| still required.
|
| What does this mean in terms of security? The "only install what you
| need" rule is twice as important. Until portage is a little smarter, I
| would consider a "healthy" system to be one where `emerge -uDNvp world`
| shows no differing USE flags and both `emerge -p --depclean` and
| `revdep-rebuild -p` show no packages.
|

eeek! depclean wants to remove portmap and screen and all this other
stuff I need. Ah, because it isn't in /var/lib/portage/world I
guess... it seems I've overestimated emerge's work.

Ok, so just to get this _totally_ clear, I should:

* manually place package names I need in /var/lib/portage/world

* check my install with
    emerge sync
    emerge -uDNpv world
    revdep-rebuild -p
    glsa-check -l |& grep '\[N\]'

* update any packages listed by those last 3 commands

Maybe I'm just too lazy, but there must be a set of 'best' commands
to update/check a system documented/written down somewhere? Hopefully
in a possibly automated way. If there isn't, then let's try and cobble
one together. :)

Ah, the simple days when I'd get a list of packages I wanted to keep,
remove them from an rpm -qa and then keep trying to remove every
package left until there was no change (and depend on dependency
trees to keep stuff that I need). :)

cheers,
cam
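
The checks listed in the message above, gathered into one read-only script. This is an added example, not code from the thread or from the Gentoo project. The function names are hypothetical, and it assumes the tree is already synced, that `emerge -p` prints one "[ebuild ...]" line per pending package, and that `glsa-check -l` marks unapplied advisories with "[N]".

```shell
#!/bin/sh
# Added example, not from the thread: read-only health check built from the
# commands in the message. Assumes the tree was already synced, that
# `emerge -p` prints one "[ebuild ...]" line per pending package, and that
# `glsa-check -l` marks unapplied advisories with "[N]".

# Count pending merges in `emerge -p` output read from stdin.
count_pending() {
    grep -c '^\[ebuild' || true   # grep -c exits 1 on zero matches
}

# Count unapplied GLSAs in `glsa-check -l` output read from stdin.
count_unapplied_glsas() {
    grep -c '\[N\]' || true
}

# Constructed sample of `emerge -uDNpv world` output, for offline use.
sample_emerge_output() {
    cat <<'EOF'
These are the packages that I would merge, in order:

[ebuild     U ] app-misc/example-1.1 [1.0] -debug
[ebuild   R   ] net-misc/sample-2.0 +ssl
EOF
}

# Run every check in pretend mode; return 0 only if nothing is outstanding.
health_check() {
    updates=$(emerge -uDNpv world 2>&1 | count_pending)
    glsas=$(glsa-check -l 2>&1 | count_unapplied_glsas)
    echo "pending updates or USE changes: $updates"
    echo "unapplied GLSAs: $glsas"
    echo "--- revdep-rebuild -p (review by hand) ---"
    revdep-rebuild -p
    echo "--- emerge -p --depclean (review by hand) ---"
    emerge -p --depclean
    [ "$updates" -eq 0 ] && [ "$glsas" -eq 0 ]
}

if command -v emerge >/dev/null 2>&1; then
    health_check
else
    echo "emerge not found; constructed sample has" \
         "$(sample_emerge_output | count_pending) pending package(s)"
fi
```

The script changes nothing on the system, and its exit status is non-zero when updates or unapplied GLSAs remain, so it can be run from cron.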

Replies

Subject Author
Re: [gentoo-security] Kernels and GLSAs Kevin Bryan <bryank@××××××.edu>