Gentoo Archives: gentoo-security

From: Aleksey V Lazar <lazar@××××.edu>
To: "gentoo-security@l.g.o" <gentoo-security@l.g.o>
Subject: Re: [gentoo-security] Security project meeting summary
Date: Mon, 28 Jul 2008 22:09:18
Message-Id: 488E435B.1000501@mnsu.edu
In Reply to: Re: [gentoo-security] Security project meeting summary by Robert Buchholz
Hello, Robert:

Robert Buchholz wrote:
> On Monday 21 July 2008, Aleksey V Lazar wrote:
>
>> Hello. Would it be reasonable to suggest adding a ~security (or
>> something like it) flag to denote packages masked for security
>> reasons?
>>
>
> Hi Aleksey,
>
> since entries in package.mask only contain free text description as an
> additional information, such a feature would require the package
> manager to decide which entries are security maskings, and which are
> feature maskings. While that could be done using
> restrictions/conventions within the text, I am sure our package manager
> developers would disagree with such a design. A "package.security.mask"
> file might be more appropriate for that.
>
Are you saying that security mask entries would go into the
package.security.mask and feature/other to package.mask? I think this
would make sense.
> My question now is, why would you want such a thing? Masked packages all
> have different reasons to be there, and you should decide to use one on
> a case-by-case basis.
>
I described in some more detail what I was thinking about in my previous
post to this list.

To answer your question, I think a feature like this would be very
useful, because it would remove barriers for identifying packages with
security issues. For example, I don't update my gentoo system daily,
but I would update it as often as necessary to keep it secure.
Currently (to the best of my understanding) there is no easy way (e.g.:
an /emerge/ option) to identify and update only the packages that have
security fixes. I would have to do some digging to find out what
packages and evaluate each package separately. So I think there would
be value in separating security masking from other types. To summarize,
I think this would accomplish the following:

1. Easily identify packages masked for security reasons.
2. Easily identify installed packages that have security issues/fixes
available.
3. Option for /emerge/ to only update packages with security fixes

Thank you for consideration.
Aleksey
> Regards,
> Robert
>
>

--
Aleksey V. Lazar
Website Development
Memorial Library 3010
Minnesota State University
Mankato, MN 56001
http://www.mnsu.edu/
Tel.: 1-507-389-2480
