Gentoo Archives: gentoo-security

From: "Brian G. Peterson" <brian@×××××××××.com>
To: gentoo-security@l.g.o
Subject: Re: [gentoo-security] Kernels and GLSAs
Date: Tue, 20 Sep 2005 14:03:53
Message-Id: 200509200853.19514.brian@braverock.com
In Reply to: Re: [gentoo-security] Kernels and GLSAs by Marius Mauch
On Tuesday 20 September 2005 07:44 am, Marius Mauch wrote:
> > Brian Peterson wrote:
> > The glsa-check tool is basically useless
> > (as of gentoolkit-0.2.1_pre7), as it shows all GLSAs rather than just
> > GLSAs for tools that correspond to packages installed on the system
> > it is run on.
>
> Can you explain this a bit more? glsa-check hasn't actually changed for
> a long time. Also make sure you don't confuse the --list option with
> the --test option.

Sure.

glsa-check --test

run by itself, does nothing except give a command summary.

glsa-check --list

lists *all* unapplied GLSAs, regardless of whether the package is installed on
the running system.

So, you need to --test each and every GLSA to see if it applies to your
system.

glsa-test --test all

gives a list of GLSAs that apply to a running system, but then provides no
details about these GLSAs in the list.

My take on this as a system administrator who manages many production servers
running gentoo is that I should be able to run some command, perhaps
'glsa-check --test all' that would give me the output of --list for each GLSA
that 'glsa-check --test' reports. This would allow me to run glsa-check in a
cron job and have the output sent to me, so that I have enough information to
decide if I need to do something on a running production server.

You can't 'glsa-check --pretend --fix all', as this isn't a valid combination
of commands. 'glsa-check --pretend all' gives a huge list that you need to
sort through to find the GLSAs that it thinks need applying.
Running:
glsa-check --pretend all | grep -B 1 -A 4 "following updates"
produces an almost usable result of only the GLSAs that need to be applied
with the package name that they apply to. I think that by default --pretend
should *only* list GLSAs that need applying.

I think that having a sensible default of 'all' for the package list of --test
would make a lot of sense, although this is minor.

From a standpoint of making glsa-check a useful tool, integration to emerge is
going to be the clear 'solution' to this problem, but glsa-check as it exists
today requires too many manual steps to make it very useful for the proactive
monitoring of running systems, especially when you have more than a single
system to keep track of.

For the easiest short-term solution, the output of --test and --pretend would
tell us what the GLSA summary is (like --list), and only for GLSAs that need
to be applied, so that we can assess whether we should apply the patch or
not. Make sense?

Thanks for asking. :)

Regards,

- Brian

--
gentoo-security@g.o mailing list

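A cron-friendly way to get the combination Brian asks for (only the GLSAs that apply to the host, each with its --list summary), written here as an added example that is not from this thread or from gentoolkit; it assumes the output shapes stated in the comments and uses constructed sample data with placeholder ids:

```shell
#!/bin/sh
# Added example, not part of the original message or of gentoolkit: join
# the ids printed by 'glsa-check --test all' (GLSAs that apply to this
# host) with the one-line summaries from 'glsa-check --list', so a cron
# job mails only the applicable GLSAs together with their descriptions.
#
# Assumptions: --test all prints one GLSA id per line, and each --list
# line contains the GLSA id as a separate word. Both are illustrated with
# constructed sample data below; verify against your gentoolkit version.

# summaries_for_ids TEST_OUTPUT LIST_OUTPUT
# Prints every LIST_OUTPUT line whose GLSA id appears in TEST_OUTPUT.
summaries_for_ids() {
    printf '%s\n' "$1" | while IFS= read -r id; do
        [ -n "$id" ] || continue
        # -F: literal id, -w: whole word, so 000000-01 does not hit 000000-010
        printf '%s\n' "$2" | grep -Fw -- "$id" || true
    done
}

# Constructed sample output; the ids are placeholders, not real GLSAs.
SAMPLE_TEST='000000-01
000000-03'
SAMPLE_LIST='000000-01 [N] example-pkg: summary of the first advisory
000000-02 [N] other-pkg: advisory for a package not installed here
000000-03 [N] third-pkg: summary of the third advisory'

# For real use in cron (assumes gentoolkit is installed):
#   summaries_for_ids "$(glsa-check --test all)" "$(glsa-check --list)"
summaries_for_ids "$SAMPLE_TEST" "$SAMPLE_LIST"
```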