On Tuesday 20 September 2005 07:44 am, Marius Mauch wrote:
> > Brian Peterson wrote:
> > The glsa-check tool is basically useless
> > (as of gentoolkit-0.2.1_pre7), as it shows all GLSAs rather than just
> > GLSAs for tools that correspond to packages installed on the system
> > it is run on.
>
> Can you explain this a bit more? glsa-check hasn't actually changed for
> a long time. Also make sure you don't confuse the --list option with
> the --test option.

Sure.

glsa-check --test

run by itself, does nothing except give a command summary.

glsa-check --list

lists *all* unapplied GLSAs, regardless of whether the package is installed on
the running system.

So, you need to --test each and every GLSA to see if it applies to your
system.

glsa-check --test all

gives a list of GLSAs that apply to a running system, but then provides no
details about these GLSAs in the list.

My take on this as a system administrator who manages many production servers
running gentoo is that I should be able to run some command, perhaps
'glsa-check --test all', that would give me the output of --list for each GLSA
that 'glsa-check --test' reports. This would allow me to run glsa-check in a
cron job and have the output sent to me, so that I have enough information to
decide if I need to do something on a running production server.

You can't 'glsa-check --pretend --fix all', as this isn't a valid combination
of commands. 'glsa-check --pretend all' gives a huge list that you need to
sort through to find the GLSAs that it thinks need applying.
Running:
glsa-check --pretend all | grep -B 1 -A 4 "following updates"
produces an almost usable result of only the GLSAs that need to be applied
with the package name that they apply to. I think that by default --pretend
should *only* list GLSAs that need applying.

I think that having a sensible default of 'all' for the package list of --test
would make a lot of sense, although this is minor.

From a standpoint of making glsa-check a useful tool, integration into emerge is
going to be the clear 'solution' to this problem, but glsa-check as it exists
today requires too many manual steps to make it very useful for the proactive
monitoring of running systems, especially when you have more than a single
system to keep track of.

For the easiest short-term solution, the output of --test and --pretend would
tell us what the GLSA summary is (like --list), and only for GLSAs that need
to be applied, so that we can assess whether we should apply the patch or
not. Make sense?

Thanks for asking. :)

Regards,

- Brian

--
gentoo-security@g.o mailing list
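The cron-friendly report Brian asks for above (the --list summary, but only for the GLSAs that --test says affect the host) can be assembled from the two existing commands with a small wrapper. The script below is an added example for this thread, not code from gentoolkit or from the poster. It assumes that `glsa-check --test all` prints one affected GLSA id per line and that `glsa-check --list all` prints one GLSA per line beginning with its id (the `[N]`/`[U]`/`[A]` markers and the summary text in the embedded sample are constructed for the demo); the id regex is tolerant of extra header lines, and the constructed sample is used only when the real tool is not installed.

```python
#!/usr/bin/env python3
"""Cron wrapper: join `glsa-check --test all` with `glsa-check --list all`.

Added example, not part of gentoolkit. Assumed output formats (not from
the original post): --test prints one affected GLSA id per line; --list
prints lines such as
    200509-01 [N] Foo: summary ( category/package )
"""
import re
import shutil
import subprocess
import sys

# A GLSA id looks like YYYYMM-NN at the start of a line.
GLSA_ID = re.compile(r"^(\d{6}-\d{2})\b")

# Constructed sample output, used only when glsa-check is not installed.
SAMPLE_TEST = "200509-01\n200509-03\n"
SAMPLE_LIST = (
    "200509-01 [N] Foo: remote code execution ( net-misc/foo )\n"
    "200509-02 [U] Bar: local privilege escalation ( app-misc/bar )\n"
    "200509-03 [N] Baz: denial of service ( sys-apps/baz )\n"
    "200509-04 [A] Qux: already applied ( dev-libs/qux )\n"
)


def affected_ids(test_output):
    """Parse `glsa-check --test all` output into a set of GLSA ids.

    Header or chatter lines that do not start with an id are ignored.
    """
    ids = set()
    for line in test_output.splitlines():
        m = GLSA_ID.match(line.strip())
        if m:
            ids.add(m.group(1))
    return ids


def affected_summaries(test_output, list_output):
    """Return the --list lines whose id appears in the --test output.

    Lines keep --list order so successive cron mails are easy to diff.
    """
    wanted = affected_ids(test_output)
    report = []
    for line in list_output.splitlines():
        m = GLSA_ID.match(line.strip())
        if m and m.group(1) in wanted:
            report.append(line.strip())
    return report


def run_glsa_check(args):
    """Run the real tool and return its stdout (raises if it fails)."""
    proc = subprocess.run(
        ["glsa-check", *args], capture_output=True, text=True, check=True
    )
    return proc.stdout


def build_report():
    """Use the installed glsa-check when present, else the constructed sample."""
    if shutil.which("glsa-check"):
        test_out = run_glsa_check(["--test", "all"])
        list_out = run_glsa_check(["--list", "all"])
    else:
        test_out, list_out = SAMPLE_TEST, SAMPLE_LIST
    return affected_summaries(test_out, list_out)


if __name__ == "__main__":
    lines = build_report()
    # Print nothing when nothing applies, so cron only mails on findings;
    # exit non-zero in that case so a monitoring wrapper can alert on it.
    if lines:
        print("GLSAs affecting this host:")
        print("\n".join(lines))
        sys.exit(1)
```

Dropped into a crontab (for example `0 6 * * * /usr/local/sbin/glsa-report`), the script is silent on clean hosts and mails only the summary lines for GLSAs that actually apply, which is the behaviour the post argues --test and --pretend should have by default.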