Hello all,

I have a suggestion which may be worth bandying around. Comments please.

At the moment, there are virtual classes of ebuilds, namely system and world.
(Sorry if I'm not using the right terminology here.)

emerge -up world shows all possible packages for upgrading, whereas emerge -up
system shows only system-related packages.

Currently on one of my servers, emerge -up system shows:
foo root # emerge -up system | grep "\[ebuild" | wc -l
50

Now, most of these are trivial:
sys-apps/man-pages-1.65 [1.56]
net-misc/dhcpcd-1.3.22_p4-r2 [1.3.22_p4-r1]
that don't affect the security of the running system. (I hope!)
On this server, I am only concerned with the security of the system, not
making sure that I am upgrading apache, postfix, ssh, and others every time a
new release comes out. (Unless of course I require some additional
functionality.)

What I think would be a good idea is the creation and maintenance of, say, 4 new
virtual packages:
remote-root
remote-shell
local-root
remote-dos
(Maybe there could be more, but these are the ones that I can think of.)

For example, if all versions of openssh below 7.8.9-r4 are vulnerable to a
remote-root, add the newest version that isn't vulnerable to the remote-root
group.
Should I run a box for myself, let's say, that doesn't have any local users,
maybe I just want to script emerge -up remote-root && emerge -up
remote-shell.
If nothing appears from that output, I can be happy that my box is running the
latest packages that could be exploited remotely.

I personally would track the 4 classes that I mentioned above on all boxes,
but of course, the choice would be for everyone.

I don't know if I made sense here, but I hope you can see what I am
suggesting.


Calum


--
gentoo-security@g.o mailing list
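The check the proposal describes (is each installed package at or above the first version that is not vulnerable for a given class?) hinges on comparing Gentoo version strings such as 1.3.22_p4-r2 correctly. The script below is an added example, not code from the post or from Portage; it assumes a simplified version grammar (dotted numbers, an optional _alpha/_beta/_pre/_rc/_p suffix, an optional -rN revision), and the "remote-root" class contents and installed-package list are constructed for illustration.

```python
"""Compare installed Gentoo packages against a security class's first fixed versions."""
import re

# Gentoo suffix ordering: _alpha < _beta < _pre < _rc < (no suffix) < _p
SUFFIX_RANK = {"alpha": 0, "beta": 1, "pre": 2, "rc": 3, "": 4, "p": 5}

# Simplified grammar (assumption): dotted numbers, one optional suffix, optional -rN
VERSION_RE = re.compile(
    r"^(?P<nums>\d+(?:\.\d+)*)"
    r"(?:_(?P<suf>alpha|beta|pre|rc|p)(?P<sufnum>\d*))?"
    r"(?:-r(?P<rev>\d+))?$"
)

def parse_version(ver):
    """Turn '1.3.22_p4-r2' into a tuple that sorts the way Portage orders versions."""
    m = VERSION_RE.match(ver)
    if not m:
        raise ValueError(f"unsupported version string: {ver}")
    nums = tuple(int(x) for x in m.group("nums").split("."))
    suf = m.group("suf") or ""
    sufnum = int(m.group("sufnum") or 0)
    rev = int(m.group("rev") or 0)
    return (nums, SUFFIX_RANK[suf], sufnum, rev)

def split_atom(atom):
    """Split 'net-misc/openssh-7.8.9-r4' into ('net-misc/openssh', '7.8.9-r4')."""
    # The version starts at the first '-' that is followed by a digit.
    m = re.match(r"^(?P<name>.+?)-(?P<ver>\d.*)$", atom)
    if not m:
        raise ValueError(f"not a versioned atom: {atom}")
    return m.group("name"), m.group("ver")

def vulnerable_packages(installed, security_class):
    """Return (name, installed, first_fixed) for packages still below the class threshold."""
    hits = []
    for atom in installed:
        name, ver = split_atom(atom)
        fixed = security_class.get(name)
        if fixed is not None and parse_version(ver) < parse_version(fixed):
            hits.append((name, ver, fixed))
    return hits

# Constructed "remote-root" class: package -> first version that is not vulnerable
REMOTE_ROOT = {"net-misc/openssh": "7.8.9-r4", "net-misc/dhcpcd": "1.3.22_p4-r2"}

# Constructed installed-package list, in the atom form emerge prints
INSTALLED = ["net-misc/openssh-7.8.9-r3", "net-misc/dhcpcd-1.3.22_p4-r2",
             "sys-apps/man-pages-1.56"]

if __name__ == "__main__":
    for name, have, need in vulnerable_packages(INSTALLED, REMOTE_ROOT):
        print(f"{name}: installed {have}, remote-root class requires >= {need}")
```

Packages absent from the class (man-pages above) are ignored, which is the point of the proposal: only the class members need tracking on a box that is otherwise kept stable.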