| 1 |
Hello all, |
| 2 |
|
| 3 |
I have a suggestion which may be worth bandying around. Comments please. |
| 4 |
|
| 5 |
At the moment, there are virtual classes of ebuilds, namely system, and world. |
| 6 |
(Sorry if I'm not using the right terminology here). |
| 7 |
|
| 8 |
emerge -up world shows all possible packages for upgrading, whereas emerge -up |
| 9 |
system shows only system related packages. |
| 10 |
|
| 11 |
Currently on one of my servers, emerge -up system shows: |
| 12 |
foo root # emerge -up system | grep "\[ebuild" | wc -l |
| 13 |
50 |
| 14 |
|
| 15 |
Now, most of these are trivial: |
| 16 |
sys-apps/man-pages-1.65 [1.56] |
| 17 |
net-misc/dhcpcd-1.3.22_p4-r2 [1.3.22_p4-r1] |
| 18 |
that don't affect the security of the running system. (I hope!) |
| 19 |
On this server, I am only concerned with the security of the system, not |
| 20 |
making sure that I am upgrading apache, postfix, ssh, and others every time a |
| 21 |
new release comes out. (Unless of course I require some additional |
| 22 |
functionality.) |
| 23 |
|
| 24 |
What I think would be a good idea is the creation and maintenance of say 4 new |
| 25 |
virtual packages: |
| 26 |
remote-root |
| 27 |
remote-shell |
| 28 |
local-root |
| 29 |
remote-dos |
| 30 |
(Maybe there could be more, but these are the ones that I can think of). |
| 31 |
|
| 32 |
For example, if all version of openssh below 7.8.9-r4 are vulnerable to a |
| 33 |
remote-root, add the newest version that isn't vulnerable to the remote-root |
| 34 |
group. |
| 35 |
Should I run a box for myself, let's say, that doesn't have any local users, |
| 36 |
maybe I just want to script emerge -up remote-root && emerge -up |
| 37 |
remote-shell. |
| 38 |
If nothing appears from that output, I can be happy that my box is running the |
| 39 |
latest packages that could be exploited remotely. |
| 40 |
|
| 41 |
I personally would track the 4 classes that I mentioned above on all boxes, |
| 42 |
but of course, the choice would be for everyone. |
| 43 |
|
| 44 |
I don't know if I made sense here, but I hope you can see what I am |
| 45 |
suggesting. |
| 46 |
|
| 47 |
|
| 48 |
Calum |
| 49 |
|
| 50 |
|
| 51 |
-- |
| 52 |
gentoo-security@g.o mailing list |
Archives