Gentoo Archives: gentoo-user

From: BRM <bm_witness@×××××.com>
To: gentoo-user@l.g.o
Subject: Re: [gentoo-user] How to update portage offline with minimal impact?
Date: Wed, 09 Jan 2008 04:50:07
Message-Id: 777341.72514.qm@web60025.mail.yahoo.com
In Reply to: Re: [gentoo-user] How to update portage offline with minimal impact? by Daniel da Veiga
--- Daniel da Veiga <danieldaveiga@×××××.com> wrote:
> On Jan 8, 2008 7:13 PM, BRM <bm_witness@×××××.com> wrote:
> > --- Per-Erik Westerberg <per-erik.westerberg@××××××××.net> wrote:
> > > On Thu 2008-01-03 at 13:16 -0800, BRM wrote:
> > > > I have a couple Sparc systems. One has been running Gentoo for a long
> > > > time - installed using Gentoo 2006, not updated since due to the issue
> > > > I'm about to discuss - and the other is a near identical system that
> > > > might get Gentoo 2007 installed. Both are on two separate networks and
> > > > have no communication between them.
> > > >
> > > > The first system does have some Internet access through a firewall, but
> > > > it doesn't really work, at least for this purpose; so it's just as good
> > > > as not having any access at all for this purpose.
> > <snip>
> > > > In either case, I can't update portage using the normal method of
> > > > 'emerge --sync'. So, I'm trying to figure out a solution that would
> > > > enable me to update the systems. Under Slackware, I'd just point
> > > > pkgtool to the CD media and install from that, just like during
> > > > installation. Is there a similar approach for Gentoo? How do I overcome
> > > > the source mirror issue too so that the systems don't try to download
> > > > stuff from the web?
> > > >
> > > Have you tried to use a proxy (adjust accordingly)?
> > > export http_proxy=http://proxy.company.com:8080
> > > export ftp_proxy=http://proxy.company.com:8080
> > > export RSYNC_PROXY=proxy.company.com:8080
> >
> > Yes, I tried using the proxy on the one system. (The other system won't
> > even have that as an option.) The problem came there that the proxy is
> > an authenticated proxy, primarily designed to work with Windows. It
> > works fine from Firefox/Netscape in X Windows, but causes problems for
> > command-line tools and console browsers. So, in addition to my trying
> > to find a solution where a proxy is not an option, it is, for all
> > intents and purposes, a non-option anyway.
> >
> If you really don't wanna use the network, you can easily transfer a
> tarball and rsync locally (gentoo forums have little nifty scripts for
> syncing locally and emerging metadata). The forums also have lots of
> scripts designed to create a list of needed distfiles and download
> them at another machine, you can transfer this and update. With a
> little set of scripts you can automate the whole process using the
> network, or require minor user intervention to transfer the list and
> later the files to and from a networkless machine.

Any that you recommend? This sounds like what I want.

> > Additionally, because it is an authenticated proxy, it is not an ideal
> > solution as it would leave the username/password for a user in plain
> > sight of all users on the system as the info would be either in the
> > environment variables and/or the command-line options of a program. So,
> > from a security stand-point, it's not an option either since it
> > sometimes takes a day or so to perform updates.
> There's no problem in using an authenticated proxy for
> emerge-webrsync, as you can keep a script in a directory with
> restricted permissions, only root would be able to see it anyway, and
> you can use this machine as an rsync and distfiles mirror for any
> other in the network, crontab would work as well, as only the user who
> creates it can see it (if you set it). You can even set a special
> username/password at your proxy that can only access rsync port and
> mirrors for distfiles for increased security.
>
> OK, those are some of MANY options available. Gentoo is very flexible,
> even in a controlled environment.

True - Gentoo is very flexible, and its emerging management is why I
chose it for the first system behind the proxy. When I had originally
set up the system, the proxies weren't authenticated and things worked.
Unfortunately, I don't have any control of the proxies and the only
thing I can do is use my own username and password - thus putting some
personal liability on the line as the company would hold me
responsible. I am aware I can do a restricted script - but I still end
up with the problem (which is documented) that someone could possibly
sniff the environment of the script and get the username/password, or
sniff the program names - as listed by 'ps' and other sources (e.g. the
kernel) - and get it there too, depending on how ftp/wget/etc. are
called.

Unfortunately, the system behind the proxy may have other issues.
Apparently some of the primary software for the system (Apache,
Subversion, Trac) didn't ever get emerged. I know I can list it as
already provided, but that would cause a problem with updating that
software via emerging, no? (Which is what I really want!) So, the
system may need a complete rebuild to do it right, and I'm not sure how
I would be able to do that at the moment for a number of reasons beyond
the scope of my problem here. So that system will likely sit as it is
for a long time to come...

Anyhow... I still have another system that has not yet been set up that
I need to figure this out for - and that one won't likely have Internet
access at all, so the proxy issue doesn't matter.

Thanks!

Ben
--
gentoo-user@l.g.o mailing list
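
The thread above turns on where proxy credentials end up: in environment variables, on a command line, or in a file with restricted permissions. As an added example (not part of the original messages), the sketch below keeps the password in an owner-only wgetrc and checks process environment and argument data for credential-bearing URLs; the function names, host, account and paths are placeholders chosen here.

```shell
#!/bin/sh
# Added example. Host, account name and file paths are placeholders.

# Store proxy settings in a wgetrc readable only by its owner, so the
# password never appears in an environment variable or in argv.
# The password is read from stdin; printf is a shell builtin in bash
# and dash, so writing it out does not spawn a process that 'ps' shows.
write_private_wgetrc() {
    rc=$1; proxy=$2; user=$3
    old_umask=$(umask)
    umask 077                 # new file is created mode 0600
    rm -f "$rc"               # do not inherit a wider mode from an old file
    IFS= read -r pass
    {
        printf 'use_proxy = on\n'
        printf 'http_proxy = %s\n' "$proxy"
        printf 'ftp_proxy = %s\n' "$proxy"
        printf 'proxy_user = %s\n' "$user"
        printf 'proxy_password = %s\n' "$pass"
    } > "$rc"
    umask "$old_umask"
    unset pass
}

# Succeeds if a NUL-separated file (the format of /proc/PID/environ and
# /proc/PID/cmdline) contains a URL with embedded user:password@.
leaks_proxy_creds() {
    tr '\0' '\n' < "$1" |
        grep -Eq '[a-z]+://[^/@:[:space:]]+:[^/@[:space:]]+@'
}

# Run as root to list processes that currently expose such a URL.
# cmdline is world-readable by default; environ is readable by the
# process owner and root.
audit_procs() {
    for f in /proc/[0-9]*/cmdline /proc/[0-9]*/environ; do
        if [ -r "$f" ] && leaks_proxy_creds "$f" 2>/dev/null; then
            echo "credentials exposed in $f"
        fi
    done
}
```

Pointing wget at the file through its `WGETRC` environment variable exposes only the file's path, on the assumption that fetches on the machine go through wget.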