public inbox for gentoo-dev@lists.gentoo.org
* [gentoo-dev] security updates only?
@ 2003-08-13  5:59 Klavs Klavsen
  2003-08-15  5:31 ` Marius Mauch
  0 siblings, 1 reply; 8+ messages in thread
From: Klavs Klavsen @ 2003-08-13  5:59 UTC
  To: gentoo-dev


Hi guys,

I know there have been several requests (also from me) asking for a way
to do security updates only.

Something like emerge -s world --nodeps (should update every package
that has had a GLSA for it if the version matches the GLSA(s)) would
IMHO be very cool and very much needed. Then I bet many people would set
that to update automagically - which should be possible - and that would
help security a whole lot :)

I'm no Python programmer (at least not yet - a friend of mine tells me
it's quite easy, and a cool language :) - and I don't know how well
Portage is structured, but I think this security thing could easily be
accomplished if the GLSAs were added to the tree (why shouldn't they -
they don't take up much space, and why should people have to go to the
webpage, or receive an email, to get notified?).

What do you think?
-- 
Regards,
Klavs Klavsen, GSEC - kl@vsen.dk - http://www.vsen.dk
PGP: 7E063C62/2873 188C 968E 600D D8F8  B8DA 3D3A 0B79 7E06 3C62
See my new CMS Hosting Service at http://www.VirkPaaNettet.dk

Working with Unix is like wrestling a worthy opponent. 
Working with windows is like attacking a small whining child 
who is carrying a .38.				

* Re: [gentoo-dev] security updates only?
  2003-08-13  5:59 [gentoo-dev] security updates only? Klavs Klavsen
@ 2003-08-15  5:31 ` Marius Mauch
  2003-08-15  7:07   ` Tobias Sager
  2003-08-15 17:30   ` Karsten Schulz
  0 siblings, 2 replies; 8+ messages in thread
From: Marius Mauch @ 2003-08-15  5:31 UTC
  To: gentoo-dev

On 13 Aug 2003 07:59:23 +0200
Klavs Klavsen <kl@vsen.dk> wrote:

> Hi guys,
> 
> I know there have been several requests (also from me) asking for a way
> to do security updates only.
> 
> Something like emerge -s world --nodeps (should update every package
> that has had a GLSA for it if the version matches the GLSA(s)) would
> IMHO be very cool and very much needed. Then I bet many people would
> set that to update automagically - which should be possible - would
> help security a whole lot :)
> 
> I'm no Python programmer (at least not yet - a friend of mine tells me
> it's quite easy, and a cool language :) - and I don't know how well
> portage is structured, but I think this security thing could easily be
> accomplished, if the GLSA's were added to the tree (why shouldn't they
> - they don't take up much space, and why should people have to go to
> the webpage, or receive an email to get notified?).
> 
> What do you think?

I wrote a small prototype for that, but it needs support from the
GLSA guys, as it is very difficult to get the GLSAs from a script: they
are only published on various mailing lists and the forums. Another
issue is that my script works with XML versions of GLSAs, so someone
needs to convert the plaintext versions.
Code, DTD and a sample XML GLSA are available at
http://gentoo.devel-net.org/glsa/ .

Marius

--
gentoo-dev@gentoo.org mailing list


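[Editor's added example; not part of the thread, not Marius Mauch's prototype and not Portage code.] Klavs asks for an emerge mode that updates every installed package whose version falls inside a GLSA's vulnerable range, and Marius's prototype works from XML versions of the GLSAs. The script below, in Python because that is what Portage is written in, shows the check such a tool has to make: parse the advisories, compare each installed version against the vulnerable and unaffected ranges, and build the emerge command. The XML layout, the advisory ids, the package names and the installed-package inventory are all constructed for the example (the DTD at the URL above is not reproduced on this page), and the version ordering is a simplified approximation of Portage's rules.

```python
"""Added example (not Marius Mauch's prototype, not Portage code): match
GLSA-style XML advisories against installed packages and report the ones
that need a security update.

Assumptions, none taken from the thread: the XML layout is a constructed
stand-in for the real DTD; INSTALLED is a constructed inventory, not a
read of /var/db/pkg; version ordering is a simplified approximation of
Portage's (dotted numbers, one _alpha/_beta/_pre/_rc/_p suffix, -rN).
"""
import re
import xml.etree.ElementTree as ET

# Constructed advisory data. Ids and package names are placeholders.
GLSA_XML = """<?xml version="1.0"?>
<glsas>
  <glsa id="example-0001">
    <affected>
      <package name="app-example/daemon">
        <vulnerable range="lt">1.4.2-r1</vulnerable>
        <unaffected range="ge">1.4.2-r1</unaffected>
      </package>
    </affected>
  </glsa>
  <glsa id="example-0002">
    <affected>
      <package name="dev-example/lib">
        <vulnerable range="lt">2.0.3</vulnerable>
        <unaffected range="ge">2.0.3</unaffected>
        <unaffected range="eq">1.5.9-r3</unaffected>
      </package>
      <package name="net-example/client">
        <vulnerable range="le">0.7</vulnerable>
        <unaffected range="gt">0.7</unaffected>
      </package>
    </affected>
  </glsa>
</glsas>
"""

# Constructed inventory: category/name -> installed version.
INSTALLED = {
    "app-example/daemon": "1.4.1",    # below the fixed revision
    "dev-example/lib": "1.5.9-r3",    # old branch with a backported fix
    "sys-example/tool": "3.1",        # no advisory at all
}

_SUFFIX_RANK = {"alpha": -4, "beta": -3, "pre": -2, "rc": -1, "": 0, "p": 1}
_VERSION_RE = re.compile(
    r"^(\d+(?:\.\d+)*)(?:_(alpha|beta|pre|rc|p)(\d*))?(?:-r(\d+))?$")


def parse_version(ver):
    """Turn '2.0.3_rc1-r2' into a tuple that sorts like Portage would
    (simplified, see module docstring). Rejects syntax it does not model."""
    m = _VERSION_RE.match(ver)
    if not m:
        raise ValueError(f"unsupported version string: {ver!r}")
    nums, suffix, suffix_num, rev = m.groups()
    return (tuple(int(n) for n in nums.split(".")),
            _SUFFIX_RANK[suffix or ""], int(suffix_num or 0), int(rev or 0))


def satisfies(installed, op, ref):
    """Does the installed version fall inside the range 'op ref'?"""
    a, b = parse_version(installed), parse_version(ref)
    return {"lt": a < b, "le": a <= b, "eq": a == b,
            "ge": a >= b, "gt": a > b}[op]


def load_glsas(xml_text):
    """Parse to [(glsa_id, {pkg: {'vulnerable': [...], 'unaffected': [...]}})].
    The parser trusts its input: only feed it advisories whose origin has
    been verified (a signed sync, not an arbitrary download)."""
    advisories = []
    for glsa in ET.fromstring(xml_text).findall("glsa"):
        pkgs = {}
        for pkg in glsa.find("affected").findall("package"):
            pkgs[pkg.get("name")] = {
                tag: [(e.get("range"), e.text.strip()) for e in pkg.findall(tag)]
                for tag in ("vulnerable", "unaffected")}
        advisories.append((glsa.get("id"), pkgs))
    return advisories


def is_vulnerable(version, spec):
    """Vulnerable if any <vulnerable> range matches and no <unaffected> range
    does; the unaffected list is what lets a backported fix on an old
    branch count as safe."""
    hit = any(satisfies(version, op, ref) for op, ref in spec["vulnerable"])
    safe = any(satisfies(version, op, ref) for op, ref in spec["unaffected"])
    return hit and not safe


def affected_packages(advisories, installed):
    """Sorted (glsa_id, package, installed_version) for every installed
    package still inside an advisory's vulnerable range."""
    hits = []
    for glsa_id, pkgs in advisories:
        for name, spec in pkgs.items():
            ver = installed.get(name)            # None: not installed, skip
            if ver is not None and is_vulnerable(ver, spec):
                hits.append((glsa_id, name, ver))
    return sorted(hits)


def emerge_command(hits):
    """Build the update command; --oneshot keeps the packages out of the
    world file. Returns None when nothing is affected."""
    names = sorted({name for _, name, _ in hits})
    return "emerge --oneshot " + " ".join(names) if names else None


if __name__ == "__main__":
    found = affected_packages(load_glsas(GLSA_XML), INSTALLED)
    print(found)
    print(emerge_command(found) or "no GLSA-affected packages installed")
```

With the constructed data only app-example/daemon-1.4.1 is reported; dev-example/lib stays quiet because its old branch carries the backported fix listed as unaffected, and net-example/client is skipped because it is not installed. One point to keep in mind if GLSAs are ever shipped on emerge sync as the thread proposes: the parser above trusts whatever it is given, so the advisory feed needs integrity protection before a script acts on it, otherwise whoever can tamper with the feed can both hide advisories and trigger emerges of their choosing.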

* Re: [gentoo-dev] security updates only?
  2003-08-15  5:31 ` Marius Mauch
@ 2003-08-15  7:07   ` Tobias Sager
  2003-08-15  7:29     ` Marius Mauch
  2003-08-15 17:30   ` Karsten Schulz
  1 sibling, 1 reply; 8+ messages in thread
From: Tobias Sager @ 2003-08-15  7:07 UTC
  To: gentoo-dev


On 15.08.03 07:31 Marius Mauch wrote:

> I wrote a small prototype for that, but it needs support from the
> GLSA guys, as it is very difficult to get the GLSAs from a script: they
> are only published on various mailing lists and the forums.
> Another issue is that my script works with XML versions of GLSAs, so
> someone needs to convert the plaintext versions.
> Code, DTD and a sample XML GLSA are available at
> http://gentoo.devel-net.org/glsa/ .

Very nice. I like the idea of automagical security updates.

It should be easy (and I could do it in .sh or .pl, but not .py; shall
I?) to write a script which converts the plain, unmodified GLSAs to your
parsable XML format.

Then maybe a GLSA-portage category would be nice? (Or does this exist
already?)

Regards
Tobias

-- 
GPG-Key: 0xEF37FF28 (1024/4096 - DSA/ELG-E)
Fingerprint: 3C4B 155F 2621 CEAF D3A6 0CCB 937C 9597 EF37 FF28


* Re: [gentoo-dev] security updates only?
  2003-08-15  7:07   ` Tobias Sager
@ 2003-08-15  7:29     ` Marius Mauch
  0 siblings, 0 replies; 8+ messages in thread
From: Marius Mauch @ 2003-08-15  7:29 UTC
  To: gentoo-dev

On Fri, 15 Aug 2003 09:07:01 +0200
Tobias Sager <moixa@gmx.ch> wrote:

> On 15.08.03 07:31 Marius Mauch wrote:
> 
> > I wrote a small prototype for that, but it needs support from the
> > GLSA guys, as it is very difficult to get the GLSAs from a script: they
> > are only published on various mailing lists and the forums.
> > Another issue is that my script works with XML versions of GLSAs, so
> > someone needs to convert the plaintext versions.
> > Code, DTD and a sample XML GLSA are available at
> > http://gentoo.devel-net.org/glsa/ .
> 
> Very nice. I like the idea of automagical security updates.
>
> It should be easy (and I could do it in .sh or .pl, but not .py; shall
> I?) to write a script which converts the plain, unmodified GLSAs to
> your parsable XML format.

Yes, that's not the main problem. The major issue is that there is no
HTTP or FTP server at the moment where I can grab the GLSAs, and I somehow
don't like the idea of subscribing a script to mailing lists and posting
the result on some unofficial server. Parsing the forum announcements is
IMO not an option at all.
I sent a mail to aliz about it but didn't get a reply yet :(

> Then maybe a GLSA-portage category would be nice? (Or does this exist
> already?)

AFAIK portage knows nothing about GLSA stuff. It would be nice if the
GLSA were distributed on emerge sync.

Marius

--
gentoo-dev@gentoo.org mailing list



* Re: [gentoo-dev] security updates only?
  2003-08-15  5:31 ` Marius Mauch
  2003-08-15  7:07   ` Tobias Sager
@ 2003-08-15 17:30   ` Karsten Schulz
  2003-08-15 23:51     ` Tobias Sager
  1 sibling, 1 reply; 8+ messages in thread
From: Karsten Schulz @ 2003-08-15 17:30 UTC
  To: gentoo-dev

On Friday, 15 August 2003 07:31, Marius Mauch wrote:
> On 13 Aug 2003 07:59:23 +0200
> http://gentoo.devel-net.org/glsa/ .

I like the basic idea of maintaining GLSA information in Portage and introducing a
standard format for it (XML could be OK).

How can I support you, and how can we get into discussion with the GLSA guys?
Unfortunately I am not informed about who tracks security-related information
and writes GLSAs. I definitely could spend time regularly on this matter!

Karsten


--
gentoo-dev@gentoo.org mailing list



* Re: [gentoo-dev] security updates only?
  2003-08-15 17:30   ` Karsten Schulz
@ 2003-08-15 23:51     ` Tobias Sager
  2003-08-16  0:20       ` Marius Mauch
  0 siblings, 1 reply; 8+ messages in thread
From: Tobias Sager @ 2003-08-15 23:51 UTC
  To: gentoo-dev


On 15.08.03 19:30 Karsten Schulz wrote:

> On Friday, 15 August 2003 07:31, Marius Mauch wrote:
> > On 13 Aug 2003 07:59:23 +0200
> > http://gentoo.devel-net.org/glsa/ .
> 
> I like the basic idea of maintaining GLSA information in Portage and
> introducing a standard format for it (XML could be OK).
> 
> How can I support you, and how can we get into discussion with the GLSA
> guys? Unfortunately I am not informed about who tracks security-related
> information and writes GLSAs. I definitely could spend time
> regularly on this matter!

That would be Daniel Ahlberg <aliz@gentoo.org>, I think.
Maybe we should open a bug to track this?

Regards,
Tobias

-- 
GPG-Key 0xEF37FF28 - 1024/4096 DSA/ELG-E - 16.11.2001
Fingerprint: 3C4B 155F 2621 CEAF D3A6 0CCB 937C 9597 EF37 FF28



* Re: [gentoo-dev] security updates only?
  2003-08-15 23:51     ` Tobias Sager
@ 2003-08-16  0:20       ` Marius Mauch
  2003-08-16  7:28         ` Karsten Schulz
  0 siblings, 1 reply; 8+ messages in thread
From: Marius Mauch @ 2003-08-16  0:20 UTC
  To: gentoo-dev

On Sat, 16 Aug 2003 01:51:16 +0200
Tobias Sager <moixa@gmx.ch> wrote:

> On 15.08.03 19:30 Karsten Schulz wrote:
> 
> > I like the basic idea of maintaining GLSA information in Portage and
> > introducing a standard format for it (XML could be OK).
> > 
> > How can I support you, and how can we get into discussion with the
> > GLSA guys? Unfortunately I am not informed about who tracks security-
> > related information and writes GLSAs. I definitely could spend time
> > regularly on this matter!
> 
> That would be Daniel Ahlberg <aliz@gentoo.org>, I think.
> Maybe we should open a bug to track this?

Well, I already made a comment on bug 5835 and I also sent a mail to
aliz a few weeks ago, no reply so far :(

Marius

--
gentoo-dev@gentoo.org mailing list



* Re: [gentoo-dev] security updates only?
  2003-08-16  0:20       ` Marius Mauch
@ 2003-08-16  7:28         ` Karsten Schulz
  0 siblings, 0 replies; 8+ messages in thread
From: Karsten Schulz @ 2003-08-16  7:28 UTC
  To: Marius Mauch, gentoo-dev

On Saturday, 16 August 2003 02:20, Marius Mauch wrote:
> Well, I already made a comment on bug 5835 and I also sent a mail to
> aliz a few weeks ago, no reply so far :(

Another person who should be contacted seems to be Nick Jones.
As one can read in the Gentoo Weekly Newsletter from January 27th, 2003
(<http://www.gentoo.org/news/en/gwn/20030127-newsletter.xml>),
GLSAs are going to be integrated into Portage.

I think an integration of GLSAs needs two basic steps:
1. Make tracking security announcements easier (needs fixed formats,
communication channels, and so on) - Marius did some work here.

2. Integrate the standardized GLSA information into Portage.

Step 2 is IMHO the critical one. It has to be done without changing too much
in the Portage system. I don't believe that it is a wise step to introduce
new USE flags or program options for emerge in this phase.
I wish to find a way to integrate the GLSA information into the current Portage
system without changing too much.

I have just written a mail to Daniel to get first-hand information and to
make sure that any effort to bring this topic forward will go the right way.

Did anyone take a look at Marius's DTD? Any comments on it?

Karsten
--
gentoo-dev@gentoo.org mailing list


