[gentoo-dev] RFC: security updates only? (security-1.0.ebuild)

[Karsten Schulz <kaschu@t800.ping.de>]

Hi all, 

At bugs.gentoo.org I attached an tarball with my version of an ebuild, which 
automatically will install *only* those security updates, which are relevant 
to your system (see <http://bugs.gentoo.org/show_bug.cgi?id=5835>).

The trick is the following code in the ebuild:
DEPEND="
$(has_version 'nfs-utils' && echo '>=nfs-utils-1.0.4')
$(has_version 'gnupg' && echo '>=gnupg-1.2.2-r1')
"
this will create dependencies on the fly: Only if you have nfs-utils 
installed, the new version with the bugfix will appear as a dependency. Same 
with gnupg. 
There is no need for new 'emerge' options or KEYWORDS.

For his own system, the admin has to type in only:
emerge rsync
emerge security

or, if he is interested in this stuff:
emerge rsync
emerge -p security
and followed by 'emerge security', if necessary.

The only drawback at the moment is, that there is no automated way to generate 
the value of the DEPEND variable by the GLSAs. Maybe here can Marius' XML 
format help. With GLSAs in such a format, a simple script can generate the 
security-ebuilds, the postings at forums.gentoo.org and the mails in 
gentoo-announce! I would love to hear from some core developers and others 
what you think (is it critical to use an ebuild, which does not compile and 
install its own sourcecode, because it has none?).

I know, that this can (and must) be improved in the future (more information, 
references to advisories, signing the ebuild, a.s.o.), but at the moment, 
this way seems to me to be an easy one, isn't it?

Comments?

Karsten


--
gentoo-dev@gentoo.org mailing list