* [gentoo-dev] Server / security thing
From: Moilanen Mikko Antero @ 2002-09-04 20:05 UTC
To: gentoo-dev
Hi
Would it be a good idea to make an additional command "emerge security" to check and upgrade any security things, like "emerge system" now upgrades some standard system things?
This would definitely be good for people who maintain servers or for people who maintain workstations, or this would just be *good* for people.
* Re: [gentoo-dev] Server / security thing
From: Evan Read @ 2002-09-05 7:57 UTC
To: Mikko.Moilanen; +Cc: gentoo-dev
> Hi
>
> Would it be a good idea to make an additional command "emerge security" to
> check and upgrade any security things like now "emerge system" upgrades
> some standard system things?
Well, # emerge world should update everything you have to the latest, and
therefore security-fixed, ebuilds.
To have emerge check for the security of a system would be a lot of work.
Better to use third party tools like nessus
(http://www.gentoo.org/packages/net-analyzer/nessus.html).
> This would definitely be good for people who maintain servers or for
> people who maintain workstations or this would just be *good* for
> people.
I think that having a "stable" set of packages which represents a released
version + fixes would be good for those people. Managing security can't
be that automatic.
Thanks.
Evan.
* Re: [gentoo-dev] Server / security thing
From: Chris Sykes @ 2002-09-06 15:59 UTC
To: gentoo-dev
On Wed, Sep 04, 2002 at 11:05:40PM +0300, Moilanen Mikko Antero wrote:
> Hi
>
> Would it be a good idea to make an additional command "emerge security" to check and upgrade any security things, like "emerge system" now upgrades some standard system things?
>
> This would definitely be good for people who maintain servers or for people who maintain workstations, or this would just be *good* for people.
>
I agree that this would be useful functionality. I think that the best way to
implement something like this is _not_ to label security fix ebuilds as such,
but to flag the ebuilds that are vulnerable.
e.g. (off the top of my head)
For each package create a file that lists the ebuild versions that were found
to have security issues e.g.
/usr/portage/category/package/security
Using a method like this an 'emerge security' could check all installed
packages against the versions in the security files and update them if needed.
All this would mean more work for the poor souls maintaining the portage tree
though.
--
Chris Sykes
* Re: [gentoo-dev] Server / security thing
From: Mikko Moilanen @ 2002-09-06 16:06 UTC
To: gentoo-dev
On Thu, 5 Sep 2002 17:57:36 +1000 (EST)
"Evan Read" <eread@freeshell.org> wrote:
> Well, # emerge world should update everything you have to the latest, and
> therefore security fixed, ebuilds.
Yes, it's good. But some people would not want emerge to upgrade everything; they only want it to upgrade software in which a security hole has been found.
On servers this would be important, because there is not much need for constant upgrades unless they are security fixes. This could also be important on workstations which have to keep using the installed versions, or which are too important to be broken by emerge world.
> To have emerge check for the security of a system would be a lot of work.
> Better to use third party tools like nessus
> (http://www.gentoo.org/packages/net-analyzer/nessus.html).
I did not mean that kind of security check. I mean that "emerge security" would check whether ssh or whatever software is a version which is considered to be safe.
> I think that having a "stable" set of packages which represents a released
> version + fixes would be good for those people. Managing security cant
> be that automatic.
Yes, but computers are supposed to make life easier too. By adding this "emerge security" feature to portage, people's lives would be easier and Gentoo would be even better. If an "emerge system" feature is possible, then "emerge security" must be possible too.
This is an enhancement and fits Gentoo perfectly. There is no need for "stable" and "unstable". But there is a need for automating security updates.
--
http://baldor.ath.cx:2000
* [gentoo-dev] Re: Server / security thing
From: Thomas de Grenier de Latour @ 2002-09-06 18:26 UTC
To: gentoo-dev
On Wed, 04 Sep 2002 23:05:40 +0300
Moilanen Mikko Antero <Mikko.Moilanen@mailigw1.mikkeliamk.fi> wrote:
> Hi
>
> Would it be a good idea to make an additional command "emerge security" to
> check and upgrade any security things like now "emerge system"
> upgrades some standard system things?
>
> This would definitely be good for people who maintain servers or for
> people who maintain workstations or this would just be *good* for
> people.
It seems that several users are waiting for something in that direction:
http://forums.gentoo.org/viewtopic.php?t=10028&highlight=security
http://forums.gentoo.org/viewtopic.php?t=10879&highlight=security
http://forums.gentoo.org/viewtopic.php?t=13524&highlight=security
...
-- Thomas.
* Re: [gentoo-dev] Server / security thing
From: Tom Prado @ 2002-09-06 18:57 UTC
Cc: gentoo-dev
On Fri, 6 Sep 2002, Chris Sykes wrote:
> On Wed, Sep 04, 2002 at 11:05:40PM +0300, Moilanen Mikko Antero wrote:
> > Hi
> >
> > Would it be a good idea to make an additional command "emerge security" to check and upgrade any security things, like "emerge system" now upgrades some standard system things?
> >
> > This would definitely be good for people who maintain servers or for people who maintain workstations, or this would just be *good* for people.
> >
>
> I agree that this would be useful functionality. I think that the best way to
> implement something like this is _not_ to label security fix ebuilds as such,
> but to flag the ebuilds that are vulnerable.
>
> e.g. (off the top of my head)
>
> For each package create a file that lists the ebuild versions that were found
> to have security issues e.g.
> /usr/portage/category/package/security
>
> Using a method like this an 'emerge security' could check all installed
> packages against the versions in the security files and update them if needed.
>
> All this would mean more work for the poor souls maintaining the portage tree
> though.
>
> --
> Chris Sykes
>
>
Either this or have a /usr/portage/profiles/package.security file that has
a list of minimum package versions to use. This file can be modified when
there is a security announcement. I.e. for the latest gaim security
announcement, a line can be added to it as such:
>=net-im/gaim-0.59.1
emerge security would check this file against all installed packages to
see if any need updating. It'd be up to whoever provides the new ebuild
to update the security file as well.
Tom Prado
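Chris's per-package list of vulnerable versions and Tom's package.security file of minimum versions both reduce to the same check: compare what is installed against a list of version bounds. The following Python is an added example, not Portage code and not from anyone in this thread; it sketches Tom's variant with a constructed package.security text and a constructed list of installed packages, and uses a deliberately simplified Gentoo version ordering (dotted numbers, one _alpha/_beta/_pre/_rc/_p suffix, an optional -rN revision) in place of the real Portage comparison.

```python
import re

# Constructed sample of Tom's proposed /usr/portage/profiles/package.security:
# one ">=category/package-version" atom per line, comments allowed.
PACKAGE_SECURITY = """\
# minimum safe versions (constructed sample, not a real advisory list)
>=net-im/gaim-0.59.1
>=net-misc/openssh-3.4_p1
"""
# Constructed sample of installed packages as category/package-version strings.
INSTALLED = ["net-im/gaim-0.59", "net-misc/openssh-3.4_p1-r1", "app-editors/vim-6.1"]
# category/package, then a version starting with a digit, then an optional -rN revision.
_CPV = re.compile(r"^(?P<pkg>[\w+-]+/[\w+-]+?)-(?P<ver>\d[\w.]*(?:-r\d+)?)$")
# Pre-release suffixes sort below the bare version, _p (patch level) above it.
_SUFFIX_RANK = {"alpha": -4, "beta": -3, "pre": -2, "rc": -1, "p": 1}

def version_key(ver):
    """Sort key for a simplified Gentoo version: numbers, one _suffix, -rN revision."""
    base, _, rev = ver.partition("-r")
    main, _, suffix = base.partition("_")
    nums = tuple(int(part) for part in main.split("."))
    suffix_key = (0, 0)
    if suffix:
        name, digits = re.match(r"([a-z]+)(\d*)", suffix).groups()
        suffix_key = (_SUFFIX_RANK[name], int(digits or 0))
    return (nums, suffix_key, int(rev or 0))

def parse_security_file(text):
    """Map category/package -> minimum version from '>=cpv' lines."""
    minimums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        match = _CPV.match(line[2:]) if line.startswith(">=") else None
        if match is None:
            raise ValueError(f"unsupported atom in package.security: {line!r}")
        minimums[match.group("pkg")] = match.group("ver")
    return minimums

def needs_update(installed, minimums):
    """Return installed cpvs whose version is below the security minimum."""
    flagged = []
    for cpv in installed:
        match = _CPV.match(cpv)
        if match is None or match.group("pkg") not in minimums:
            continue
        if version_key(match.group("ver")) < version_key(minimums[match.group("pkg")]):
            flagged.append(cpv)
    return flagged
```

With the constructed data, needs_update flags only net-im/gaim-0.59; the openssh -r1 revision already satisfies its minimum, and vim has no entry, so an "emerge security" built on this would touch nothing else.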
* Re: [gentoo-dev] Server / security thing
From: Evan Read @ 2002-09-09 0:10 UTC
To: Tom Prado; +Cc: gentoo-dev
On Sat, 7 Sep 2002 04:57, Tom Prado wrote:
> On Fri, 6 Sep 2002, Chris Sykes wrote:
> > On Wed, Sep 04, 2002 at 11:05:40PM +0300, Moilanen Mikko Antero wrote:
> > > Hi
> > >
> > > Would it be a good idea to make an additional command "emerge security" to
> > > check and upgrade any security things like now "emerge system" upgrades
> > > some standard system things?
> > >
> > > This would definitely be good for people who maintain servers or for
> > > people who maintain workstations or this would just be *good* for
> > > people.
> >
> > I agree that this would be useful functionality. I think that the best
> > way to implement something like this is _not_ to label security fix
> > ebuilds as such, but to flag the ebuilds that are vulnerable.
> >
> > e.g. (off the top of my head)
> >
> > For each package create a file that lists the ebuild versions that were
> > found to have security issues e.g.
> > /usr/portage/category/package/security
> >
> > Using a method like this an 'emerge security' could check all installed
> > packages against the versions in the security files and update them if
> > needed.
> >
> > All this would mean more work for the poor souls maintaining the portage
> > tree though.
> >
> > --
> > Chris Sykes
>
> Either this or have a /usr/portage/profiles/package.security file that has
> a list of minimum package versions to use. This file can be modified when
> there is a security announcement. I.e. for the latest gaim security
> announcement, a line can be added to it as such:
> >=net-im/gaim-0.59.1
>
> emerge security would check this file against all installed packages to
> see if any need updating. It'd be up to whomever provides to new ebuild
> to update the security file as well.
>
Ok, I finally see where people are going with this. I do not see why a
separate "security" package is necessary. Having a "release + major fixes +
security" set of packages should be built into emerge.
There has been talk about "KEYWORDS". Couldn't packages on the day of the 1.4
release be tagged "release", and updates to the "release" set be tagged
"updates" or "security"? This information could be part of a
/usr/portage/profiles/package.updates1.4 that could be brought down as part
of an emerge update or something.
People that want the latest and greatest could change a configuration line in
rc.conf to allow it to happen (by default, emerge will track
release+security).
Or mention it in the install docs (workstations will want to enable
"latest" packages).
Just for thought.
Evan.