public inbox for gentoo-portage-dev@lists.gentoo.org
* [gentoo-portage-dev] GLEP 14 progress report
@ 2003-10-21 19:02 Marius Mauch
From: Marius Mauch @ 2003-10-21 19:02 UTC
  To: gentoo-dev; +Cc: drobbins, cycloon, gentoo-portage-dev


Hi all,

this is a little update about the current progress of GLEP 14 (the
portage GLSA integration).
A few URLs first (most of the stuff is also somewhere in gentoo cvs):

The GLEP itself:
http://www.gentoo.org/proj/en/glep/glep-0014.html

The proposed new release plan for GLSAs:
http://gentoo.devel-net.org/glsa/release-plan

The DTD for future GLSAs (once the system is in place):
http://gentoo.devel-net.org/glsa/glsa.dtd

The userside code (I'm currently updating it and will commit it to cvs
this week, still have to figure out a few things):
http://gentoo.devel-net.org/glsa/glsa.py and glsa-check.py

Also plasmaroo has written a QT based editor which resides in the
gentoo-projects repository, and I've written the beginning of the GLSA
posting script.


If all goes well I think we can enter a first testing stage in 2 or 3
weeks, depending on how much time I can donate to this project. If anyone has
a problem with the current plans please tell me ASAP so we can try to
fix it before the system is going live (so far the feedback has been
very positive).
Ok, so what still needs to be done before it can go live?

- the code has to be finished: mostly minor things such as proper error
checking, output formatting and stuff like that. I don't expect big
problems here.

- infrastructure setup: as outlined in the release plan there is not
much to do from the infrastructure side, mostly setting up the right
directories and permissions.

- documentation: this is currently lacking, mostly because the code is
still work in progress. While docs are important I think it has to be
postponed until testing stage.

- portage integration: I think people have very different opinions on
this subject, so I'll just present my "vision":
I suggest we do a two-phase rollout. In the first phase the complete
code will be separate from the core portage code, so no direct
integration in emerge. People can use the separate glsa-check script to
use the new system.
In the second phase we will integrate the basic functionalities of
glsa-check into emerge. Once that step is complete we will have a new
"security" package class beside system and world. There are other
features we could add like a security upgrade indicator or a security
update notification on emerge sync.

There were some concerns that the xml base for this project would
introduce xml code in portage. That's true to some degree: glsa.py which
contains all the backend code for handling the new GLSA format uses the
xml.dom.minidom python module for the parsing. So there is an indirect
import once we add GLSA support to emerge, but the portage code itself
doesn't need any xml code.
Also that module is part of the python package, so no additional
dependencies are added. This leads to another point. To make the system
secure we need gpg for the signature checking. So either we have to add
gpg as an (optional) dependency to portage or do some runtime checks, any
opinions on that issue?

If you have further questions/comments not addressed in this mail please
join #gentoo-security on irc.freenode.net and let's discuss it there or
reply to this mail on the gentoo-dev list.

Marius

-- 
Public Key at http://www.genone.de/info/gpg-key.pub

In the beginning, there was nothing. And God said, 'Let there be
Light.' And there was still nothing, but you could see a bit better.
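
The "runtime checks" option for gpg raised in the message above, as an added example (not part of the original mail and not the project's glsa.py). The function names, the sample advisory and its element names are assumptions made for illustration; the sketch fails closed when gpg is missing and hands xml.dom.minidom only bytes whose signature verified.

```python
import shutil
import subprocess
from xml.dom import minidom

# Constructed sample; element names are assumptions, not copied from glsa.dtd.
SAMPLE = b"""<glsa id="EXAMPLE-01">
  <title>Constructed advisory</title>
  <affected><package name="app-misc/example"/></affected>
</glsa>"""


class UnverifiedAdvisory(Exception):
    """The advisory could not be authenticated and must not be used."""


def signature_ok(data, sig_path, gpg, run=subprocess.run):
    # "gpg --verify SIG -" reads the signed data from stdin, so the bytes
    # gpg checks are exactly the bytes parsed afterwards (no re-read of a
    # file that could change in between).
    proc = run([gpg, "--batch", "--verify", sig_path, "-"],
               input=data, capture_output=True)
    return proc.returncode == 0


def load_advisory(path, sig_path, which=shutil.which, run=subprocess.run):
    gpg = which("gpg")              # runtime check, no hard dependency
    if gpg is None:                 # fail closed when gpg is absent
        raise UnverifiedAdvisory("gpg not found, cannot check signature")
    with open(path, "rb") as fh:
        data = fh.read()
    if not signature_ok(data, sig_path, gpg, run):
        raise UnverifiedAdvisory("signature check failed for %s" % path)
    # Parse only authenticated bytes; minidom is not hardened against
    # hostile XML, so it never sees unverified input.
    root = minidom.parseString(data).documentElement
    title = root.getElementsByTagName("title")[0].firstChild.data
    packages = [p.getAttribute("name")
                for p in root.getElementsByTagName("package")]
    return {"id": root.getAttribute("id"), "title": title,
            "packages": packages}
```

The `which` and `run` parameters exist only so the check can be exercised without a real gpg binary or keyring.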
