Genone Retired Dev
Joined: 14 Mar 2003 Posts: 9523 Location: beyond the rim
|
Posted: Sat Mar 13, 2004 11:48 am Post subject: portage GLSA integration (aka `emerge security`) |
|
|
The first public version of the upcoming GLSA integration code has been released in gentoolkit-0.2.0_pre7. Please read http://www.gentoo.org/proj/en/portage/glsa-integration.xml before using it and again before reporting any bugs (especially the section about known bugs).
Please bear in mind that the purpose of this script is to test the GLSA system for general problems, and that it does not have all the features of the final implementation.
pjp Administrator
Joined: 16 Apr 2002 Posts: 20067
|
Posted: Mon Mar 15, 2004 8:24 pm Post subject: |
|
|
This is minor, so not sure if it is worth reporting as a bug...
glsa-check -d doesn't like it if . is used instead of - in the GLSA number (200402.02 vs. 200402-02)
Code:
# glsa-check -d 200402.02
[snip]
Traceback (most recent call last):
  File "/usr/bin/glsa-check", line 152, in ?
    myglsa = Glsa(myid, glsaconfig)
  File "/usr/lib/gentoolkit/pym/glsa.py", line 326, in __init__
    self.read()
  File "/usr/lib/gentoolkit/pym/glsa.py", line 341, in read
    self.parse(urllib.urlopen(myurl))
  File "/usr/lib/python2.3/urllib.py", line 76, in urlopen
    return opener.open(url)
  File "/usr/lib/python2.3/urllib.py", line 181, in open
    return getattr(self, name)(url)
  File "/usr/lib/python2.3/urllib.py", line 410, in open_file
    return self.open_local_file(url)
  File "/usr/lib/python2.3/urllib.py", line 420, in open_local_file
    raise IOError(e.errno, e.strerror, e.filename)
IOError: [Errno 2] No such file or directory: '/data/portage/metadata/glsa/glsa-200402.02.xml'
By the way... under what should bugs for this be filed? _________________ Quis separabit? Quo animo? |
Genone Retired Dev
Joined: 14 Mar 2003 Posts: 9523 Location: beyond the rim
|
Posted: Mon Mar 15, 2004 10:15 pm Post subject: |
|
|
Hmm, guess I'll have to add a few parameter syntax checks. Bugs should go under Portage Development/Tools (and assign them genone@gentoo.org) |
sploo22 n00b
Joined: 21 Aug 2003 Posts: 20 Location: Cayman Brac, Cayman Islands
|
Posted: Mon Mar 22, 2004 11:02 pm Post subject: |
|
|
How about this:
Code:
$ glsa-check -p all
WARNING: This tool is completely new and not very tested, so it should not be
used on production systems. It's mainly a test tool for the new GLSA release
and distribution system, it's functionality will later be merged into emerge
and equery.
Please read http://www.gentoo.org/proj/en/portage/glsa-integration.xml
before using this tool AND before reporting a bug.
Traceback (most recent call last):
  File "/usr/bin/glsa-check", line 152, in ?
    myglsa = Glsa(myid, glsaconfig)
  File "/usr/lib/gentoolkit/pym/glsa.py", line 326, in __init__
    self.read()
  File "/usr/lib/gentoolkit/pym/glsa.py", line 341, in read
    self.parse(urllib.urlopen(myurl))
  File "/usr/lib/gentoolkit/pym/glsa.py", line 359, in parse
    raise GlsaTypeException(self.DOM.doctype.systemId)
glsa.GlsaTypeException: wrong DOCTYPE: http://www.gentoo.org/dtd/glsa-old.dtd
Sorry to add stress to your life... I thought GLSAs with the old DTD were ignored? _________________ This signature will self-destruct in 10 seconds. Close browser window now to avoid permanent monitor damage.
Genone Retired Dev
Joined: 14 Mar 2003 Posts: 9523 Location: beyond the rim
|
Posted: Wed Mar 24, 2004 4:58 am Post subject: |
|
|
They are ... in most cases. I missed one case while adding the exception handler. |
Genone Retired Dev
Joined: 14 Mar 2003 Posts: 9523 Location: beyond the rim
|
Posted: Thu Apr 01, 2004 9:49 am Post subject: |
|
|
Ok, new glsa-check including some bugfixes and enhancements in gentoolkit-0.2.0_pre8 |
pwnell n00b
Joined: 02 Mar 2003 Posts: 29 Location: South Africa
|
Posted: Fri Apr 02, 2004 4:43 pm Post subject: A hint for people when getting DOCTYPE errors |
|
|
I have been troubleshooting this error for quite some time now:
invalid GLSA: 200312-02 (error message was: wrong DOCTYPE: None)
when trying to run glsa-check -l. I have the latest one (gentoolkit-0.2.0_pre8 I think). The reason for that is I used to have python-2.2.3-r1 installed, whereas it works once I upgraded that to the latest python-2.3.3
Genone Retired Dev
Joined: 14 Mar 2003 Posts: 9523 Location: beyond the rim
|
Posted: Sat Apr 03, 2004 1:54 pm Post subject: |
|
|
Only for that GLSA or for others too?
I haven't really tested glsa-check with different python versions but it doesn't use any 2.3 features, so it shouldn't matter. |
dr_strange Guru
Joined: 16 Apr 2002 Posts: 480 Location: Cambridge, UK
|
Posted: Thu Apr 08, 2004 8:03 pm Post subject: |
|
|
Works fine here, as far as I can tell. _________________ shine on,
dr_strange
Set the Controls for the Heart of Gentoo
http://magenta.linuxforum.hu |
Carlo Developer
Joined: 12 Aug 2002 Posts: 3356
|
Posted: Thu Apr 08, 2004 9:09 pm Post subject: |
|
|
O.k., it's a bit destructive, but glsa-check -l * causes a nice traceback. A check for valid params would be fine.
Carlo _________________ Please make sure that you have searched for an answer to a question after reading all the relevant docs. |
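The parameter check requested in this thread (for the `200402.02` report and for `glsa-check -l *`), sketched as an added example; it is not gentoolkit's own code. The YYYYMM-NN pattern, the function names and the keyword set are assumptions made for illustration.

```python
import re
from pathlib import Path

# Assumption: GLSA IDs have the form YYYYMM-NN, as in "200402-02" above.
GLSA_ID = re.compile(r"\d{6}-\d{2,}")
KEYWORDS = {"all", "new"}  # list classes mentioned in the thread


class GlsaArgError(ValueError):
    """A command-line argument that is not a usable GLSA ID or keyword."""


def normalize_glsa_arg(arg):
    """Return the keyword or GLSA ID unchanged, or raise GlsaArgError."""
    if arg in KEYWORDS:
        return arg
    # fullmatch() rejects dots, globs expanded by the shell, path separators
    # and trailing newlines, so nothing unexpected reaches the file path.
    if not GLSA_ID.fullmatch(arg):
        raise GlsaArgError(
            f"invalid GLSA ID {arg!r}: expected YYYYMM-NN, e.g. 200402-02")
    return arg


def glsa_path(glsa_dir, arg):
    """Map a validated single ID to its XML file inside glsa_dir."""
    glsa_id = normalize_glsa_arg(arg)
    if glsa_id in KEYWORDS:
        raise GlsaArgError(f"{arg!r} is a list class, not a single GLSA")
    path = Path(glsa_dir) / f"glsa-{glsa_id}.xml"
    if not path.is_file():
        raise GlsaArgError(f"GLSA {glsa_id} not found in {glsa_dir}")
    return path


def check_args(args):
    """Split arguments into accepted values and (argument, reason) rejects."""
    ok, bad = [], []
    for arg in args:
        try:
            ok.append(normalize_glsa_arg(arg))
        except GlsaArgError as exc:
            bad.append((arg, str(exc)))
    return ok, bad
```

Calling `check_args` before any `Glsa` object is built turns both tracebacks reported above into a one-line error message.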
pwnell n00b
Joined: 02 Mar 2003 Posts: 29 Location: South Africa
|
Posted: Fri Apr 09, 2004 9:19 am Post subject: |
|
|
Genone wrote: | Only for that GLSA or for others too?
I haven't really tested glsa-check with different python versions but it doesn't use any 2.3 features, so it shouldn't matter. |
For all of them.... - both 2003 and 2004 versions |
Cheesefoam Tux's lil' helper
Joined: 02 Jan 2003 Posts: 89
|
Posted: Thu May 06, 2004 6:56 pm Post subject: |
|
|
Is it possible for the future "emerge security" to leave some sort of tag (a special file in a directory, for example), when a run-time service such as Apache is updated?
That way, it would be possible to simply test for the existence of said file with a script in a cron job to see if that package has been updated as a result of a GLSA, and to then restart it automatically. |
jsaints n00b
Joined: 28 Nov 2003 Posts: 46
|
Posted: Wed May 19, 2004 12:21 am Post subject: |
|
|
I have set up a binary host for my internal network.
Are there plans to allow emerge security to use binary packages from package server? |
Kalin Tux's lil' helper
Joined: 22 Dec 2002 Posts: 130 Location: Germany
|
Posted: Wed Jun 16, 2004 5:32 am Post subject: Beautifying output |
|
|
I was trying my first Python script, but...
please see the patch in https://bugs.gentoo.org/show_bug.cgi?id=47953 and test it.
Any comments are welcome (here or in person or in the bug). |
Genone Retired Dev
Joined: 14 Mar 2003 Posts: 9523 Location: beyond the rim
|
Posted: Wed Jun 16, 2004 10:43 pm Post subject: |
|
|
I already have colour support implemented in CVS, just didn't get around to making a new release. For the other part of the patch, it would IMO be better to make a new class "affected" (in addition to "new" and "all") so that it works with all commands.
Btw, I'm sorry that it probably won't be integrated in portage-2.0.51, but I want to use the new API which isn't ready yet as it makes the code much cleaner. If anyone wants to create a patch for the current emerge code I'll be happy to review it, but it won't be in 2.0.51 either as we are close to releasing it and don't want to introduce new major features/bugs (it's already a big change as it is).
Kalin Tux's lil' helper
Joined: 22 Dec 2002 Posts: 130 Location: Germany
|
Posted: Thu Jun 17, 2004 4:33 am Post subject: |
|
|
Ok, didn't look in the CVS :-(
Implementing a new class (Affected) will really be a better solution, take your time.
dmouritsendk Tux's lil' helper
Joined: 22 Jun 2002 Posts: 138 Location: Denmark
|
Posted: Fri Jun 18, 2004 12:29 am Post subject: |
|
|
I've tried testing out gentoolkit-0.2.0_pre8 and I just wanted to say glsa-check has worked great here.
Great work, can't wait for it to get integrated into portage
Lance Tux's lil' helper
Joined: 02 Apr 2004 Posts: 125
|
Posted: Mon Jun 21, 2004 12:04 pm Post subject: |
|
|
I am not sure if it's right for this thread, but when I run
, it emerges kde-base/kdelibs-3.2.2-r1 over and over again. Should I run with some other option, or is it a bug?
Thanks! _________________ choose Gentoo, choose freedom |
ianneub Tux's lil' helper
Joined: 29 May 2003 Posts: 90 Location: HB, CA, USA
|
Posted: Tue Jul 06, 2004 9:07 pm Post subject: |
|
|
I'm running on a somewhat dated Gentoo install (installed in 2004-02) and when I run:
I get no glsa listings. Is there something that must be in my profile or some other Portage file somewhere? All the glsa's exist in /usr/portage/metadata/glsa/
This same command works fine on a machine I made last week.
Thanks! _________________ There's nothing to see here, move along... |
Vulpes_Vulpes Apprentice
Joined: 10 Dec 2003 Posts: 264 Location: Amsterdam
|
Posted: Tue Jul 06, 2004 9:36 pm Post subject: |
|
|
Worked like a charm here. This is a really useful tool! Tnx for all the effort!!!
Genone Retired Dev
Joined: 14 Mar 2003 Posts: 9523 Location: beyond the rim
|
Posted: Thu Jul 08, 2004 12:07 am Post subject: |
|
|
Lance: sorry, no idea what could be wrong there.
ianneub: any chance you're using python-2.2 or pyxml on that box? Both are known to cause problems with glsa.py.
jpc82 Guru
Joined: 09 Mar 2003 Posts: 326
|
Posted: Thu Jul 08, 2004 12:27 pm Post subject: |
|
|
Here is my problem.
I had a server running gentoo-dev-sources-2.6.3 and when I saw the multiple kernel vulnerabilities I decided to upgrade to the latest version. So I merged gentoo-dev-sources-2.6.7-r8, built the kernel, installed and booted to it. However, glsa-check still reports that I am vulnerable. So I do a glsa-check -p, and now it wants to downgrade me to gentoo-dev-sources-2.6.7-r1.
Why is this? As far as I can see from the glsa all >=gentoo-dev-sources-2.6.7 are fine. |
Lance Tux's lil' helper
Joined: 02 Apr 2004 Posts: 125
|
Posted: Thu Jul 08, 2004 1:41 pm Post subject: |
|
|
Genone:
Is there anything I can do to help find a solution? _________________ choose Gentoo, choose freedom |
Genone Retired Dev
Joined: 14 Mar 2003 Posts: 9523 Location: beyond the rim
|
Posted: Thu Jul 08, 2004 2:26 pm Post subject: |
|
|
Lance: first idea would be to send me the output of (in a private message, no need to clutter the thread).
jpc82: I'll look at this when I get home, but I think it's related to SLOTs. Do you have the old version still installed?
jpc82 Guru
Joined: 09 Mar 2003 Posts: 326
|
Posted: Thu Jul 08, 2004 2:39 pm Post subject: |
|
|
The compiled kernel is no longer present, however I have not done an emerge -C OLD_KERNEL, and the kernel source tree is still there.