sawanv Apprentice
Joined: 05 Dec 2002 Posts: 238
|
Posted: Sat Jul 05, 2003 11:49 am Post subject: finding outdated packages with emphasis on security |
|
|
Hello all.
Is there any way of getting portage (or any other tool) to tell me which of the packages installed on my box are out of date security-wise, i.e. that my version has some bug which has been discovered and the advisory/update posted? Or just that it is bad security-wise, and then I can go find an update if it exists?
Thanks
Sawan _________________ Eir kahen "chalo ghar jayen",
Bir kahen "chalo ghar jayen",
Phatte kahen "chalo ghar jayen",
Cartman kahen....."Screw you guys, I am going home !!! " |
|
Deathwing00 Bodhisattva
Joined: 13 Jun 2003 Posts: 4087 Location: Dresden, Germany
|
Posted: Sat Jul 05, 2003 12:15 pm Post subject: |
|
|
First make then and you'll see what packages need updating. To update them, just |
|
slartibartfasz Veteran
Joined: 29 Oct 2002 Posts: 1462 Location: Vienna, Austria
|
Posted: Sat Jul 05, 2003 1:27 pm Post subject: |
|
|
Security updates are handled like normal updates as soon as they become available. To get information about the type of the security flaw, take a look at the News & Announcements section of the forum or subscribe to the Gentoo Weekly Newsletter. _________________ To an engineer the glass is neither half full, nor half empty - it is just twice as big as it needs to be. |
|
sawanv Apprentice
Joined: 05 Dec 2002 Posts: 238
|
Posted: Tue Jul 08, 2003 8:57 am Post subject: |
|
|
Hello All.
Ummm... I was more like looking for something to tell me that some package is out of date security-wise. I don't necessarily want to update world (bandwidth, etc.).
Guess if there is no other way then might as well have to scan the security announcements page and match with my packages.
Thanks.
Sawan _________________ Eir kahen "chalo ghar jayen",
Bir kahen "chalo ghar jayen",
Phatte kahen "chalo ghar jayen",
Cartman kahen....."Screw you guys, I am going home !!! " |
|
quattro Tux's lil' helper
Joined: 22 Jan 2003 Posts: 80 Location: Olathe, Kansas
|
Posted: Fri Jul 18, 2003 7:10 am Post subject: |
|
|
I have to agree with sawanv, when a user types emerge -pu world, there needs to be a way to indicate that a package needs to be updated because of a security fix versus a general update. This could be as simple as adding a red S to the output to indicate a security update, i.e.
Quote: |
[ebuild US] dev-util/intltool-0.26 [0.25]
|
When a user sees a line like that, they would instantly know to take that update seriously.
On one hand, everyone wants their systems to be secure, but all too often security is compromised because people don't have the time or knowledge to search for and apply security updates. The ISS worm had as large an impact as it did because many sysadmins didn't realize there was a security update that fixed that hole.
This feature would only make portage and Gentoo much more secure. |
|
sawanv Apprentice
Joined: 05 Dec 2002 Posts: 238
|
Posted: Sat Jul 19, 2003 6:05 am Post subject: |
|
|
This is what I have been thinking about as a temporary solution for this problem:
Maintain a file of packages which have security advisories issued against them. This file could be updated often (maybe once a week after the GWN).
Write a small script which gets this file and compares the packages listed in it against the ones installed on your system. If it finds something in your system that needs updating, it notifies you. Could also have optional features like auto update, etc.
What I need to know is: do the security-upgraded packages have a different package number than the installed unsecure ones?
Thanks for your thoughts.
Sawan _________________ Eir kahen "chalo ghar jayen",
Bir kahen "chalo ghar jayen",
Phatte kahen "chalo ghar jayen",
Cartman kahen....."Screw you guys, I am going home !!! " |
|
pjp Administrator
Joined: 16 Apr 2002 Posts: 20067
|
Posted: Sat Jul 19, 2003 10:39 pm Post subject: |
|
|
Adding a "security updates" feature to portage has been discussed numerous times. If I'm not mistaken, the developers have it on the list of things to do. I'm not aware of any time frame for implementation.
In the meantime, I highly recommend subscribing to the gentoo-announce mailing list. The list is pretty low volume and includes the GLSA announcements.
While we try to post the announcements to the forum, we aren't always able to do so in a timely manner. I could be mistaken, but there may have even been a couple that weren't posted. |
|
Genone Retired Dev
Joined: 14 Mar 2003 Posts: 9523 Location: beyond the rim
|
Posted: Tue Jul 29, 2003 6:04 pm Post subject: |
|
|
I've written a small prototype for checking GLSA. It is a Python script, not integrated into portage (but it uses portage for checking and fixing). The biggest problem with it at the moment is that it requires an XML form of the GLSA and so far I've only transformed one. If anyone wants to check it out, the code, DTD and sample GLSA are available on http://gentoo.devel-net.org/glsa (*.py are the code files). It lacks some features and is undocumented at the moment, but I'm going to change that in the next few days. But I'd like to get some feedback on the idea. |
|
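The advisory-file comparison sawanv proposes, and the kind of check a GLSA tool has to make, as an added Python example; this is not Genone's script and is not part of the original thread. The one-line-per-advisory file format, the package names and the advisory ids are all constructed, and it assumes a fixed package always carries a higher version or `-rN` revision; on a real system the installed list would come from the directory names under /var/db/pkg.

```python
import re

# "category/name-version[-rN]"; only dotted numeric versions are handled here.
ATOM = re.compile(r"(?P<name>[\w+./-]+?)-(?P<ver>\d+(?:\.\d+)*)(?:-r(?P<rev>\d+))?")

def split_atom(atom):
    """Return (name, key); key compares numerically, so 2.10 sorts after 2.9."""
    m = ATOM.fullmatch(atom)
    if m is None:
        raise ValueError(f"unsupported package string: {atom!r}")
    numbers = tuple(int(part) for part in m["ver"].split("."))
    return m["name"], (numbers, int(m["rev"] or 0))

def parse_advisories(text):
    """Parse lines of '<advisory-id> <category/name-first_fixed_version>'."""
    fixed = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) != 2:
            continue  # blank, comment-only or malformed line
        name, key = split_atom(fields[1])
        fixed.setdefault(name, []).append((key, fields[0], fields[1]))
    return fixed

def find_outdated(installed, advisories):
    """List (installed_atom, advisory_id, fixed_atom) for versions below a fix."""
    hits = []
    for atom in installed:
        name, key = split_atom(atom)
        for fixed_key, advisory_id, fixed_atom in advisories.get(name, []):
            if key < fixed_key:
                hits.append((atom, advisory_id, fixed_atom))
    return hits

# Constructed sample data: package names and advisory ids are placeholders.
ADVISORY_FILE = """\
# advisory-id   first fixed version
EXAMPLE-01      net-misc/exampled-1.4.2-r1
EXAMPLE-02      app-misc/sampletool-0.26
"""
INSTALLED = [
    "net-misc/exampled-1.4.2",    # same version, older revision: flagged
    "app-misc/sampletool-0.26",   # already at the fixed version
    "x11-libs/demo+-2.10.1",      # no advisory on file
]

if __name__ == "__main__":
    for hit in find_outdated(INSTALLED, parse_advisories(ADVISORY_FILE)):
        print("{}: {} (fixed in {})".format(*hit))
```

Version suffixes such as `_rc1` or a trailing letter are rejected by `split_atom` rather than guessed at, so an unsupported string raises an error instead of being silently skipped.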