Gentoo Forums
finding outdated packages with emphasis on security
sawanv
Apprentice
Joined: 05 Dec 2002
Posts: 238

Posted: Sat Jul 05, 2003 11:49 am    Post subject: finding outdated packages with emphasis on security

Hello all.

Is there any way of getting portage (or any other tool) to tell me which of the packages installed on my box are out of date security-wise, i.e. that my version has some bug which has been discovered and the advisory/update posted? Or just that it is bad security-wise and then I can go find an update if it exists?

Thanks

Sawan
_________________
Eir says "come on, let's go home",
Bir says "come on, let's go home",
Phatte says "come on, let's go home",
Cartman says....."Screw you guys, I am going home !!! "
Deathwing00
Bodhisattva
Joined: 13 Jun 2003
Posts: 4087
Location: Dresden, Germany

Posted: Sat Jul 05, 2003 12:15 pm

First make
Code:
# emerge rsync
then
Code:
# emerge -p world
and you'll see what packages need updating. To update them, just
Code:
# emerge -u world
slartibartfasz
Veteran
Joined: 29 Oct 2002
Posts: 1462
Location: Vienna, Austria

Posted: Sat Jul 05, 2003 1:27 pm

Security updates are handled like normal updates as soon as they become available. To get information about the type of the security flaw, take a look at the News & Announcements section of the forum or subscribe to the Gentoo Weekly Newsletter.
_________________
To an engineer the glass is neither half full, nor half empty - it is just twice as big as it needs to be.
sawanv
Apprentice
Joined: 05 Dec 2002
Posts: 238

Posted: Tue Jul 08, 2003 8:57 am

Hello All.

Ummm... I was more like looking for something to tell me that some package is out of date security-wise. I don't necessarily want to update world (bandwidth, etc).

Guess if there is no other way then might as well have to scan the security announcements page and match with my packages.

Thanks.
Sawan
quattro
Tux's lil' helper
Joined: 22 Jan 2003
Posts: 80
Location: Olathe, Kansas

Posted: Fri Jul 18, 2003 7:10 am

I have to agree with sawanv, when a user types emerge -pu world, there needs to be a way to indicate that a package needs to be updated because of a security fix versus a general update. This could be as simple as adding a red S to the output to indicate a security update, i.e.
Quote:

[ebuild US] dev-util/intltool-0.26 [0.25]

When a user sees a line like that, they would instantly know to take that update seriously.

On one hand, everyone wants their systems to be secure, but all too often security is compromised because people don't have the time or knowledge to search for and apply security updates. The ISS worm had as large an impact as it did because many sysadmins didn't realize there was a security update that fixed that hole.

This feature would only make portage and Gentoo much more secure.
sawanv
Apprentice
Joined: 05 Dec 2002
Posts: 238

Posted: Sat Jul 19, 2003 6:05 am

This is what I have been thinking about as a temporary solution for this problem:

Maintain a file of packages which have security advisories issued against them. This file could be updated often (maybe once a week after the GWN).

Write a small script which gets this file and compares the packages listed in it against the ones installed on your system. If it finds something in your system that needs updating, it notifies you. Could also have optional features like auto update, etc.

What I need to know is: do the security-upgraded packages have a different package number than the installed insecure ones?

Thanks for your thoughts.

Sawan
pjp
Administrator
Joined: 16 Apr 2002
Posts: 20067

Posted: Sat Jul 19, 2003 10:39 pm

Adding a "security updates" feature to portage has been discussed numerous times. If I'm not mistaken, the developers have it on the list of things to do. I'm not aware of any time frame for implementation.

In the meantime, I highly recommend subscribing to the gentoo-announce mailing list. The list is pretty low volume and includes the GLSA announcements.

While we try to post the announcements to the forum, we aren't always able to do so in a timely manner. I could be mistaken, but there may have even been a couple that weren't posted.
Genone
Retired Dev
Joined: 14 Mar 2003
Posts: 9523
Location: beyond the rim

Posted: Tue Jul 29, 2003 6:04 pm

I've written a small prototype for checking GLSA. It is a Python script, not integrated into portage (but it uses portage for checking and fixing). The biggest problem with it at the moment is that it requires an XML form of the GLSA and so far I've only transformed one. If anyone wants to check it out, the code, DTD and sample GLSA are available on http://gentoo.devel-net.org/glsa (*.py are the code files). It lacks some features and is undocumented at the moment, but I'm going to change that in the next few days. But I'd like to get some feedback on the idea.
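
The file-and-compare check sawanv proposes and the XML advisory check Genone describes can be sketched as follows. This is an added example, not part of the thread and not Genone's script: the XML layout, advisory ids, package names and the `find_vulnerable` helper are constructed for illustration, and only plain `N.N.N[-rN]` versions are compared.

```python
import re
import xml.etree.ElementTree as ET

# Constructed advisory file: layout, ids and package names are invented for
# this example; this is not the DTD from the prototype mentioned in the thread.
ADVISORIES_XML = """
<advisories>
  <advisory id="EXAMPLE-0001">
    <package name="net-misc/exampled" fixed="1.4.2-r1"/>
  </advisory>
  <advisory id="EXAMPLE-0002">
    <package name="dev-util/sampletool" fixed="0.26"/>
    <package name="app-misc/notinstalled" fixed="2.0"/>
  </advisory>
</advisories>
"""

# Constructed installed list, in the category/name-version form portage uses.
INSTALLED = ["net-misc/exampled-1.4.2", "dev-util/sampletool-0.26",
             "sys-apps/sample-tool-3.10.1-r2"]

_ATOM = re.compile(r"^(?P<name>.+?)-(?P<ver>\d+(?:\.\d+)*(?:-r\d+)?)$")

def version_key(ver):
    """Sortable key for 'N.N.N[-rN]'; suffixes like _p or _rc raise ValueError."""
    base, _, rev = ver.partition("-r")
    return tuple(int(p) for p in base.split(".")), int(rev or 0)

def split_atom(atom):
    """Split 'category/name-version' into (name, version), failing loudly."""
    m = _ATOM.match(atom)
    if not m:
        raise ValueError(f"unparsable package string: {atom!r}")
    return m.group("name"), m.group("ver")

def find_vulnerable(advisories_xml, installed):
    """Return (advisory id, package, installed version, fixed version) tuples."""
    have = dict(split_atom(a) for a in installed)
    hits = []
    for adv in ET.fromstring(advisories_xml).iter("advisory"):
        for pkg in adv.iter("package"):
            name, fixed = pkg.get("name"), pkg.get("fixed")
            cur = have.get(name)
            if cur is not None and version_key(cur) < version_key(fixed):
                hits.append((adv.get("id"), name, cur, fixed))
    return hits

if __name__ == "__main__":
    for adv_id, name, cur, fixed in find_vulnerable(ADVISORIES_XML, INSTALLED):
        print(f"{adv_id}: {name}-{cur} is affected, fixed in {fixed}")
```

The check only reports; it never upgrades anything, and an advisory file fetched from a remote source should be authenticated before its contents are trusted.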