Gentoo Forums
glsa-check
freke
Guru


Joined: 23 Jan 2003
Posts: 478
Location: Somewhere in Denmark

Posted: Thu Jun 15, 2017 1:50 pm    Post subject: glsa-check

Is running glsa-check 'worth it' on an updated system?

I can't recall seeing glsa-check ever wanting to update any packages on my system.

I.e. my normal update procedure is:
Code:
emerge -uvaDUt --with-bdeps=y @world
emerge -vac
revdep-rebuild
glsa-check -f $(glsa-check -t all)
revdep-rebuild
eclean -d distfiles
cfg-update -vu


The 2nd revdep-rebuild is there if glsa-check actually does anything - but as said, never seen it report any GLSAs for me.
Telemin
l33t


Joined: 25 Aug 2005
Posts: 734
Location: Glasgow, UK

Posted: Thu Jun 15, 2017 4:28 pm

How long is a piece of string? It all depends on your needs. I have servers that I look after. They all email me a daily "health report" which includes the usual load stats, fail2ban stats, and any warning output from glsa-check, smartd, my log checker, backup scripts etc. I do from time to time get glsa notifications, so for me it is worth it.

Do I ever run it on my desktop or laptop? No, there it isn't worth it.

I'm afraid you have to decide for yourself what your level of risk is and the appropriate level of action to take against it.

-Telemin-
_________________
The Geek formerly known as -Freestyling-
When you feel your problem has been solved please add [Solved] to the topic title.
Please adopt an unanswered post
mvaterlaus
Apprentice


Joined: 01 Oct 2010
Posts: 204
Location: Switzerland

Posted: Thu Jun 15, 2017 8:30 pm

I agree with Telemin.

I also do run it on all my servers, since I don't want to update the whole servers every week. I do a full update every 3-6 months, except for security updates. If you only want to do security updates, run
Code:
 emerge -av @security


Of course, you have to update your portage tree first to get new GLSAs. I don't know any other way to receive them.

Also, there is a check for Nagios / Icinga, so you can monitor your servers or VMs.

Code:
net-analyzer/nagios-check_glsa2


I do not run it on my desktops.

Cheers

madmat
_________________
For calming down your eyes or clearing your mind: www.patrickwehli.ch
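
The daily health report and the Nagios / Icinga check described in the two posts above both come down to running glsa-check -t all and alerting on any GLSA IDs it prints. One way to write that check, as an added example that is not part of the original posts and not the code of nagios-check_glsa2; GLSA_CHECK, glsa_ids and glsa_report are hypothetical names, and it assumes glsa-check prints affected GLSA IDs one per line on stdout:

```shell
#!/bin/sh
# Added example: report unpatched GLSAs with Nagios-style exit codes.
# GLSA_CHECK is a hypothetical override so the logic can be tried with a stub.
GLSA_CHECK="${GLSA_CHECK:-glsa-check}"

# Keep only lines that look like GLSA IDs (YYYYMM-NN); drop banners and blanks.
glsa_ids() {
    grep -E '^[0-9]{6}-[0-9]{2,}$' | sort -u
}

# Print one status line; return 0 (OK), 2 (CRITICAL) or 3 (UNKNOWN).
glsa_report() {
    _rc=0
    # -n disables colour, -t all tests every GLSA against installed packages.
    # Assumption: affected IDs arrive one per line on stdout. The exit status
    # is only used to tell "nothing found" apart from "the tool did not run".
    _out=$("$GLSA_CHECK" -n -t all 2>/dev/null) || _rc=$?
    _ids=$(printf '%s\n' "$_out" | glsa_ids | tr '\n' ' ')
    _ids=${_ids% }
    if [ -n "$_ids" ]; then
        echo "CRITICAL: unpatched GLSAs: $_ids"
        return 2
    elif [ "$_rc" -ne 0 ]; then
        echo "UNKNOWN: $GLSA_CHECK exited with status $_rc and listed no GLSA IDs"
        return 3
    fi
    echo "OK: no GLSA affects the installed packages"
    return 0
}

# Run the check only when asked to, e.g. from cron: sh glsa-report.sh --run
if [ "${1:-}" = "--run" ]; then
    glsa_report
    exit $?
fi
```

Run it after syncing the portage tree, since new GLSAs only arrive with the tree. The UNKNOWN branch keeps a missing or failing glsa-check from being reported as a clean system.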
charles17
Advocate


Joined: 02 Mar 2008
Posts: 2659

Posted: Fri Jun 16, 2017 6:43 am

mvaterlaus wrote:
If you only want to do security updates, run
Code:
 emerge -av @security

What is @security? I've never seen it before. Which package provides it?
Syl20
Guru


Joined: 04 Aug 2005
Posts: 564
Location: France

Posted: Fri Jun 16, 2017 7:41 am

AFAIK glsa-check alerts on packages that have security holes and aren't updated. If you did update your whole system before running it, it should never say anything. So I think you could remove this check in your procedure.

You could also replace revdep-rebuild by emerge @preserved-rebuild.
mvaterlaus
Apprentice


Joined: 01 Oct 2010
Posts: 204
Location: Switzerland

Posted: Fri Jun 16, 2017 7:48 am

@security is a set of packages, like @world, which contains all packages with security fixes. I've read about it in the forums some time ago, but can't find it in any man page.
_________________
For calming down your eyes or clearing your mind: www.patrickwehli.ch
charles17
Advocate


Joined: 02 Mar 2008
Posts: 2659

Posted: Sat Jun 17, 2017 1:31 pm

Syl20 wrote:
AFAIK glsa-check alerts on packages that have security holes and aren't updated.

One example:
There are two months between package availability and glsa.
Isn't there a tool evaluating these bugs for affected package versions and comparing them with entries in /var/db/pkg/?