portage GLSA integration (aka `emerge security`)

[quat]

same here. a2ps and violation.

did you manage to solve it gentree?
_________________
a mind is like a parachute, it's better when it's open

[Gentree]

[Gentree]

xfce4 depands xfprint depends a2ps : all versions broken

anyone with xfce4 will not be able to rebuild world.

Bug posted.

all -4.13c* version sandbox all -4.13b fail with malloc error. Borked.
_________________
Linux, because I'd rather own a free OS than steal one that's not worth paying for.
Gentoo because I'm a masochist
AthlonXP-M on A7N8X. Portage ~x86

[Gentree]

[Gentree]

Solved it : https://bugs.gentoo.org/show_bug.cgi?id=79012

Basically a bad ebuild that gets messed up if root locale is set.

HTH
_________________
Linux, because I'd rather own a free OS than steal one that's not worth paying for.
Gentoo because I'm a masochist
AthlonXP-M on A7N8X. Portage ~x86

[Matteo Azzali]

tested now, it report only one vulnerability, and really strange:
200404-08 ask to update my automake..... to the 1.8.5-r1
(I'm using 1.9.x ...... )
I think is some sort of bug, but I can't be sure.
_________________
Every day a new distro comes to birth. Every day a distro "eats" another.
If you're born distro, no matter what, start to run.
---- http://www.linuxprinting.org/ ---- http://tuxmobil.org/

[kallamej]

[Matteo Azzali]

I don't think so. (IMHO) cause
1)emerge -puDt world shows:
none to upgrade.

2) I sync about 1 time every 2-3 days.

3) porthole report of automake:

Installed versions:
Slot 1.8: 1.8.5-r2
Slot 1.5: 1.5
Slot 1.4: 1.4_p6
Slot 1.6: 1.6.3
Slot 1.7: 1.7.9
Slot 1.9: 1.9.4

it lacks 1.8.5-r1 cause there is 1.8.5-r2 that should be compatible and
more updated (but I may be wrong)

EDIT: Thinking on that... couldn't be that the glsa check only for 1.8.5-r1
(precise) and not for 1.8.5* ? And if that, is a wrong "definition" or is
wanted?
_________________
Every day a new distro comes to birth. Every day a distro "eats" another.
If you're born distro, no matter what, start to run.
---- http://www.linuxprinting.org/ ---- http://tuxmobil.org/

[kallamej]

Well, it is a very old one, from before the slotting of automake, and for some reason, 1.8.5-r1 is slotted 1.5. It's probably trying to pull in that one instead of 1.5.
_________________
Please read our FAQ Forum, it answers many of your questions.
irc: #gentoo-forums on irc.libera.chat

[Matteo Azzali]

Thanks, it did. (1.5 -> 1.8.5-r1).
The only problem is now

[kallamej]

Yes, because the automake-wrapper depends on 1.5. The glsa was written for a portage tree that was fundamentally different regarding automake.
_________________
Please read our FAQ Forum, it answers many of your questions.
irc: #gentoo-forums on irc.libera.chat

[acasto]

How does glsa-check handle dependencies different from portage? If I run a glsa-check -p new is will show a couple packages that needs to be updated. However if I then go and plug the affected package into emerge -up it give a different list. Is it better to use glsa-check to gather the list, then use emerge to do the work? or once it's in portage will they work semlessly?

Right now I'm just using:

[jpc82]

I'm confused about what to do to stop glsa-check from reporting automake.

I'm having the same problem as the user above, but I don't understand what he did to solve it, could some one explain it better to me?

[anz]

Dear jpc82

[anz]

[iKiddo]

I'm getting an error when using glsa-check. It works for a while, but then fails:

[iKiddo]

I think I found the problem in /usr/portage/metadata/glsa/glsa-200403-02.xml:

[chashab]

that's a lot of syntax errors. i commend you, i don't have the patience to wade through xml files. however it is slightly alarming that such errors would exist in such abundance. my understanding of glsa is not complete; when such errors are fixed by someone, will my glsa*xml be updated by an emerge --sync or similar?

i'm dropping in my 3rd production server soon and would love for glsa emerge integration to be mature and stable. what's the danger in running glsacheck -f? i haven't been using it on either desktops or servers because of the rather scary warning it emits.

[Genone]

[jpc82]

I noticed that glsa-check does not follow the ARCH that is set.

My system is set to x86, however perl which has a glsa wants to merge a version which is still in ~x86. Is this expected?

[zeveck]

I love glsa-check. Whenever I run emerge -upDv world and I see a list of things to update I really want to find out what the changes are so that I can evaluate whether it is worth updating...but this can take awhile to do and it would be nice to have SECURITY updates flagged in some way.

I take it that eventually glsa will do things like this once it is integrated into portage?

How can I help?

Is there any way to get glsa-check to do something spiffy like e-mail me whenever it detects a new vulnerability for my system?

[Genone]

[zeveck]

My impression is that cron will just e-mail me the output of the cron jobs??

So, for instance, if I put glsa-check -l in cron I'd receive an e-mail every day listing the entire output and have to scour that to see if there was anything new.

What I'd like to do is make it so that I only receive e-mails WHEN there is something new.

[Genone]

Well, you can just make a small wrapper script and use that in cron, something like

[zeveck]

Hmmm....so I wrote this: