
Diff of /xml/htdocs/proj/en/glep/glep-0014.html


Revision 1.1 Revision 1.2
31<tbody valign="top"> 31<tbody valign="top">
32<tr class="field"><th class="field-name">GLEP:</th><td class="field-body">14</td> 32<tr class="field"><th class="field-name">GLEP:</th><td class="field-body">14</td>
33</tr> 33</tr>
34<tr class="field"><th class="field-name">Title:</th><td class="field-body">security updates based on GLSA</td> 34<tr class="field"><th class="field-name">Title:</th><td class="field-body">security updates based on GLSA</td>
35</tr> 35</tr>
36<tr class="field"><th class="field-name">Version:</th><td class="field-body">1.1</td> 36<tr class="field"><th class="field-name">Version:</th><td class="field-body">$Revision: 1.2 $</td>
37</tr> 37</tr>
38<tr class="field"><th class="field-name">Last-Modified:</th><td class="field-body"><a class="reference" href="http://www.gentoo.org/cgi-bin/viewcvs.cgi/xml/htdocs/proj/en/glep/glep-0014.txt?cvsroot=gentoo">2003/08/22 15:00:55</a></td> 38<tr class="field"><th class="field-name">Last-Modified:</th><td class="field-body"><a class="reference" href="http://www.gentoo.org/cgi-bin/viewcvs.cgi/xml/htdocs/proj/en/glep/glep-0014.txt?cvsroot=gentoo">$Date: 2003/08/24 22:11:46 $</a></td>
39</tr> 39</tr>
40<tr class="field"><th class="field-name">Author:</th><td class="field-body">Marius Mauch &lt;genone&#32;&#97;t&#32;genone.de&gt;,</td> 40<tr class="field"><th class="field-name">Author:</th><td class="field-body">Marius Mauch &lt;genone&#32;&#97;t&#32;genone.de&gt;,</td>
41</tr> 41</tr>
42<tr class="field"><th class="field-name">Status:</th><td class="field-body">Draft</td> 42<tr class="field"><th class="field-name">Status:</th><td class="field-body">Draft</td>
43</tr> 43</tr>
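Review bot: the Version and Last-Modified cells now render the raw CVS keyword strings ($Revision: 1.2 $ and $Date: 2003/08/24 22:11:46 $) with their dollar-sign delimiters, so the published header shows `$...$` around the values instead of the plain "1.1" style used before. If keyword expansion is the intended source for these fields, strip the delimiters in the GLEP source or the docutils template so the rendered table reads as a plain version number and date.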
45</tr> 45</tr>
46<tr class="field"><th class="field-name">Content-Type:</th><td class="field-body"><a class="reference" href="glep-0002.html">text/x-rst</a></td> 46<tr class="field"><th class="field-name">Content-Type:</th><td class="field-body"><a class="reference" href="glep-0002.html">text/x-rst</a></td>
47</tr> 47</tr>
48<tr class="field"><th class="field-name">Created:</th><td class="field-body">18 Aug 2003</td> 48<tr class="field"><th class="field-name">Created:</th><td class="field-body">18 Aug 2003</td>
49</tr> 49</tr>
50<tr class="field"><th class="field-name">Post-History:</th><td class="field-body">22-Aug-2003</td> 50<tr class="field"><th class="field-name">Post-History:</th><td class="field-body">22-Aug-2003, 24-Aug-2003</td>
51</tr> 51</tr>
52</tbody> 52</tbody>
53</table> 53</table>
54<hr /> 54<hr />
55<div class="contents topic" id="contents"> 55<div class="contents topic" id="contents">
85</div> 85</div>
86<div class="section" id="proposed-change"> 86<div class="section" id="proposed-change">
87<h1><a class="toc-backref" href="#id4" name="proposed-change">Proposed change</a></h1> 87<h1><a class="toc-backref" href="#id4" name="proposed-change">Proposed change</a></h1>
88<div class="section" id="update-tool"> 88<div class="section" id="update-tool">
89<h2><a class="toc-backref" href="#id5" name="update-tool">Update tool</a></h2> 89<h2><a class="toc-backref" href="#id5" name="update-tool">Update tool</a></h2>
90<p>The coding part of this GLEP is a update tool that reads a GLSA, checks if 90<p>The coding part of this GLEP is a update tool that reads a GLSA, verifies its
91the system is affected by it and executes one of the following actions, depending 91GPG signature, checks if the system is affected by it and executes one of the
92on user preferences:</p> 92following actions, depending on user preferences:</p>
93<ul class="simple"> 93<ul class="simple">
94<li>run all steps necessary to fix the security hole, including package updates and 94<li>run all steps necessary to fix the security hole, including package updates and
95daemon restarts.</li> 95daemon restarts.</li>
96<li>instruct the user how to fix the security hole.</li> 96<li>instruct the user how to fix the security hole.</li>
97<li>print the GLSA so the user can get more information if desired.</li> 97<li>print the GLSA so the user can get more information if desired.</li>
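Review bot: the failure path for the newly added GPG signature verification is unspecified: the paragraph says the tool "verifies its GPG signature" and then lists three actions taken "depending on user preferences", but nothing says what happens when the signature does not verify. State explicitly that a GLSA whose signature fails against a trusted key is rejected before any of the three actions is offered, since "run all steps necessary to fix the security hole, including package updates" would otherwise perform package operations on the strength of an unverified file.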
102<div class="section" id="glsa-format"> 102<div class="section" id="glsa-format">
103<h2><a class="toc-backref" href="#id6" name="glsa-format">GLSA format</a></h2> 103<h2><a class="toc-backref" href="#id6" name="glsa-format">GLSA format</a></h2>
104<p>The GLSA format needs to be specified, I suggest using XML for that to simplify 104<p>The GLSA format needs to be specified, I suggest using XML for that to simplify
105parsing and later extensions. See <a class="reference" href="#implementation">implementation</a> for a sample DTD. The format 105parsing and later extensions. See <a class="reference" href="#implementation">implementation</a> for a sample DTD. The format
106has to be compatible with the update tool of course. If necessary a converter 106has to be compatible with the update tool of course. If necessary a converter
107tool or an editor could be written for people not comfortable with XML.</p> 107tool or an editor could be written for people not comfortable with XML.
108Every GLSA has to be GPG signed by the responsible developer, who has to be
109a member of the security herd.</p>
108</div> 110</div>
109<div class="section" id="glsa-release-process"> 111<div class="section" id="glsa-release-process">
110<h2><a class="toc-backref" href="#id7" name="glsa-release-process">GLSA release process</a></h2> 112<h2><a class="toc-backref" href="#id7" name="glsa-release-process">GLSA release process</a></h2>
111<p>Additional to sending the GLSA to the gentoo-announce mailing list it has to be 113<p>Additional to sending the GLSA to the gentoo-announce mailing list it has to be
112stored on a HTTP/FTP server and in the portage tree. I'd suggest a script should 114stored on a HTTP/FTP server and in the portage tree. I'd suggest a script should
113be used to release a GLSA that will:</p> 115be used to release a GLSA that will:</p>
114<ul class="simple"> 116<ul class="simple">
115<li>check the GLSA for correctness</li> 117<li>check the GLSA for correctness</li>
118<li>sign the GLSA with the developers GPG key</li>
116<li>send a mail to gentoo-announce with the XML GLSA and a plaintext version attached</li> 119<li>send a mail to gentoo-announce with the XML GLSA and a plaintext version attached</li>
117<li>upload it to www.gentoo.org/glsa (or wherever they should be uploaded)</li> 120<li>upload it to www.gentoo.org/glsa (or wherever they should be uploaded)</li>
118<li>put it on the rsync server</li> 121<li>put it on the rsync server</li>
119<li>notify the moderators on the forums to make an announcement</li> 122<li>notify the moderators on the forums to make an announcement</li>
120</ul> 123</ul>
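Review bot: the plaintext version mailed to gentoo-announce is not covered by the new signing step: "sign the GLSA with the developers GPG key" signs the XML document, but the next step sends "the XML GLSA and a plaintext version attached", so list readers who act on the plaintext copy have nothing to verify. Either sign the plaintext version too or state that only the XML document is authoritative. Two smaller points: "developers GPG key" should read "developer's GPG key", and the GLSA format paragraph ("Every GLSA has to be GPG signed ...") should say whether the signature is detached or inline, since that decides how the update tool must read the file before parsing the XML.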
142</ul> 145</ul>
143<p>Putting the GLSAs in the portage tree allows all users to check their systems 146<p>Putting the GLSAs in the portage tree allows all users to check their systems
144for security updates without taking more actions and simplifies later integration 147for security updates without taking more actions and simplifies later integration
145of the update tool into portage. For security minded persons the GLSAs are 148of the update tool into portage. For security minded persons the GLSAs are
146available on a HTTP server to ease the load of the rsync servers.</p> 149available on a HTTP server to ease the load of the rsync servers.</p>
150<p>To verify the signatures of the GLSAs the public keys of the developers should be
151available in the portage tree and on the HTTP server. The verification is necessary
152to prevent exploits by fake GLSAs.</p>
147</div> 153</div>
148<div class="section" id="implementation"> 154<div class="section" id="implementation">
149<h1><a class="toc-backref" href="#id10" name="implementation">Implementation</a></h1> 155<h1><a class="toc-backref" href="#id10" name="implementation">Implementation</a></h1>
150<p>A prototype implementation (including the update tool, a DTD and a sample 156<p>A prototype implementation (including the update tool, a DTD and a sample
151XMLified GLSA) exists at <a class="reference" href="http://gentoo.devel-net.org/glsa/">http://gentoo.devel-net.org/glsa/</a> . This GLEP is based 157XMLified GLSA) exists at <a class="reference" href="http://gentoo.devel-net.org/glsa/">http://gentoo.devel-net.org/glsa/</a> . This GLEP is based
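Review bot: distributing the verification keys through the same portage tree and HTTP server as the GLSAs does not by itself prevent the "fake GLSAs" this paragraph wants to rule out: whoever can alter what the rsync mirror or HTTP server serves can replace a GLSA and the key that verifies it together. The keys, or at least their fingerprints, need a trust anchor outside that channel (shipped with the update tool or published separately), and the tool needs a list of which keys are authorized to sign GLSAs rather than accepting any developer key, because the GLSA format section restricts signing to members of the security herd.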
166</div> 172</div>
167 173
168<hr class="footer"/> 174<hr class="footer"/>
169<div class="footer"> 175<div class="footer">
170<a class="reference" href="glep-0014.txt">View document source</a>. 176<a class="reference" href="glep-0014.txt">View document source</a>.
171Generated on: 2003-08-22 15:08 UTC. 177Generated on: 2003-08-24 22:06 UTC.
172Generated by <a class="reference" href="http://docutils.sourceforge.net/">Docutils</a> from <a class="reference" href="http://docutils.sourceforge.net/rst.html">reStructuredText</a> source. 178Generated by <a class="reference" href="http://docutils.sourceforge.net/">Docutils</a> from <a class="reference" href="http://docutils.sourceforge.net/rst.html">reStructuredText</a> source.
173</div> 179</div>
174</body> 180</body>
175</html> 181</html>
176 182
