
Diff of /xml/htdocs/proj/en/glep/glep-0014.html


Revision 1.1 Revision 1.3
31<tbody valign="top"> 31<tbody valign="top">
32<tr class="field"><th class="field-name">GLEP:</th><td class="field-body">14</td> 32<tr class="field"><th class="field-name">GLEP:</th><td class="field-body">14</td>
33</tr> 33</tr>
34<tr class="field"><th class="field-name">Title:</th><td class="field-body">security updates based on GLSA</td> 34<tr class="field"><th class="field-name">Title:</th><td class="field-body">security updates based on GLSA</td>
35</tr> 35</tr>
36<tr class="field"><th class="field-name">Version:</th><td class="field-body">1.1</td> 36<tr class="field"><th class="field-name">Version:</th><td class="field-body">1.4</td>
37</tr> 37</tr>
38<tr class="field"><th class="field-name">Last-Modified:</th><td class="field-body"><a class="reference" href="http://www.gentoo.org/cgi-bin/viewcvs.cgi/xml/htdocs/proj/en/glep/glep-0014.txt?cvsroot=gentoo">2003/08/22 15:00:55</a></td> 38<tr class="field"><th class="field-name">Last-Modified:</th><td class="field-body"><a class="reference" href="http://www.gentoo.org/cgi-bin/viewcvs.cgi/xml/htdocs/proj/en/glep/glep-0014.txt?cvsroot=gentoo">2003/11/10 19:21:57</a></td>
39</tr> 39</tr>
40<tr class="field"><th class="field-name">Author:</th><td class="field-body">Marius Mauch &lt;genone&#32;&#97;t&#32;genone.de&gt;,</td> 40<tr class="field"><th class="field-name">Author:</th><td class="field-body">Marius Mauch &lt;genone&#32;&#97;t&#32;genone.de&gt;,</td>
41</tr> 41</tr>
42<tr class="field"><th class="field-name">Status:</th><td class="field-body">Draft</td> 42<tr class="field"><th class="field-name">Status:</th><td class="field-body">Accepted</td>
43</tr> 43</tr>
44<tr class="field"><th class="field-name">Type:</th><td class="field-body">Standards Track</td> 44<tr class="field"><th class="field-name">Type:</th><td class="field-body">Standards Track</td>
45</tr> 45</tr>
46<tr class="field"><th class="field-name">Content-Type:</th><td class="field-body"><a class="reference" href="glep-0002.html">text/x-rst</a></td> 46<tr class="field"><th class="field-name">Content-Type:</th><td class="field-body"><a class="reference" href="glep-0002.html">text/x-rst</a></td>
47</tr> 47</tr>
48<tr class="field"><th class="field-name">Created:</th><td class="field-body">18 Aug 2003</td> 48<tr class="field"><th class="field-name">Created:</th><td class="field-body">18 Aug 2003</td>
49</tr> 49</tr>
50<tr class="field"><th class="field-name">Post-History:</th><td class="field-body">22-Aug-2003</td> 50<tr class="field"><th class="field-name">Post-History:</th><td class="field-body">22-Aug-2003, 24-Aug-2003, 10-Nov-2003</td>
51</tr> 51</tr>
52</tbody> 52</tbody>
53</table> 53</table>
54<hr /> 54<hr />
55<div class="contents topic" id="contents"> 55<div class="contents topic" id="contents">
85</div> 85</div>
86<div class="section" id="proposed-change"> 86<div class="section" id="proposed-change">
87<h1><a class="toc-backref" href="#id4" name="proposed-change">Proposed change</a></h1> 87<h1><a class="toc-backref" href="#id4" name="proposed-change">Proposed change</a></h1>
88<div class="section" id="update-tool"> 88<div class="section" id="update-tool">
89<h2><a class="toc-backref" href="#id5" name="update-tool">Update tool</a></h2> 89<h2><a class="toc-backref" href="#id5" name="update-tool">Update tool</a></h2>
90<p>The coding part of this GLEP is a update tool that reads a GLSA, checks if 90<p>The coding part of this GLEP is a update tool that reads a GLSA, verifies its
91the system is affected by it and executes one of the following actions, depending 91GPG signature, checks if the system is affected by it and executes one of the
92on user preferences:</p> 92following actions, depending on user preferences:</p>
93<ul class="simple"> 93<ul class="simple">
94<li>run all steps necessary to fix the security hole, including package updates and 94<li>run all steps necessary to fix the security hole, including package updates and
95daemon restarts.</li> 95daemon restarts.</li>
96<li>instruct the user how to fix the security hole.</li> 96<li>instruct the user how to fix the security hole.</li>
97<li>print the GLSA so the user can get more information if desired.</li> 97<li>print the GLSA so the user can get more information if desired.</li>
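Review bot: the newly added "verifies its GPG signature" step in the Update tool paragraph does not say what happens when verification fails, and the three actions listed below it (fix automatically, instruct the user, print the GLSA) all presuppose a valid advisory. State explicitly that a GLSA whose signature is missing or does not verify is rejected before the affectedness check and before any package update or daemon restart is attempted, so the automatic-fix mode can never be driven by an unverified file.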
102<div class="section" id="glsa-format"> 102<div class="section" id="glsa-format">
103<h2><a class="toc-backref" href="#id6" name="glsa-format">GLSA format</a></h2> 103<h2><a class="toc-backref" href="#id6" name="glsa-format">GLSA format</a></h2>
104<p>The GLSA format needs to be specified, I suggest using XML for that to simplify 104<p>The GLSA format needs to be specified, I suggest using XML for that to simplify
105parsing and later extensions. See <a class="reference" href="#implementation">implementation</a> for a sample DTD. The format 105parsing and later extensions. See <a class="reference" href="#implementation">implementation</a> for a sample DTD. The format
106has to be compatible with the update tool of course. If necessary a converter 106has to be compatible with the update tool of course. If necessary a converter
107tool or an editor could be written for people not comfortable with XML.</p> 107tool or an editor could be written for people not comfortable with XML (update:
108a QT based editor for the GLSA format written by plasmaroo exists in the
109gentoo-projects repository). Every GLSA has to be GPG signed by the responsible
110developer, who has to be a member of the security herd.</p>
108</div> 111</div>
109<div class="section" id="glsa-release-process"> 112<div class="section" id="glsa-release-process">
110<h2><a class="toc-backref" href="#id7" name="glsa-release-process">GLSA release process</a></h2> 113<h2><a class="toc-backref" href="#id7" name="glsa-release-process">GLSA release process</a></h2>
111<p>Additional to sending the GLSA to the gentoo-announce mailing list it has to be 114<p>Additional to sending the GLSA to the gentoo-announce mailing list it has to be
112stored on a HTTP/FTP server and in the portage tree. I'd suggest a script should 115stored on a HTTP/FTP server and in the portage tree. I'd suggest a script should
113be used to release a GLSA that will:</p> 116be used to release a GLSA that will:</p>
114<ul class="simple"> 117<ul class="simple">
115<li>check the GLSA for correctness</li> 118<li>check the GLSA for correctness</li>
119<li>sign the GLSA with the developers GPG key</li>
116<li>send a mail to gentoo-announce with the XML GLSA and a plaintext version attached</li> 120<li>send a mail to gentoo-announce with the XML GLSA and a plaintext version attached</li>
117<li>upload it to www.gentoo.org/glsa (or wherever they should be uploaded)</li> 121<li>upload it to www.gentoo.org/security/en/glsa (via cvs commit)</li>
118<li>put it on the rsync server</li> 122<li>put it on the rsync server (via cvs commit)</li>
119<li>notify the moderators on the forums to make an announcement</li> 123<li>notify the moderators on the forums to make an announcement</li>
120</ul> 124</ul>
121</div> 125</div>
122<div class="section" id="portage-changes"> 126<div class="section" id="portage-changes">
123<h2><a class="toc-backref" href="#id8" name="portage-changes">Portage changes</a></h2> 127<h2><a class="toc-backref" href="#id8" name="portage-changes">Portage changes</a></h2>
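Review bot: the new sentence in the GLSA format section requiring every GLSA to be signed by a security herd member, and the new release-script step "sign the GLSA with the developers GPG key", leave open which keys the update tool accepts as valid signers; as written, any key that yields a valid signature would pass, so the text should name the trusted keyring (the security herd's keys) that verification is checked against. Two smaller points in the same region: the plaintext version attached to the gentoo-announce mail is not covered by a signature over the XML GLSA, so either sign it as well or state that the XML is the only authoritative form; and because the signed XML now reaches the HTTP and rsync servers "via cvs commit", the committed file must stay byte-identical to what was signed, which means CVS keyword expansion must be disabled for these files.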
142</ul> 146</ul>
143<p>Putting the GLSAs in the portage tree allows all users to check their systems 147<p>Putting the GLSAs in the portage tree allows all users to check their systems
144for security updates without taking more actions and simplifies later integration 148for security updates without taking more actions and simplifies later integration
145of the update tool into portage. For security minded persons the GLSAs are 149of the update tool into portage. For security minded persons the GLSAs are
146available on a HTTP server to ease the load of the rsync servers.</p> 150available on a HTTP server to ease the load of the rsync servers.</p>
151<p>To verify the signatures of the GLSAs the public keys of the developers should be
152available in the portage tree and on the HTTP server. The verification is necessary
153to prevent exploits by fake GLSAs.</p>
147</div> 154</div>
148<div class="section" id="implementation"> 155<div class="section" id="implementation">
149<h1><a class="toc-backref" href="#id10" name="implementation">Implementation</a></h1> 156<h1><a class="toc-backref" href="#id10" name="implementation">Implementation</a></h1>
150<p>A prototype implementation (including the update tool, a DTD and a sample 157<p>A prototype implementation (including the update tool, a DTD and a sample
151XMLified GLSA) exists at <a class="reference" href="http://gentoo.devel-net.org/glsa/">http://gentoo.devel-net.org/glsa/</a> . This GLEP is based 158XMLified GLSA) exists at <a class="reference" href="http://gentoo.devel-net.org/glsa/">http://gentoo.devel-net.org/glsa/</a> and in the
159gentoo-projects/gentoo-security/GLSA repository. This GLEP is based
152on that implementation, though it can be changed or rewritten if necessary. 160on that implementation, though it can be changed or rewritten if necessary.</p>
153According to portage developers there is also already some support for this in
154portage.</p>
155</div> 161</div>
156<div class="section" id="backwards-compatibility"> 162<div class="section" id="backwards-compatibility">
157<h1><a class="toc-backref" href="#id11" name="backwards-compatibility">Backwards compatibility</a></h1> 163<h1><a class="toc-backref" href="#id11" name="backwards-compatibility">Backwards compatibility</a></h1>
158<p>The current <a class="reference" href="#glsa-release-process">GLSA release process</a> needs to be replaced with this proposal. It 164<p>The current <a class="reference" href="#glsa-release-process">GLSA release process</a> needs to be replaced with this proposal. It
159would be nice if old GLSAs would be transformed into XML as well, but that is 165would be nice if old GLSAs would be transformed into XML as well, but that is
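Review bot: the paragraph added to the Portage changes section distributes the developers' public keys over the same rsync tree and HTTP server that carry the GLSAs, which is the very channel the verification is meant to protect ("to prevent exploits by fake GLSAs"); a key substituted through that channel alongside a fake GLSA would still verify, so the trust anchor has to come from something the user already trusts. Suggest shipping the security herd keyring (or at least its fingerprints) with the update tool or a portage release, and treating keys fetched from the tree only as a refresh that must itself be signed by an already trusted key.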
166</div> 172</div>
167 173
168<hr class="footer"/> 174<hr class="footer"/>
169<div class="footer"> 175<div class="footer">
170<a class="reference" href="glep-0014.txt">View document source</a>. 176<a class="reference" href="glep-0014.txt">View document source</a>.
171Generated on: 2003-08-22 15:08 UTC. 177Generated on: 2003-11-10 19:22 UTC.
172Generated by <a class="reference" href="http://docutils.sourceforge.net/">Docutils</a> from <a class="reference" href="http://docutils.sourceforge.net/rst.html">reStructuredText</a> source. 178Generated by <a class="reference" href="http://docutils.sourceforge.net/">Docutils</a> from <a class="reference" href="http://docutils.sourceforge.net/rst.html">reStructuredText</a> source.
173</div> 179</div>
174</body> 180</body>
175</html> 181</html>
176 182
