… | |
… | |
6 | PEP, see http://www.python.org/peps/pep-0001.html for instructions and links |
6 | PEP, see http://www.python.org/peps/pep-0001.html for instructions and links |
7 | to templates. DO NOT USE THIS HTML FILE AS YOUR TEMPLATE! |
7 | to templates. DO NOT USE THIS HTML FILE AS YOUR TEMPLATE! |
8 | --> |
8 | --> |
9 | <head> |
9 | <head> |
10 | <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> |
10 | <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> |
11 | <meta name="generator" content="Docutils 0.3.0: http://docutils.sourceforge.net/" /> |
11 | <meta name="generator" content="Docutils 0.4: http://docutils.sourceforge.net/" /> |
12 | <title>GLEP 14 -- security updates based on GLSA</title> |
12 | <title>GLEP 14 -- security updates based on GLSA</title> |
13 | <link rel="stylesheet" href="tools/glep.css" type="text/css" /> |
13 | <style type="text/css"> |
|
|
14 | |
|
|
15 | /* |
|
|
16 | :Author: David Goodger |
|
|
17 | :Contact: goodger@users.sourceforge.net |
|
|
18 | :date: $Date: 2006/10/14 02:54:24 $ |
|
|
19 | :version: $Revision: 1.6 $ |
|
|
20 | :copyright: This stylesheet has been placed in the public domain. |
|
|
21 | |
|
|
22 | Default cascading style sheet for the PEP HTML output of Docutils. |
|
|
23 | */ |
|
|
24 | |
|
|
25 | .first { |
|
|
26 | margin-top: 0 } |
|
|
27 | |
|
|
28 | .last { |
|
|
29 | margin-bottom: 0 } |
|
|
30 | |
|
|
31 | .navigation { |
|
|
32 | width: 100% ; |
|
|
33 | background: #cc99ff ; |
|
|
34 | margin-top: 0px ; |
|
|
35 | margin-bottom: 0px } |
|
|
36 | |
|
|
37 | .navigation .navicon { |
|
|
38 | width: 150px ; |
|
|
39 | height: 35px } |
|
|
40 | |
|
|
41 | .navigation .textlinks { |
|
|
42 | padding-left: 1em ; |
|
|
43 | text-align: left } |
|
|
44 | |
|
|
45 | .navigation td, .navigation th { |
|
|
46 | padding-left: 0em ; |
|
|
47 | padding-right: 0em ; |
|
|
48 | vertical-align: middle } |
|
|
49 | |
|
|
50 | .rfc2822 { |
|
|
51 | margin-top: 0.5em ; |
|
|
52 | margin-left: 0.5em ; |
|
|
53 | margin-right: 0.5em ; |
|
|
54 | margin-bottom: 0em } |
|
|
55 | |
|
|
56 | .rfc2822 td { |
|
|
57 | text-align: left } |
|
|
58 | |
|
|
59 | .rfc2822 th.field-name { |
|
|
60 | text-align: right ; |
|
|
61 | font-family: sans-serif ; |
|
|
62 | padding-right: 0.5em ; |
|
|
63 | font-weight: bold ; |
|
|
64 | margin-bottom: 0em } |
|
|
65 | |
|
|
66 | a.toc-backref { |
|
|
67 | text-decoration: none ; |
|
|
68 | color: black } |
|
|
69 | |
|
|
70 | body { |
|
|
71 | margin: 0px ; |
|
|
72 | margin-bottom: 1em ; |
|
|
73 | padding: 0px } |
|
|
74 | |
|
|
75 | dd { |
|
|
76 | margin-bottom: 0.5em } |
|
|
77 | |
|
|
78 | div.section { |
|
|
79 | margin-left: 1em ; |
|
|
80 | margin-right: 1em ; |
|
|
81 | margin-bottom: 1.5em } |
|
|
82 | |
|
|
83 | div.section div.section { |
|
|
84 | margin-left: 0em ; |
|
|
85 | margin-right: 0em ; |
|
|
86 | margin-top: 1.5em } |
|
|
87 | |
|
|
88 | div.abstract { |
|
|
89 | margin: 2em 5em } |
|
|
90 | |
|
|
91 | div.abstract p.topic-title { |
|
|
92 | font-weight: bold ; |
|
|
93 | text-align: center } |
|
|
94 | |
|
|
95 | div.attention, div.caution, div.danger, div.error, div.hint, |
|
|
96 | div.important, div.note, div.tip, div.warning { |
|
|
97 | margin: 2em ; |
|
|
98 | border: medium outset ; |
|
|
99 | padding: 1em } |
|
|
100 | |
|
|
101 | div.attention p.admonition-title, div.caution p.admonition-title, |
|
|
102 | div.danger p.admonition-title, div.error p.admonition-title, |
|
|
103 | div.warning p.admonition-title { |
|
|
104 | color: red ; |
|
|
105 | font-weight: bold ; |
|
|
106 | font-family: sans-serif } |
|
|
107 | |
|
|
108 | div.hint p.admonition-title, div.important p.admonition-title, |
|
|
109 | div.note p.admonition-title, div.tip p.admonition-title { |
|
|
110 | font-weight: bold ; |
|
|
111 | font-family: sans-serif } |
|
|
112 | |
|
|
113 | div.figure { |
|
|
114 | margin-left: 2em } |
|
|
115 | |
|
|
116 | div.footer, div.header { |
|
|
117 | font-size: smaller } |
|
|
118 | |
|
|
119 | div.footer { |
|
|
120 | margin-left: 1em ; |
|
|
121 | margin-right: 1em } |
|
|
122 | |
|
|
123 | div.system-messages { |
|
|
124 | margin: 5em } |
|
|
125 | |
|
|
126 | div.system-messages h1 { |
|
|
127 | color: red } |
|
|
128 | |
|
|
129 | div.system-message { |
|
|
130 | border: medium outset ; |
|
|
131 | padding: 1em } |
|
|
132 | |
|
|
133 | div.system-message p.system-message-title { |
|
|
134 | color: red ; |
|
|
135 | font-weight: bold } |
|
|
136 | |
|
|
137 | div.topic { |
|
|
138 | margin: 2em } |
|
|
139 | |
|
|
140 | h1 { |
|
|
141 | font-family: sans-serif ; |
|
|
142 | font-size: large } |
|
|
143 | |
|
|
144 | h2 { |
|
|
145 | font-family: sans-serif ; |
|
|
146 | font-size: medium } |
|
|
147 | |
|
|
148 | h3 { |
|
|
149 | font-family: sans-serif ; |
|
|
150 | font-size: small } |
|
|
151 | |
|
|
152 | h4 { |
|
|
153 | font-family: sans-serif ; |
|
|
154 | font-style: italic ; |
|
|
155 | font-size: small } |
|
|
156 | |
|
|
157 | h5 { |
|
|
158 | font-family: sans-serif; |
|
|
159 | font-size: x-small } |
|
|
160 | |
|
|
161 | h6 { |
|
|
162 | font-family: sans-serif; |
|
|
163 | font-style: italic ; |
|
|
164 | font-size: x-small } |
|
|
165 | |
|
|
166 | .section hr { |
|
|
167 | width: 75% } |
|
|
168 | |
|
|
169 | ol.simple, ul.simple { |
|
|
170 | margin-bottom: 1em } |
|
|
171 | |
|
|
172 | ol.arabic { |
|
|
173 | list-style: decimal } |
|
|
174 | |
|
|
175 | ol.loweralpha { |
|
|
176 | list-style: lower-alpha } |
|
|
177 | |
|
|
178 | ol.upperalpha { |
|
|
179 | list-style: upper-alpha } |
|
|
180 | |
|
|
181 | ol.lowerroman { |
|
|
182 | list-style: lower-roman } |
|
|
183 | |
|
|
184 | ol.upperroman { |
|
|
185 | list-style: upper-roman } |
|
|
186 | |
|
|
187 | p.caption { |
|
|
188 | font-style: italic } |
|
|
189 | |
|
|
190 | p.credits { |
|
|
191 | font-style: italic ; |
|
|
192 | font-size: smaller } |
|
|
193 | |
|
|
194 | p.label { |
|
|
195 | white-space: nowrap } |
|
|
196 | |
|
|
197 | p.topic-title { |
|
|
198 | font-family: sans-serif ; |
|
|
199 | font-weight: bold } |
|
|
200 | |
|
|
201 | pre.line-block { |
|
|
202 | font-family: serif ; |
|
|
203 | font-size: 100% } |
|
|
204 | |
|
|
205 | pre.literal-block, pre.doctest-block { |
|
|
206 | margin-left: 2em ; |
|
|
207 | margin-right: 2em ; |
|
|
208 | background-color: #eeeeee } |
|
|
209 | |
|
|
210 | span.classifier { |
|
|
211 | font-family: sans-serif ; |
|
|
212 | font-style: oblique } |
|
|
213 | |
|
|
214 | span.classifier-delimiter { |
|
|
215 | font-family: sans-serif ; |
|
|
216 | font-weight: bold } |
|
|
217 | |
|
|
218 | span.interpreted { |
|
|
219 | font-family: sans-serif } |
|
|
220 | |
|
|
221 | span.option-argument { |
|
|
222 | font-style: italic } |
|
|
223 | |
|
|
224 | span.pre { |
|
|
225 | white-space: pre } |
|
|
226 | |
|
|
227 | span.problematic { |
|
|
228 | color: red } |
|
|
229 | |
|
|
230 | table { |
|
|
231 | margin-top: 0.5em ; |
|
|
232 | margin-bottom: 0.5em } |
|
|
233 | |
|
|
234 | td, th { |
|
|
235 | padding-left: 0.5em ; |
|
|
236 | padding-right: 0.5em ; |
|
|
237 | vertical-align: top } |
|
|
238 | |
|
|
239 | td.num { |
|
|
240 | text-align: right } |
|
|
241 | |
|
|
242 | th.field-name { |
|
|
243 | font-weight: bold ; |
|
|
244 | text-align: left ; |
|
|
245 | white-space: nowrap } |
|
|
246 | |
|
|
247 | h1 tt, h2 tt, h3 tt, h4 tt, h5 tt, h6 tt { |
|
|
248 | font-size: 100% } |
|
|
249 | |
|
|
250 | tt { |
|
|
251 | background-color: #eeeeee } |
|
|
252 | |
|
|
253 | ul.auto-toc { |
|
|
254 | list-style-type: none } |
|
|
255 | |
|
|
256 | </style> |
14 | </head> |
257 | </head> |
15 | <body bgcolor="white"> |
258 | <body bgcolor="white"> |
16 | <table class="navigation" cellpadding="0" cellspacing="0" |
259 | <table class="navigation" cellpadding="0" cellspacing="0" |
17 | width="100%" border="0"> |
260 | width="100%" border="0"> |
18 | <tr><td class="navicon" width="150" height="35"> |
261 | <tr><td class="navicon" width="150" height="35"> |
19 | <a href="http://www.gentoo.org/" title="Gentoo Linux Home Page"> |
262 | <a href="http://www.gentoo.org/" title="Gentoo Linux Home Page"> |
20 | <img src="http://www.gentoo.org/images/gentoo-new.gif" alt="[Gentoo]" |
263 | <img src="http://www.gentoo.org/images/gentoo-new.gif" alt="[Gentoo]" |
21 | border="0" width="150" height="35" /></a></td> |
264 | border="0" width="150" height="35" /></a></td> |
22 | <td class="textlinks" align="left"> |
265 | <td class="textlinks" align="left"> |
23 | [<b><a href="http://www.gentoo.org/">Gentoo Linux Home</a></b>] |
266 | [<b><a href="http://www.gentoo.org/">Gentoo Linux Home</a></b>] |
24 | [<b><a href="http://www.gentoo.org/proj/en/glep">GLEP Index</a></b>] |
267 | [<b><a href="http://www.gentoo.org/peps">GLEP Index</a></b>] |
25 | [<b><a href="http://www.gentoo.org/proj/en/glep/glep-0014.txt">GLEP Source</a></b>] |
268 | [<b><a href="http://www.gentoo.org/proj/en/glep/glep-0014.txt">GLEP Source</a></b>] |
26 | </td></tr></table> |
269 | </td></tr></table> |
27 | <div class="document"> |
|
|
28 | <table class="rfc2822 field-list" frame="void" rules="none"> |
270 | <table class="rfc2822 docutils field-list" frame="void" rules="none"> |
29 | <col class="field-name" /> |
271 | <col class="field-name" /> |
30 | <col class="field-body" /> |
272 | <col class="field-body" /> |
31 | <tbody valign="top"> |
273 | <tbody valign="top"> |
32 | <tr class="field"><th class="field-name">GLEP:</th><td class="field-body">14</td> |
274 | <tr class="field"><th class="field-name">GLEP:</th><td class="field-body">14</td> |
33 | </tr> |
275 | </tr> |
34 | <tr class="field"><th class="field-name">Title:</th><td class="field-body">security updates based on GLSA</td> |
276 | <tr class="field"><th class="field-name">Title:</th><td class="field-body">security updates based on GLSA</td> |
35 | </tr> |
277 | </tr> |
36 | <tr class="field"><th class="field-name">Version:</th><td class="field-body">1.1</td> |
278 | <tr class="field"><th class="field-name">Version:</th><td class="field-body">1.5</td> |
37 | </tr> |
279 | </tr> |
38 | <tr class="field"><th class="field-name">Last-Modified:</th><td class="field-body"><a class="reference" href="http://www.gentoo.org/cgi-bin/viewcvs.cgi/xml/htdocs/proj/en/glep/glep-0014.txt?cvsroot=gentoo">2003/08/22 15:00:55</a></td> |
280 | <tr class="field"><th class="field-name">Last-Modified:</th><td class="field-body"><a class="reference" href="http://www.gentoo.org/cgi-bin/viewcvs.cgi/xml/htdocs/proj/en/glep/glep-0014.txt?cvsroot=gentoo">2004/10/26 00:21:28</a></td> |
39 | </tr> |
281 | </tr> |
40 | <tr class="field"><th class="field-name">Author:</th><td class="field-body">Marius Mauch <genone at genone.de>,</td> |
282 | <tr class="field"><th class="field-name">Author:</th><td class="field-body">Marius Mauch <genone at genone.de>,</td> |
41 | </tr> |
283 | </tr> |
42 | <tr class="field"><th class="field-name">Status:</th><td class="field-body">Draft</td> |
284 | <tr class="field"><th class="field-name">Status:</th><td class="field-body">Accepted</td> |
43 | </tr> |
285 | </tr> |
44 | <tr class="field"><th class="field-name">Type:</th><td class="field-body">Standards Track</td> |
286 | <tr class="field"><th class="field-name">Type:</th><td class="field-body">Standards Track</td> |
45 | </tr> |
287 | </tr> |
46 | <tr class="field"><th class="field-name">Content-Type:</th><td class="field-body"><a class="reference" href="glep-0002.html">text/x-rst</a></td> |
288 | <tr class="field"><th class="field-name">Content-Type:</th><td class="field-body"><a class="reference" href="glep-0002.html">text/x-rst</a></td> |
47 | </tr> |
289 | </tr> |
48 | <tr class="field"><th class="field-name">Created:</th><td class="field-body">18 Aug 2003</td> |
290 | <tr class="field"><th class="field-name">Created:</th><td class="field-body">18 Aug 2003</td> |
49 | </tr> |
291 | </tr> |
50 | <tr class="field"><th class="field-name">Post-History:</th><td class="field-body">22-Aug-2003</td> |
292 | <tr class="field"><th class="field-name">Post-History:</th><td class="field-body">22-Aug-2003, 24-Aug-2003, 10-Nov-2003, 25-Oct-2004</td> |
|
|
293 | </tr> |
|
|
294 | <tr class="field"><th class="field-name">Requires:</th><td class="field-body"><a class="reference" href="http://www.gentoo.org/proj/en/glepglep-0021.html">21</a></td> |
51 | </tr> |
295 | </tr> |
52 | </tbody> |
296 | </tbody> |
53 | </table> |
297 | </table> |
54 | <hr /> |
298 | <hr /> |
55 | <div class="contents topic" id="contents"> |
299 | <div class="contents topic"> |
56 | <p class="topic-title"><a name="contents">Contents</a></p> |
300 | <p class="topic-title first"><a id="contents" name="contents">Contents</a></p> |
57 | <ul class="simple"> |
301 | <ul class="simple"> |
58 | <li><a class="reference" href="#abstract" id="id2" name="id2">Abstract</a></li> |
302 | <li><a class="reference" href="#abstract" id="id2" name="id2">Abstract</a></li> |
|
|
303 | <li><a class="reference" href="#status-update" id="id3" name="id3">Status Update</a></li> |
59 | <li><a class="reference" href="#motivation" id="id3" name="id3">Motivation</a></li> |
304 | <li><a class="reference" href="#motivation" id="id4" name="id4">Motivation</a></li> |
60 | <li><a class="reference" href="#proposed-change" id="id4" name="id4">Proposed change</a><ul> |
305 | <li><a class="reference" href="#proposed-change" id="id5" name="id5">Proposed change</a><ul> |
61 | <li><a class="reference" href="#update-tool" id="id5" name="id5">Update tool</a></li> |
306 | <li><a class="reference" href="#update-tool" id="id6" name="id6">Update tool</a></li> |
62 | <li><a class="reference" href="#glsa-format" id="id6" name="id6">GLSA format</a></li> |
307 | <li><a class="reference" href="#glsa-format" id="id7" name="id7">GLSA format</a></li> |
63 | <li><a class="reference" href="#glsa-release-process" id="id7" name="id7">GLSA release process</a></li> |
308 | <li><a class="reference" href="#glsa-release-process" id="id8" name="id8">GLSA release process</a></li> |
64 | <li><a class="reference" href="#portage-changes" id="id8" name="id8">Portage changes</a></li> |
309 | <li><a class="reference" href="#portage-changes" id="id9" name="id9">Portage changes</a></li> |
65 | </ul> |
310 | </ul> |
66 | </li> |
311 | </li> |
67 | <li><a class="reference" href="#rationale" id="id9" name="id9">Rationale</a></li> |
312 | <li><a class="reference" href="#rationale" id="id10" name="id10">Rationale</a></li> |
68 | <li><a class="reference" href="#implementation" id="id10" name="id10">Implementation</a></li> |
313 | <li><a class="reference" href="#implementation" id="id11" name="id11">Implementation</a></li> |
69 | <li><a class="reference" href="#backwards-compatibility" id="id11" name="id11">Backwards compatibility</a></li> |
314 | <li><a class="reference" href="#backwards-compatibility" id="id12" name="id12">Backwards compatibility</a></li> |
70 | <li><a class="reference" href="#copyright" id="id12" name="id12">Copyright</a></li> |
315 | <li><a class="reference" href="#copyright" id="id13" name="id13">Copyright</a></li> |
71 | </ul> |
316 | </ul> |
72 | </div> |
317 | </div> |
73 | <div class="section" id="abstract"> |
318 | <div class="section"> |
74 | <h1><a class="toc-backref" href="#id2" name="abstract">Abstract</a></h1> |
319 | <h1><a class="toc-backref" href="#id2" id="abstract" name="abstract">Abstract</a></h1> |
75 | <p>There is currently no automatic way to check a Gentoo system for identified |
320 | <p>There is currently no automatic way to check a Gentoo system for identified |
76 | security holes or auto-apply security fixes. This GLEP proposes a way to deal |
321 | security holes or auto-apply security fixes. This GLEP proposes a way to deal |
77 | with this issue</p> |
322 | with this issue</p> |
78 | </div> |
323 | </div> |
79 | <div class="section" id="motivation"> |
324 | <div class="section"> |
|
|
325 | <h1><a class="toc-backref" href="#id3" id="status-update" name="status-update">Status Update</a></h1> |
|
|
326 | <p>Preliminary implementation <tt class="docutils literal"><span class="pre">glsa-check</span></tt> in gentoolkit, final implementation |
|
|
327 | pending set support in portage (GLEP 21).</p> |
|
|
328 | </div> |
|
|
329 | <div class="section"> |
80 | <h1><a class="toc-backref" href="#id3" name="motivation">Motivation</a></h1> |
330 | <h1><a class="toc-backref" href="#id4" id="motivation" name="motivation">Motivation</a></h1> |
81 | <p>Automatic checking for security updates is a often requested feature for Gentoo. |
331 | <p>Automatic checking for security updates is a often requested feature for Gentoo. |
82 | Implementing it will enable users to fix security holes without reading every |
332 | Implementing it will enable users to fix security holes without reading every |
83 | security announcement. It's also a feature that is often required in enterprise |
333 | security announcement. It's also a feature that is often required in enterprise |
84 | environments.</p> |
334 | environments.</p> |
85 | </div> |
335 | </div> |
86 | <div class="section" id="proposed-change"> |
336 | <div class="section"> |
87 | <h1><a class="toc-backref" href="#id4" name="proposed-change">Proposed change</a></h1> |
337 | <h1><a class="toc-backref" href="#id5" id="proposed-change" name="proposed-change">Proposed change</a></h1> |
88 | <div class="section" id="update-tool"> |
338 | <div class="section"> |
89 | <h2><a class="toc-backref" href="#id5" name="update-tool">Update tool</a></h2> |
339 | <h2><a class="toc-backref" href="#id6" id="update-tool" name="update-tool">Update tool</a></h2> |
90 | <p>The coding part of this GLEP is a update tool that reads a GLSA, checks if |
340 | <p>The coding part of this GLEP is a update tool that reads a GLSA, verifies its |
91 | the system is affected by it and executes one of the following actions, depending |
341 | GPG signature, checks if the system is affected by it and executes one of the |
92 | on user preferences:</p> |
342 | following actions, depending on user preferences:</p> |
93 | <ul class="simple"> |
343 | <ul class="simple"> |
94 | <li>run all steps necessary to fix the security hole, including package updates and |
344 | <li>run all steps necessary to fix the security hole, including package updates and |
95 | daemon restarts.</li> |
345 | daemon restarts.</li> |
96 | <li>instruct the user how to fix the security hole.</li> |
346 | <li>instruct the user how to fix the security hole.</li> |
97 | <li>print the GLSA so the user can get more information if desired.</li> |
347 | <li>print the GLSA so the user can get more information if desired.</li> |
98 | </ul> |
348 | </ul> |
99 | <p>Once this tool is implemented and well tested it can be integrated into portage. |
349 | <p>Once this tool is implemented and well tested it can be integrated into portage. |
100 | A prototype <a class="reference" href="#implementation">implementation</a> for this tool exists.</p> |
350 | A prototype <a class="reference" href="#implementation">implementation</a> for this tool exists.</p> |
101 | </div> |
351 | </div> |
102 | <div class="section" id="glsa-format"> |
352 | <div class="section"> |
103 | <h2><a class="toc-backref" href="#id6" name="glsa-format">GLSA format</a></h2> |
353 | <h2><a class="toc-backref" href="#id7" id="glsa-format" name="glsa-format">GLSA format</a></h2> |
104 | <p>The GLSA format needs to be specified, I suggest using XML for that to simplify |
354 | <p>The GLSA format needs to be specified, I suggest using XML for that to simplify |
105 | parsing and later extensions. See <a class="reference" href="#implementation">implementation</a> for a sample DTD. The format |
355 | parsing and later extensions. See <a class="reference" href="#implementation">implementation</a> for a sample DTD. The format |
106 | has to be compatible with the update tool of course. If necessary a converter |
356 | has to be compatible with the update tool of course. If necessary a converter |
107 | tool or an editor could be written for people not comfortable with XML.</p> |
357 | tool or an editor could be written for people not comfortable with XML (update: |
|
|
358 | a QT based editor for the GLSA format written by plasmaroo exists in the |
|
|
359 | gentoo-projects repository). Every GLSA has to be GPG signed by the responsible |
|
|
360 | developer, who has to be a member of the security herd.</p> |
108 | </div> |
361 | </div> |
109 | <div class="section" id="glsa-release-process"> |
362 | <div class="section"> |
110 | <h2><a class="toc-backref" href="#id7" name="glsa-release-process">GLSA release process</a></h2> |
363 | <h2><a class="toc-backref" href="#id8" id="glsa-release-process" name="glsa-release-process">GLSA release process</a></h2> |
111 | <p>Additional to sending the GLSA to the gentoo-announce mailing list it has to be |
364 | <p>Additional to sending the GLSA to the gentoo-announce mailing list it has to be |
112 | stored on a HTTP/FTP server and in the portage tree. I'd suggest a script should |
365 | stored on a HTTP/FTP server and in the portage tree. I'd suggest a script should |
113 | be used to release a GLSA that will:</p> |
366 | be used to release a GLSA that will:</p> |
114 | <ul class="simple"> |
367 | <ul class="simple"> |
115 | <li>check the GLSA for correctness</li> |
368 | <li>check the GLSA for correctness</li> |
|
|
369 | <li>sign the GLSA with the developers GPG key</li> |
116 | <li>send a mail to gentoo-announce with the XML GLSA and a plaintext version attached</li> |
370 | <li>send a mail to gentoo-announce with the XML GLSA and a plaintext version attached</li> |
117 | <li>upload it to www.gentoo.org/glsa (or wherever they should be uploaded)</li> |
371 | <li>upload it to www.gentoo.org/security/en/glsa (via cvs commit)</li> |
118 | <li>put it on the rsync server</li> |
372 | <li>put it on the rsync server (via cvs commit)</li> |
119 | <li>notify the moderators on the forums to make an announcement</li> |
373 | <li>notify the moderators on the forums to make an announcement</li> |
120 | </ul> |
374 | </ul> |
121 | </div> |
375 | </div> |
122 | <div class="section" id="portage-changes"> |
376 | <div class="section"> |
123 | <h2><a class="toc-backref" href="#id8" name="portage-changes">Portage changes</a></h2> |
377 | <h2><a class="toc-backref" href="#id9" id="portage-changes" name="portage-changes">Portage changes</a></h2> |
124 | <p>Until the <a class="reference" href="#update-tool">update tool</a> is integrated into portage there will be no code changes |
378 | <p>Until the <a class="reference" href="#update-tool">update tool</a> is integrated into portage there will be no code changes |
125 | to portage. The update tool might require a few new configuration options, these |
379 | to portage. The update tool might require a few new configuration options, these |
126 | could be placed in make.conf or another config file in /etc/portage.</p> |
380 | could be placed in make.conf or another config file in /etc/portage.</p> |
127 | </div> |
381 | </div> |
128 | </div> |
382 | </div> |
129 | <div class="section" id="rationale"> |
383 | <div class="section"> |
130 | <h1><a class="toc-backref" href="#id9" name="rationale">Rationale</a></h1> |
384 | <h1><a class="toc-backref" href="#id10" id="rationale" name="rationale">Rationale</a></h1> |
131 | <p>The lack of automated security updates for Gentoo is one of the most often requested |
385 | <p>The lack of automated security updates for Gentoo is one of the most often requested |
132 | features for portage as it is one of the standard features of other distributions. |
386 | features for portage as it is one of the standard features of other distributions. |
133 | As Gentoo already provides GLSAs for important security bugs it is only natural |
387 | As Gentoo already provides GLSAs for important security bugs it is only natural |
134 | to use these to implement this feature.</p> |
388 | to use these to implement this feature.</p> |
135 | <p>To parse a GLSA in a program the format needs to be specified and a parser has |
389 | <p>To parse a GLSA in a program the format needs to be specified and a parser has |
… | |
… | |
140 | <li>tools can convert XML GLSAs in other formats, the other direction would be harder</li> |
394 | <li>tools can convert XML GLSAs in other formats, the other direction would be harder</li> |
141 | <li>websites can use XSLT to markup GLSAs</li> |
395 | <li>websites can use XSLT to markup GLSAs</li> |
142 | </ul> |
396 | </ul> |
143 | <p>Putting the GLSAs in the portage tree allows all users to check their systems |
397 | <p>Putting the GLSAs in the portage tree allows all users to check their systems |
144 | for security updates without taking more actions and simplifies later integration |
398 | for security updates without taking more actions and simplifies later integration |
145 | of the update tool into portage. For security minded persons the GLSAs are |
399 | of the update tool into portage. For security minded persons the GLSAs are |
146 | available on a HTTP server to ease the load of the rsync servers.</p> |
400 | available on a HTTP server to ease the load of the rsync servers.</p> |
|
|
401 | <p>To verify the signatures of the GLSAs the public keys of the developers should be |
|
|
402 | available in the portage tree and on the HTTP server. The verification is necessary |
|
|
403 | to prevent exploits by fake GLSAs.</p> |
147 | </div> |
404 | </div> |
148 | <div class="section" id="implementation"> |
405 | <div class="section"> |
149 | <h1><a class="toc-backref" href="#id10" name="implementation">Implementation</a></h1> |
406 | <h1><a class="toc-backref" href="#id11" id="implementation" name="implementation">Implementation</a></h1> |
150 | <p>A prototype implementation (including the update tool, a DTD and a sample |
407 | <p>A prototype implementation (including the update tool, a DTD and a sample |
151 | XMLified GLSA) exists at <a class="reference" href="http://gentoo.devel-net.org/glsa/">http://gentoo.devel-net.org/glsa/</a> . This GLEP is based |
408 | XMLified GLSA) exists at <a class="reference" href="http://gentoo.devel-net.org/glsa/">http://gentoo.devel-net.org/glsa/</a> and in the |
|
|
409 | gentoo-projects/gentoo-security/GLSA repository. This GLEP is based |
152 | on that implementation, though it can be changed or rewritten if necessary. |
410 | on that implementation, though it can be changed or rewritten if necessary.</p> |
153 | According to portage developers there is also already some support for this in |
|
|
154 | portage.</p> |
|
|
155 | </div> |
411 | </div> |
156 | <div class="section" id="backwards-compatibility"> |
412 | <div class="section"> |
157 | <h1><a class="toc-backref" href="#id11" name="backwards-compatibility">Backwards compatibility</a></h1> |
413 | <h1><a class="toc-backref" href="#id12" id="backwards-compatibility" name="backwards-compatibility">Backwards compatibility</a></h1> |
158 | <p>The current <a class="reference" href="#glsa-release-process">GLSA release process</a> needs to be replaced with this proposal. It |
414 | <p>The current <a class="reference" href="#glsa-release-process">GLSA release process</a> needs to be replaced with this proposal. It |
159 | would be nice if old GLSAs would be transformed into XML as well, but that is |
415 | would be nice if old GLSAs would be transformed into XML as well, but that is |
160 | not a requirement for this GLEP.</p> |
416 | not a requirement for this GLEP.</p> |
161 | </div> |
417 | </div> |
162 | <div class="section" id="copyright"> |
418 | <div class="section"> |
163 | <h1><a class="toc-backref" href="#id12" name="copyright">Copyright</a></h1> |
419 | <h1><a class="toc-backref" href="#id13" id="copyright" name="copyright">Copyright</a></h1> |
164 | <p>This document has been placed in the public domain.</p> |
420 | <p>This document has been placed in the public domain.</p> |
165 | </div> |
421 | </div> |
166 | </div> |
|
|
167 | |
422 | |
168 | <hr class="footer"/> |
423 | </div> |
169 | <div class="footer"> |
424 | <div class="footer"> |
|
|
425 | <hr class="footer" /> |
170 | <a class="reference" href="glep-0014.txt">View document source</a>. |
426 | <a class="reference" href="glep-0014.txt">View document source</a>. |
171 | Generated on: 2003-08-22 15:08 UTC. |
427 | Generated on: 2006-10-14 03:00 UTC. |
172 | Generated by <a class="reference" href="http://docutils.sourceforge.net/">Docutils</a> from <a class="reference" href="http://docutils.sourceforge.net/rst.html">reStructuredText</a> source. |
428 | Generated by <a class="reference" href="http://docutils.sourceforge.net/">Docutils</a> from <a class="reference" href="http://docutils.sourceforge.net/rst.html">reStructuredText</a> source. |
|
|
429 | |
173 | </div> |
430 | </div> |
174 | </body> |
431 | </body> |
175 | </html> |
432 | </html> |
176 | |
433 | |