--- xml/htdocs/proj/en/glep/glep-0014.html 2003/11/10 19:22:24 1.3 +++ xml/htdocs/proj/en/glep/glep-0014.html 2004/10/25 17:09:07 1.4 @@ -8,7 +8,7 @@ --> - + GLEP 14 -- security updates based on GLSA @@ -22,7 +22,7 @@ [Gentoo Linux Home] [GLEP Index] -[GLEP Source] +[GLEP Source]
@@ -35,7 +35,7 @@ - + @@ -43,31 +43,32 @@ - + - +
Version:1.4
Last-Modified:2003/11/10 19:21:57
Last-Modified:2003/11/10 19:21:57
Author:Marius Mauch <genone at genone.de>,
Type:Standards Track
Content-Type:text/x-rst
Content-Type:text/x-rst
Created:18 Aug 2003
Post-History:22-Aug-2003, 24-Aug-2003, 10-Nov-2003
Post-History:22-Aug-2003, 24-Aug-2003, 10-Nov-2003, 25-Oct-2004

-

Contents

+

Contents

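Review bot: the Last-Modified line in this hunk is removed and re-added with the same value, 2003/11/10 19:21:57, even though Version is bumped to 1.4 and Post-History gains 25-Oct-2004 in the same hunk (and the file header shows the 2004/10/25 revision). Update Last-Modified to the new revision date so the rendered metadata does not claim the document was last changed in 2003 while its history says otherwise.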
@@ -76,17 +77,21 @@ security holes or auto-apply security fixes. This GLEP proposes a way to deal with this issue

+
+

Status Update

+

Beta implementation in gentoolkit.

+
-

Motivation

+

Motivation

Automatic checking for security updates is a often requested feature for Gentoo. Implementing it will enable users to fix security holes without reading every security announcement. It's also a feature that is often required in enterprise environments.

-

Proposed change

+

Proposed change

-

Update tool

+

Update tool

The coding part of this GLEP is a update tool that reads a GLSA, verifies its GPG signature, checks if the system is affected by it and executes one of the following actions, depending on user preferences:

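Review bot: the new Status Update section says only "Beta implementation in gentoolkit." while the unchanged Implementation section later in the file still sends readers to the prototype at http://gentoo.devel-net.org/glsa/ and the gentoo-projects/gentoo-security/GLSA repository. Either name the gentoolkit location of the beta in the Status Update or revise the Implementation section in the same change, so the document does not give two different answers about where the current code lives.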
@@ -100,7 +105,7 @@ A prototype implementation for this tool exists.

-

GLSA format

+

GLSA format

The GLSA format needs to be specified, I suggest using XML for that to simplify parsing and later extensions. See implementation for a sample DTD. The format has to be compatible with the update tool of course. If necessary a converter @@ -110,7 +115,7 @@ developer, who has to be a member of the security herd.

-

GLSA release process

+

GLSA release process

Additional to sending the GLSA to the gentoo-announce mailing list it has to be stored on a HTTP/FTP server and in the portage tree. I'd suggest a script should be used to release a GLSA that will:

@@ -124,14 +129,14 @@
-

Portage changes

+

Portage changes

Until the update tool is integrated into portage there will be no code changes to portage. The update tool might require a few new configuration options, these could be placed in make.conf or another config file in /etc/portage.

-

Rationale

+

Rationale

The lack of automated security updates for Gentoo is one of the most often requested features for portage as it is one of the standard features of other distributions. As Gentoo already provides GLSAs for important security bugs it is only natural @@ -153,28 +158,28 @@ to prevent exploits by fake GLSAs.

-

Implementation

+

Implementation

A prototype implementation (including the update tool, a DTD and a sample XMLified GLSA) exists at http://gentoo.devel-net.org/glsa/ and in the gentoo-projects/gentoo-security/GLSA repository. This GLEP is based on that implementation, though it can be changed or rewritten if necessary.

-

Backwards compatibility

+

Backwards compatibility

The current GLSA release process needs to be replaced with this proposal. It would be nice if old GLSAs would be transformed into XML as well, but that is not a requirement for this GLEP.

- +