--- xml/htdocs/proj/en/glep/glep-0014.html 2004/10/25 17:09:07 1.4 +++ xml/htdocs/proj/en/glep/glep-0014.html 2006/10/10 20:25:14 1.5 @@ -8,9 +8,252 @@ -->- +
|Title:||security updates based on GLSA|
|Author:||Marius Mauch <genone at genone.de>,|
|Created:||18 Aug 2003|
There is currently no automatic way to check a Gentoo system for identified security holes or auto-apply security fixes. This GLEP proposes a way to deal with this issue
Beta implementation in gentoolkit.
Automatic checking for security updates is a often requested feature for Gentoo. Implementing it will enable users to fix security holes without reading every security announcement. It's also a feature that is often required in enterprise environments.
The coding part of this GLEP is a update tool that reads a GLSA, verifies its -GPG signature, checks if the system is affected by it and executes one of the +GPG signature, checks if the system is affected by it and executes one of the following actions, depending on user preferences:
Once this tool is implemented and well tested it can be integrated into portage. A prototype implementation for this tool exists.
The GLSA format needs to be specified, I suggest using XML for that to simplify parsing and later extensions. See implementation for a sample DTD. The format has to be compatible with the update tool of course. If necessary a converter tool or an editor could be written for people not comfortable with XML (update: -a QT based editor for the GLSA format written by plasmaroo exists in the -gentoo-projects repository). Every GLSA has to be GPG signed by the responsible +a QT based editor for the GLSA format written by plasmaroo exists in the +gentoo-projects repository). Every GLSA has to be GPG signed by the responsible developer, who has to be a member of the security herd.
Additional to sending the GLSA to the gentoo-announce mailing list it has to be -stored on a HTTP/FTP server and in the portage tree. I'd suggest a script should +stored on a HTTP/FTP server and in the portage tree. I'd suggest a script should be used to release a GLSA that will:
The lack of automated security updates for Gentoo is one of the most often requested features for portage as it is one of the standard features of other distributions. As Gentoo already provides GLSAs for important security bugs it is only natural @@ -151,36 +393,37 @@
Putting the GLSAs in the portage tree allows all users to check their systems for security updates without taking more actions and simplifies later integration -of the update tool into portage. For security minded persons the GLSAs are +of the update tool into portage. For security minded persons the GLSAs are available on a HTTP server to ease the load of the rsync servers.
To verify the signatures of the GLSAs the public keys of the developers should be available in the portage tree and on the HTTP server. The verification is necessary to prevent exploits by fake GLSAs.
A prototype implementation (including the update tool, a DTD and a sample -XMLified GLSA) exists at http://gentoo.devel-net.org/glsa/ and in the -gentoo-projects/gentoo-security/GLSA repository. This GLEP is based +XMLified GLSA) exists at http://gentoo.devel-net.org/glsa/ and in the +gentoo-projects/gentoo-security/GLSA repository. This GLEP is based on that implementation, though it can be changed or rewritten if necessary.
The current GLSA release process needs to be replaced with this proposal. It +
The current GLSA release process needs to be replaced with this proposal. It would be nice if old GLSAs would be transformed into XML as well, but that is not a requirement for this GLEP.
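Review bot: Most of the visible `-`/`+` pairs in these hunks (the "GPG signature, checks if the system is affected by it and executes one of the" line, the two "a QT based editor for the GLSA format" lines, "stored on a HTTP/FTP server and in the portage tree", "of the update tool into portage", and the two "XMLified GLSA) exists at" lines) are textually identical in the old and new version, so the change on those lines is whitespace or line-ending only. If this HTML is generated from the GLEP source, regenerating the file instead of hand-editing it would avoid the whitespace churn that hides the real change here; the hunk headers `@@ -8,9 +8,252 @@` and `@@ -151,36 +393,37 @@` show that the substantive change is a large addition that does not appear in this extract at all. In the final hunk, the added lines `+` and `+The current GLSA release process needs to be replaced with this proposal. It` come directly after an unchanged context line carrying the same sentence, so as shown the paragraph would appear twice in the rendered page; please verify that the context line was meant to be a `-` line (another whitespace-only rewrite like the ones above) rather than a second copy of the paragraph.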