878931 – Snapshots don't include latest GLSA's

Bug 878931 - Snapshots don't include latest GLSA's

Summary: Snapshots don't include latest GLSA's

Status:	RESOLVED WORKSFORME

Alias:	None

Product:	Mirrors
Classification:	Unclassified
Component:	Server Problem (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	Mirror Admins

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2022-10-31 22:23 UTC by mentalstring
Modified:	2022-11-02 13:10 UTC (History)
CC List:	2 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description mentalstring 2022-10-31 22:23:52 UTC

When synching via emerge-webrsync, the snapshots don't include the latest GLSA. Latest included is from about 2 weeks ago.

Reproducible: Always

Steps to Reproduce:
1. emerge-webrsync
2. ls -l /usr/portage/metadata/glsa/glsa-20221*
3. # compare with https://security.gentoo.org/glsa

Comment 1 Sam James archtester

2022-11-01 01:12:00 UTC

The last batch of GLSAs was released several weeks ago and the latest batch will be in todays snapshot just made.

Comment 2 mentalstring 2022-11-01 08:46:16 UTC

I'm clearly out of my depth here, sorry. 

If the portage snapshots are made daily, why aren't all the existing GLSAs included? Doesn't this mean that those that can't --sync (eg: behind firewall) can be weeks behind the security alerts?

Comment 3 Sam James archtester

2022-11-01 20:29:46 UTC

(In reply to Paulo M from comment #2)
> I'm clearly out of my depth here, sorry. 
> 
> If the portage snapshots are made daily, why aren't all the existing GLSAs
> included? Doesn't this mean that those that can't --sync (eg: behind
> firewall) can be weeks behind the security alerts?

There were no new GLSAs until yesterday anyway and then when you pulled the snapshot, you did it just before it would've included the latest ones released y'day.

i.e. the snapshot is only ever delayed by at most 24 hours (supposing we release GLSAs _right_ after midnight or bang-on after it starts generating).

Comment 4 John Helmert III archtester

2022-11-01 20:32:27 UTC

Looks like yesterday's snapshot has all of yesterday's GLSAs, so works for me?

Comment 5 mentalstring 2022-11-02 08:58:18 UTC

(In reply to Sam James from comment #3)
> (In reply to Paulo M from comment #2)
> > I'm clearly out of my depth here, sorry. 
> > 
> > If the portage snapshots are made daily, why aren't all the existing GLSAs
> > included? Doesn't this mean that those that can't --sync (eg: behind
> > firewall) can be weeks behind the security alerts?
> 
> There were no new GLSAs until yesterday anyway and then when you pulled the
> snapshot, you did it just before it would've included the latest ones
> released y'day.
> 
> i.e. the snapshot is only ever delayed by at most 24 hours (supposing we
> release GLSAs _right_ after midnight or bang-on after it starts generating).

I get the up to 24h delay. What I hadn't realized is that the GLSAs are released in batches — that confused me since the difference between a rsync and a websync systems were dozens of GLSAs with the latest being already ~2 weeks old on the websync one, which made me think they weren't in sync for a while.

Are these batches of GLSAs just side effect from other vendors reports/timeline, or is it a gentoo policy?

Comment 6 Sam James archtester

2022-11-02 13:10:53 UTC

I think maybe misinterpreting "batches". We tend to write them (it's manual) and release them when we have time. there's no formal schedule, we just write and release them as soon as we can, and within the last few weeks there weren't any ready to go (either no vulnerabilities, no ebuilds ready yet, advisories not yet ready, ...)