| Summary: | Update security document to state 'emerge -uD world' is not enough to keep secure | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Cameron Blackwood <korgg2> |
| Component: | Vulnerabilities | Assignee: | Xavier Neys (RETIRED) <neysx> |
| Status: | RESOLVED FIXED | ||
| Severity: | minor | CC: | docs-team, security |
| Priority: | High | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Package list: | | Runtime testing required: | --- |
Description
Cameron Blackwood
2005-09-21 19:10:10 UTC
I agree. Reassigning to the docs guys.

The solution for this would be to explicitly install those packages? Or using glsa-check to install them? Or? I'm not sure... I was only running emerge world to update; I didn't realise that didn't install security fixes until I ran glsa-*. All in all I'm left a little confused by exactly how I should keep my Gentoo system up to date and secure. Someone mentioned that it was possible for emerge to lose track of packages that move group, so I'm not sure if that's what was causing it or if it was just emerge being a bit simple, or what. This led me to wonder exactly what the best way to verify my Gentoo system was, and I couldn't find that in the docs, but it must be a common question.

emerge -uDNpv world
glsa-check -l |& grep '\[N\]'

and revdep-rebuild seem to be a start, but an official 'this is how to make your system up to date and secure' is still needed (I think). (Assuming that it is possible.... which one assumes it must be, short of installing everything from scratch every day to avoid changed USE flags, group-moving packages and security updates :). I just wanted to say that I'm not picking, I love Gentoo! But if anyone can answer the question, then let's get them to dump it in the docs.. please?

Yeah, I completely understand your point...which is why I asked the question :) CC'ing security for a solution, which we can then put into the docs. Comment #2 would need to be answered. TIA sec team.

I do it manually, but I guess that would do:

# Apply all unapplied GLSAs (significant fixes in stable packages)
glsa-check -f $(glsa-check -t all)
# Upgrade everything else to get the fixes in ~ packages (if you use some)
emerge -uDpv world
# Upgrade your kernel to the last available version
emerge your-sources && [compile/install the new kernel]
# Restart affected services (or reboot to be sure)
...

About revdep-rebuild, I don't think it's needed for security reasons; it's more needed to compensate for some non-seamless updates. Not running it potentially results in broken packages, not insecure ones. Other security members' mileage may vary, so better wait for their opinion.

I do it manually too. Though chapter 14 of the Security Handbook sums it up pretty well. The only thing that I think is missing is a note saying that emerge world is not enough.

(In reply to comment #6)
> emerge world is not enough.

Sounds like a James Bond title.

Ok, maybe it's silly, but I still feel that if you're going to take the time to say "emerge world is not enough" then can it really hurt to add the logical "... but this is what you need"?
Not that I have a vote :), but if I did have one, it would be for putting a list of the commands that are required to get an up-to-date, secure, valid system. (So, let's make that emerge -uDNpv world to catch changed USE flags and add in any other command that catches stuff like that...)
So, can we improve on:

emerge sync
emerge -uDNpv world
glsa-check -l |& grep '\[N\]'
revdep-rebuild -p

??

I don't think you need the N every time... emerge -uD[p]v world and glsa-check -l | grep "\[N\]" should do.

(In reply to comment #8)
> Not that I have a vote :), but if I did have one, it would be for putting a list
> of the commands that are required to get an up-to-date, secure, valid system.

Like I said, it's hard to translate into commands, especially since YMMV about how you do a new kernel installation.

> So, can we improve on:
>
> emerge sync
> emerge -uDNpv world
> glsa-check -l |& grep '\[N\]'
> revdep-rebuild -p
> ??

See my above comment #5. It lists commands and actions that I think are necessary. Your commands miss the kernel installation and the services restart. Also revdep-rebuild has nothing to do with security; it deals with packages that have been broken during an upgrade.

Doc team, any news/opinion on this one?

Would the changes displayed on http://gentoo.neysx.org/mystuff/shb-uptodate.xml make you happy?

The following note is incorrect:

Some people still prefer to use emerge packagename instead of glsa-check -f so all GLSAs are listed as [N].

(In reply to comment #13)
> The following note is incorrect:
>
> Some people still prefer to use emerge packagename instead of glsa-check -f so
> all GLSAs are listed as [N].

Removed. Better now?

I think it's much better. I can't shake the feeling that the fact everyone says 'oh I just do it by hand' is somehow wrong, but that's a meta issue.

I think the doc change is much better.

Latest changes committed. Please reopen if required.

In that case, a patch against [gentoo]/xml/htdocs/doc/en/security/shb-uptodate.xml would be much appreciated.
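The check-then-fix step the thread converges on (list the GLSAs glsa-check flags as [N], then hand exactly those to glsa-check -f), written up as an added example that is not from the bug thread or from Gentoo's own docs. The glsa-check -l line format and the sample entries are assumptions, constructed so the script runs offline.

```sh
#!/bin/sh
# Added example, not from the bug thread: turn the thread's
# "glsa-check -l | grep '\[N\]'" check into a check-then-fix step.
# Line format assumed from glsa-check -l output:
#   <GLSA id> [flag] <title> ( <category/package> )
# where [A] = already applied, [U] = not affected, [N] = possibly affected.

# Constructed sample output for offline use; these are not real GLSAs.
SAMPLE_GLSA_LIST='200509-01 [A] Foo: Buffer overflow ( app-misc/foo )
200509-06 [N] Squid: Multiple vulnerabilities ( net-proxy/squid )
200509-09 [U] Bar: Denial of Service ( net-misc/bar )
200509-12 [N] Baz: Privilege escalation ( sys-apps/baz )'

# Read glsa-check -l output on stdin; print the IDs flagged [N], one per line.
# Legend lines ("[N] indicates ...") start with the flag, so $2 never matches.
unapplied_glsas() {
    awk '$2 == "[N]" { print $1 }'
}

# Read the same output; print the package named in each [N] entry.
affected_packages() {
    sed -n 's/^[^ ]* \[N\] .*( \([^ ]*\) ).*/\1/p'
}

# Read glsa-check -l output on stdin. "report" (default) only lists what
# glsa-check -f would touch; "apply" runs glsa-check -f on the [N] IDs.
# Real use:  glsa-check -l | glsa_update apply
glsa_update() {
    mode=${1:-report}
    list=$(cat)
    ids=$(printf '%s\n' "$list" | unapplied_glsas | tr '\n' ' ')
    ids=${ids% }
    if [ -z "$ids" ]; then
        echo "no unapplied GLSAs"
        return 0
    fi
    echo "unapplied GLSAs: $ids"
    if [ "$mode" = apply ]; then
        # Only the GLSA step; the thread's full procedure also runs
        # emerge -uDpv world, a kernel upgrade and a service restart.
        glsa-check -f $ids
    fi
}

# Stand-alone demo on the constructed sample:
printf '%s\n' "$SAMPLE_GLSA_LIST" | glsa_update report
```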