Hello all, I was surprised to find out that glsa-check uses GLSAs in the metadata sub-directory in portage, synced down by emerge sync. I was caught out, as I had not been syncing a bandwidth limited machine - instead I was only going to do it when there was a security update available. You can see my problem. No GLSA alerts, so I don't sync, so no GLSA alerts, etc. I expected the glsa-check package to download (a zip of/a signed zip of ?) the latest GLSAs and check that. Is it possible to make this change? This would mean that boxes that were stable, and only updated for security reasons, saved a lot of bandwidth on the mirrors, and for the people running them. Many thanks for your time, and effort in Gentoo anyway. Calum
+1 for me. ;-)
This feature would indeed be nice, but for now you can work around it by first syncing just the glsa part of the portage tree. However, this illuminates another problem with glsa-check: If a glsa concerns a package where you have a vulnerable version installed, but where no "fixed" version exists in portage (perhaps because you don't sync it as often), then glsa-check will happily mark your version unaffected until you sync portage. As it turns out, I've apparently been using an insecure version of tcpdump for some time because of this ...
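The false negative described in the comment above can be made concrete. The following is an added example, not code from the bug thread or from portage's glsa-check; it models two ways of deciding "affected" against a constructed GLSA fragment (placeholder advisory id, constructed version numbers, and a simplified dotted-integer version comparison in place of portage.versions.vercmp). The first function mirrors the failure mode reported here, where a package is only flagged when a fixed version is visible in the synced tree; the second decides from the installed version and the advisory's ranges alone, which is what a stale or partially synced tree requires.

```python
"""Added example (not part of the bug thread or of portage).

Evaluates installed versions against a GLSA's <vulnerable>/<unaffected>
ranges. SAMPLE_GLSA is constructed in the shape of metadata/glsa/*.xml;
its id and version numbers are placeholders, not a real advisory.
"""
import xml.etree.ElementTree as ET

SAMPLE_GLSA = """<glsa id="XXXXXX-XX">
  <title>tcpdump: placeholder advisory (constructed)</title>
  <affected>
    <package name="net-analyzer/tcpdump" auto="yes" arch="*">
      <unaffected range="ge">4.9.2</unaffected>
      <vulnerable range="lt">4.9.2</vulnerable>
    </package>
  </affected>
</glsa>
"""

# Constructed system state: what is installed, and what the synced tree offers.
INSTALLED = {"net-analyzer/tcpdump": ["4.9.1"]}
STALE_TREE = {"net-analyzer/tcpdump": ["4.9.1"]}           # not synced since the fix
FRESH_TREE = {"net-analyzer/tcpdump": ["4.9.1", "4.9.2"]}  # synced after the fix


def parse_version(v):
    """Simplified dotted-integer parsing. Real ebuild versions (_p1, -r1, ...)
    need portage.versions.vercmp; this suffices for the constructed data."""
    return tuple(int(part) for part in v.split("."))


RANGE_OPS = {
    "lt": lambda a, b: a < b,
    "le": lambda a, b: a <= b,
    "eq": lambda a, b: a == b,
    "ge": lambda a, b: a >= b,
    "gt": lambda a, b: a > b,
}


def in_range(installed, range_kind, bound):
    """True if `installed` satisfies a GLSA range element (e.g. range="lt")."""
    return RANGE_OPS[range_kind](parse_version(installed), parse_version(bound))


def parse_glsa(xml_text):
    """Return {package: (vulnerable_ranges, unaffected_ranges)} from GLSA XML,
    each range as a list of (range_kind, version_bound) tuples."""
    root = ET.fromstring(xml_text)
    result = {}
    for pkg in root.iter("package"):
        vuln = [(e.get("range"), e.text.strip()) for e in pkg.findall("vulnerable")]
        unaff = [(e.get("range"), e.text.strip()) for e in pkg.findall("unaffected")]
        result[pkg.get("name")] = (vuln, unaff)
    return result


def affected_by_tree_lookup(installed_versions, glsa_xml, tree_versions):
    """Model of the failure mode from the thread (not portage's code): report a
    package only when the synced tree already carries a version matching an
    <unaffected> range. With a stale tree the fix is invisible, so a
    vulnerable install is silently reported clean."""
    affected = {}
    for pkg, (vuln, unaff) in parse_glsa(glsa_xml).items():
        fix_visible = any(in_range(v, r, b)
                          for v in tree_versions.get(pkg, []) for r, b in unaff)
        if not fix_visible:
            continue
        for ver in installed_versions.get(pkg, []):
            if any(in_range(ver, r, b) for r, b in vuln):
                affected.setdefault(pkg, []).append(ver)
    return affected


def affected_by_ranges(installed_versions, glsa_xml):
    """Decide from the installed version and the advisory alone: affected if
    it matches a <vulnerable> range and no <unaffected> range, regardless of
    what the (possibly stale) tree contains."""
    affected = {}
    for pkg, (vuln, unaff) in parse_glsa(glsa_xml).items():
        for ver in installed_versions.get(pkg, []):
            vulnerable = any(in_range(ver, r, b) for r, b in vuln)
            unaffected = any(in_range(ver, r, b) for r, b in unaff)
            if vulnerable and not unaffected:
                affected.setdefault(pkg, []).append(ver)
    return affected


if __name__ == "__main__":
    print("tree lookup, stale tree:", affected_by_tree_lookup(INSTALLED, SAMPLE_GLSA, STALE_TREE))
    print("tree lookup, fresh tree:", affected_by_tree_lookup(INSTALLED, SAMPLE_GLSA, FRESH_TREE))
    print("range check:           ", affected_by_ranges(INSTALLED, SAMPLE_GLSA))
```

Running it shows the tree-lookup model returning nothing against the stale tree while the range check flags the installed 4.9.1 in both cases; the design point is that the advisory, not the availability of an ebuild, is the source of truth for "affected", and the tree only matters when choosing what to upgrade to.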
Not a quick fix, has some semantic issues.
Reopening as this really should be looked at. Note: the man page does specify that you have to keep the tree synced for glsa-check to be useful.
(In reply to Peter Jensen from comment #2)
> This feature would indeed be nice, but for now you can work around it by
> first syncing just the glsa part of the portage tree.

@dev-portage:
I think we should add an option to make emerge and/or emaint do this.

> However, this illuminates another problem with glsa-check:
> If a glsa concerns a package where you have a vulnerable version installed,
> but where no "fixed" version exists in portage (perhaps because you don't sync
> it as often), then glsa-check will happily mark your version unaffected until
> you sync portage.
> As it turns out, I've apparently been using an insecure version of tcpdump
> for some time because of this ...

That sounds like a separate bug that needs to be fixed.
(In reply to Zac Medico from comment #5)
> (In reply to Peter Jensen from comment #2)
> > This feature would indeed be nice, but for now you can work around it by
> > first syncing just the glsa part of the portage tree.
>
> @dev-portage:
> I think we should add an option to make emerge and/or emaint do this.

I've posted a proposal here:
http://thread.gmane.org/gmane.linux.gentoo.portage.devel/5015
> I've posted a proposal

I don't think that really addresses the (original) issue: now you have to know about and run `emerge --sync-glsa` all the time for glsa-check to work. Unless you also propose to make glsa-check run `emerge --sync-glsa` before it does its thing? That could do it.

I would prefer to see the GLSAs moved to a separate git repo (which glsa-check could sync), but hey.
(In reply to Michael Orlitzky from comment #7)
> > I've posted a proposal
>
> I don't think that really addresses the (original) issue: now you have to
> know about and run `emerge --sync-glsa` all the time for glsa-check to work.

It's no worse than the current situation where you have to run emerge --sync, but it is better because you don't have to sync the whole tree when all you want is the glsa data.

> Unless you also propose to make glsa-check run `emerge --sync-glsa` before
> it does its thing? That could do it.

Sure, we could do that. It's a separate feature that depends on the new `emerge --sync-glsa` feature, though.

> I would prefer to see the GLSAs moved to a separate git repo (which
> glsa-check could sync), but hey.

We could do that, but we'd probably still want to merge them into the rsync tree as we do now. That way, we can still leverage the rsync tree for load-balancing.
Sounds good then. It may be worth considering e.g. a `--sync-only` option, ala,

  $ emerge --sync-only=metadata/glsa

which could serve the same purpose for other subdirectories, like metadata/news. But it has the problem that the tree as a whole is supposed to be consistent, and you can break things by updating only a subtree. I'd be fine with saying "don't do that" if it causes problems.
(In reply to Michael Orlitzky from comment #9)
> Sounds good then. It may be worth considering e.g. a `--sync-only` option,
> ala,
>
> $ emerge --sync-only=metadata/glsa

I think that would expose too much of the implementation details. The intention of the proposed --sync-glsa action is to abstract away the implementation details. That way, the repository layout could change, but --sync-glsa would continue to "do the right thing" as long as we update the code.
I've started working on user-interfaces for emerge and emaint in the following branch:

https://github.com/zmedico/portage/tree/sync-submodule

This adds support for a new --sync-submodule <glsa|news|profiles> option to both emerge and emaint. When this option is used with the sync action, only the selected submodules are synced. Each submodule is referenced using an abstract identifier, which serves to hide the implementation details involving the precise locations of specific submodules within each repository.
(In reply to Zac Medico from comment #11)
> This adds support for a new --sync-submodule <glsa|news|profiles> option

I've filed bug 534070 for this feature, and I've posted a working patch for it.
glsa-check is included with >=sys-apps/portage-2.3.72 (bug 463952).