[CentOS] documentation for kernel

Thu Sep 18 16:13:20 UTC 2014
Johnny Hughes <johnny at centos.org>

On 09/18/2014 10:37 AM, m.roth at 5-cent.us wrote:
> Johnny Hughes wrote:
>> On 09/17/2014 04:58 PM, Sven Kieske wrote:
>>> On 17.09.2014 03:15, Johnny Hughes wrote:
>>>>> Thank you, how can I query which updates that are available are
>>>>> security updates?
>>>
>>>> you can't .. other than to look at the centos-announce mailing
>>>> list
> 
> Not exactly correct. You can install yum-plugin-security. From rpm -qi:
> Description :
> This plugin adds the options --security, --cve, --bz and --advisory flags
> to yum and the list-security and info-security commands.
> The options make it possible to limit list/upgrade of packages to specific
> security relevant ones. The commands give you the security information.
> <snip>

yum-security also works on RHEL, but not on CentOS .. I write this stuff
and release it, if there was a way, I would tell you.  There isn't.
yum-security also requires something we don't have and is all part of
the effort I talked about before.

>> We would certainly be glad to have some community members create and
>> maintain packages for this, as well as maintaining spacewalk security
>> information as well.
> 
> Well, I implemented spacewalk in '09, at a short term contract I was on. I
> hope I *NEVER* have to deal with that again.... Let's see, at the time, it
> *required*, and wouldn't work with *anything* other than Oracle. And to
> get it working, and it was not a huge server farm at that job, I had to
> tweak Oracle (the free version) to use 992M of its allowed 1G memory (the
> default was significantly lower). And the tools were *not* well
> documented. I think it went from 0.3.x to 0.3.x+2, or maybe 0.4; IMO,
> nowhere ready for prime time.
> 
> Oh, and it used cobbler, so I guess it was a complicated gui on top of
> cobbler....
> 

What needs to be maintained is a full database of all the CVE info.  We
can't use the Red Hat one and someone would need to find the time to
track, test, and input said data to be able to use yum-security and
generate the metadata for spacewalk security issues.

This takes time.  We currently have 4 team members to maintain 3 active
distros, maintain all the infrastructure that the teams use, do all the
cloud images that people see, represent CentOS at all the trade shows, etc.

The reason the process is opened up and is community is so people can
step up and do all these additive things in a SIG.

So, if you (not Mark, but any of YOU) want something, figure out how it
can be done and make recommendations on how to make it happen.

Take this issue ... yum security does not work unless there is:

1.  One single big repo of all RPMs in one place (Note:  we don't do
this, we need a modification to the process to allow it to look at
vault.centos.org or maybe if all the other issues are solved, we can
create a combined repo specifically for this).

2.  We need a database (or other mechanism) that holds all the required
info.  This data needs to be maintained.  We currently do the mailing list
of CentOS announce.  If that contains all the data and all it needs is
reformatting, then great ... or we may need other data.

So, what we need is for people to look at what is out there, figure out
what is needed, figure out how to change programs (if required), how to
maintain the data, etc.

Thanks,
Johnny Hughes

