We have an alert for CentOS packages with security updates, and I was curious how it works. Turns out that what it does is a search-engine search for
[$package $version site:https://rhn.redhat.com/errata/]
{yeah, doesn't even put $version in quotes!}
And then fetches the top result looking for the string /Security Advisory/
We update all packages to tip whenever we update. This not-completely-accurate method turns the ordinary "you have some updates, zzzz" to the occasional "you have security updates! zomg!"
Amusing. Keeps people awake.
Anyway, if we did have such a tool, we should definitely build it such that the only thing it does is look at your current machine and say, "you're not at tip, and some of your packages have security problems. update to tip." That would not increase the size of the tree nor encourage people to unsafely do partial updates. And it wouldn't require a huge historical analysis.
-- greg
On Sun, Nov 23, 2014 at 01:54:49AM +0100, Gabriele Pohl wrote:
On Sat, 22 Nov 2014 17:10:40 -0600 "John R. Dennison" jrd@gerdesas.com wrote:
On Sat, Nov 22, 2014 at 11:41:17PM +0100, Gabriele Pohl wrote:
I don't like to spend time creating ugly workarounds, and therefore would highly appreciate it if the CentOS developers would add the data to the yum repositories. Then I could use Munin to monitor the pending security packages for CentOS as well, as I now do only for my RHEL machines.
It's not that simple. Please have a look at the list archives for the past couple of months, where this was addressed. The threads were either here or on the centos-devel mailing list.
Thanks to Nux!, who posted the following link in the first reply of this thread:
Begin forwarded message:
Date: Sat, 22 Nov 2014 12:44:57 +0000 (GMT)
From: Nux! nux@li.nux.ro
To: CentOS mailing list centos@centos.org
Subject: Re: [CentOS] yum-plugin-security
This plugin does not work on CentOS, at least not yet, there were previous discussions. e.g. http://centos-devel.1051824.n5.nabble.com/CentOS-devel-yum-plugin-security-a...
I read this thread and also another, which is referred to therein: http://lists.centos.org/pipermail/centos-devel/2014-September/011893.html
If memory serves the primary factor that is holding this up is a space requirements issue; the threads can shed more light on it, however.
To tell the truth, as a person who is not familiar with the internal structures and procedures of tree building and maintenance of the repositories, I don't really understand why it should be so difficult to handle a "security-update" flag for the update packages, but I have to believe the experts who make statements on this topic.
Here is what I picked up when reading the thread from devel list:
- For a valid approach, data for all packages over the complete history of the major version is needed.
- At the moment the data is only sent to the announce mailing list, and it would take a big effort, including manual work, to collect all the data back from there.
- "it would add significantly to the size required to mirror CentOS and require a redesign of how we do trees completely (we currently only push the latest tree for each live major version)." (Johnny Hughes)
- The developers fear that the yum-plugin-security functions may seduce people into installing only the security-relevant packages, which can cause problems.
- The tools used by the Scientific Linux repo maintainers, who support a security classification, are available under a free software license: https://cdcvs.fnal.gov/redmine/projects/python-updateinfo
My personal view is represented by the mails of Kevin Stange in this thread. And I still hope that the issue will be solved by integrating the "security update" flag into the CentOS repositories in the future.
So far, thanks to all contributors for your replies in this thread,
Gabriele
_______________________________________________
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
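The checker greg sketches above (look only at the installed packages and flag the ones with a pending security update), as an added example that is not code from this thread, from yum-plugin-security or from any CentOS tool. It reads the updateinfo.xml format that yum-plugin-security consumes, which is the "security update" data Gabriele asks to have added to the repositories; the XML fragment and the installed set are constructed sample data, and the version comparison is a simplified rpm-style compare rather than rpm's own labelCompare.

```python
import re
import xml.etree.ElementTree as ET

# Constructed updateinfo.xml fragment in the format yum-plugin-security reads.
UPDATEINFO_XML = """<updates>
  <update type="security" status="final">
    <id>EXAMPLE-SA-2014:0001</id><severity>Important</severity>
    <pkglist><collection>
      <package name="bash" epoch="0" version="4.1.2" release="15.el6_5.2" arch="x86_64"/>
    </collection></pkglist>
  </update>
  <update type="bugfix" status="final"><id>EXAMPLE-BA-2014:0002</id>
    <pkglist><collection><package name="tzdata" epoch="0" version="2014j" release="1.el6" arch="noarch"/></collection></pkglist>
  </update>
</updates>"""

def _segments(s):
    # Split "15.el6_5.2" into [15, "el", 6, 5, 2], the way rpm tokenises version strings.
    return [int(t) if t.isdigit() else t for t in re.findall(r"\d+|[A-Za-z]+", s)]

def rpm_vercmp(a, b):
    """Simplified rpm comparison of (epoch, version, release) tuples: returns 1, 0 or -1."""
    ea, eb = int(a[0]), int(b[0])
    if ea != eb:
        return 1 if ea > eb else -1
    for x, y in zip(a[1:], b[1:]):          # version first, then release
        sx, sy = _segments(x), _segments(y)
        for p, q in zip(sx, sy):
            if p == q: continue
            if isinstance(p, int) != isinstance(q, int):
                return 1 if isinstance(p, int) else -1   # a numeric segment beats an alpha one
            return 1 if p > q else -1
        if len(sx) != len(sy):
            return 1 if len(sx) > len(sy) else -1       # longer (more segments) is newer
    return 0

def pending_security_updates(updateinfo_xml, installed):
    """installed: {name: (epoch, version, release)} -> [(name, advisory_id, severity)]."""
    found = []
    for upd in ET.fromstring(updateinfo_xml).findall("update"):
        if upd.get("type") != "security":       # bugfix/enhancement entries are ignored
            continue
        adv, sev = upd.findtext("id"), upd.findtext("severity", "unknown")
        for pkg in upd.iter("package"):
            name = pkg.get("name")
            candidate = (pkg.get("epoch", "0"), pkg.get("version"), pkg.get("release"))
            if name in installed and rpm_vercmp(candidate, installed[name]) > 0:
                found.append((name, adv, sev))
    return found
```

On a real host the `installed` dict would be filled from `rpm -qa --qf '%{NAME} %{EPOCH} %{VERSION} %{RELEASE}\n'` and the XML taken from the repository's updateinfo.xml; with the constructed data above, bash (installed at release 15.el6_5.1) is reported and tzdata is not, because its entry is a bugfix.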