[CentOS-devel] yum-security and CentOS-5 / 6

Wed Aug 1 16:49:16 UTC 2012
Karanbir Singh <mail-lists at karan.org>

hi Guys,

with a bit of time opening up, I've gone back to looking at the
yum-security issue and how we can address it ( i.e: atleast get the
basics working ).

I plan on doing the work in multiple stages as :

step1: get a basic set of metadata online so that people can detect if
an update is tag'd security, bugfix or enhancement

step2: get some more metadata added in, with bug id's and cve's into
that metadata

step3: get everything rolled out by default on all centos installs and
look at how external projects like spacewalk/pulp etc consume this metadata

At the moment, I'm only thinking about things and trying to scope out
the work. However, there is one issue that might be a spanner in the
works based on how we have mirror.centos.org setup.

What we have right now only provides for the <version>.<release> rpmset
and updates but only in relation to that specific tree (eg. /6.3/ is
what /6/ maps to at the moment ). Yum-security metadata in this repo
would then only be relevant to the rpms contained in /6.3/, whatever
repo they might be in - however, someone running 6.0 or 6.1. when
checking for updates is likely to miss interim updates that were
security tag'd at some release level or the other.

One way to work around this would be to have yum consider all interim
package metadata between installed.rpm and latest-in-repo.rpm ( which
would then mean that we would need the yum-security metadata to contain
all info for everything ever released ; isnt a problem as such ).

Or we setup a repo that has everything ever released. This in turn has
some serious caveats. Storage on every mirror being a good problem to
start with - however, in limited tests it looks like yum will work with
redirect, so while we would need the metadata to contain all packages,
the physical packages can still be handed out from vault.centos.org, but
that redirect foo needs some level of smartness on the mirror end;
trivial to implement when we control the mirror.centos.org network,
however a very large part of the mirror services are offloaded to
external mirrors - hundreds of them. Its super tricky getting smartness
onto each and every one of their machines.

Thoughts, concerns, ideas ? There is no 'work' thats been done at this
point on the problem, so we can take pretty much any course of action
that seems sane.

I feel its important that if we are going to provide a mechanism that
people will then in turn rely on to get patch requirements for their
machines, we need to make sure we have 100% coverage.

Karanbir Singh
+44-207-0999389 | http://www.karan.org/ | twitter.com/kbsingh
ICQ: 2522219    | Yahoo IM: z00dax      | Gtalk: z00dax
GnuPG Key : http://www.karan.org/publickey.asc