[CentOS-devel] yum-plugin-security and shellshock

Wed Oct 1 19:41:49 UTC 2014
Kevin Stange <kevin at steadfast.net>

On 10/01/2014 01:10 PM, Johnny Hughes wrote:
> On 10/01/2014 12:58 PM, Johnny Hughes wrote:
>> On 10/01/2014 12:11 PM, Kevin Stange wrote:
>>
>> <snip>
>>
>> CentOS is the community .. why don't you figure it out and maintain it
>> as a SIG?
>>

If the idea of a SIG permits managing changes to the core distribution's
repodata to add this metadata, then it can be a SIG, but the SIG will
need direct access to the mirror network to implement the required changes.

But I don't think this should be a SIG.  It should be part of the core
product and it should be done in real time when the repos are updated
and the update bulletins are created.

> How would we handle this scenario:
> 
> A user has 6.3 installed, they have never updated.  We are on 6.5.
> 
> Package abc-1.2.3 is installed on their machine, it is on the 6.3 iso
> that they installed from.
> 
> Package abc-1.2.4 is a security update and in 6.4.
> 
> Package abc-1.2.5 is a bugfix only update in 6.5.
> 
> The guy says .. yum update security only.
> 
> The info in the xml file says abc-1.2.4 is the right package, but it is
> not installable from 6.5 .. what happens?

I'll be honest: I don't care about this scenario at all.  My spacewalk
server would take care of this just by virtue of CentOS having the data
ever available for these packages and constantly keeping itself current.

However, in this case, what would happen would be that 1.2.4 would not
exist in the updateinfo.xml at all, so the user would receive no update
for that particular package on the basis of security, but would still
receive updates for all the other security packages marked in
updateinfo.xml.  Maybe that creates a false sense of security, but why
have they not been installing these updates from 6.3 to 6.5 in the
meantime?  Perhaps they don't follow the centos-announce list and have
missed out on all CESAs in the past few years.  The updateinfo.xml
enables continuously keeping tabs on security issues as they come up,
and it's perfectly effective when people are doing reasonable things
already with regard to selectively installing security updates and are
caught up to the current (6.5) distribution.

Honestly, if someone is using 6.3 and has not been keeping up with
security or upgraded to 6.4 or 6.5 by now, it's really already such a
bad state that I don't think it matters if this should work.  I don't
think it is appropriate to dismiss the entire idea on the basis that
some people doing unreasonable things won't find it useful.

My interest in this feature has nothing to do with selective updating.
That is not my objective and I don't care if it works.  I am interested
in metadata that provides information, so people have easier and
pervasive access to that data when they perform their regular updates to
the supported versions of the system.

Having the only source of information be the centos-announce mailing
list is the problem I want solved.  There should be a feed that makes
use of the already existing tools that ship with the system, and that is
what updateinfo.xml is for.

-- 
Kevin Stange
Chief Technology Officer
Steadfast | http://steadfast.net
Phone: 312-602-2689 ext. 203 | Fax: 312-602-2688
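A small model of the resolution question raised in the quoted 6.3/6.4/6.5 scenario, added here as an example; it is not code from the thread or from yum-plugin-security. It assumes a constructed updateinfo.xml with placeholder advisory ids and a simplified dotted-version comparison instead of rpmvercmp, and it shows two resolution policies: requiring the exact package the advisory names, or accepting any available newer version as covering the advisory.

```python
import xml.etree.ElementTree as ET

# Constructed updateinfo.xml for the thread's scenario: a security advisory
# naming abc-1.2.4 (shipped in 6.4) and a bugfix advisory naming abc-1.2.5
# (shipped in 6.5). Advisory ids are placeholders, not real CESAs/CEBAs.
UPDATEINFO = """<updates>
  <update type="security" status="stable" from="placeholder" version="1.4">
    <id>CESA-PLACEHOLDER-1</id><title>abc security update</title>
    <severity>Important</severity>
    <pkglist><collection short="centos"><name>CentOS 6</name>
      <package name="abc" epoch="0" version="1.2.4" release="1.el6" arch="x86_64">
        <filename>abc-1.2.4-1.el6.x86_64.rpm</filename></package>
    </collection></pkglist>
  </update>
  <update type="bugfix" status="stable" from="placeholder" version="1.4">
    <id>CEBA-PLACEHOLDER-2</id><title>abc bug fix update</title>
    <pkglist><collection short="centos"><name>CentOS 6</name>
      <package name="abc" epoch="0" version="1.2.5" release="1.el6" arch="x86_64">
        <filename>abc-1.2.5-1.el6.x86_64.rpm</filename></package>
    </collection></pkglist>
  </update>
</updates>"""

def vertuple(v):
    # Simplified ordering for numeric dotted versions only; real yum uses rpmvercmp.
    return tuple(int(x) for x in v.split("."))

def security_updates(updateinfo, installed, available, accept_newer=False):
    """installed/available map package name -> version (one repo snapshot).
    Returns (installable, missing): security advisories that apply to an
    installed package and can / cannot be satisfied from the repo."""
    installable, missing = [], []
    for upd in ET.fromstring(updateinfo).findall("update"):
        if upd.get("type") != "security":
            continue  # a security-only run ignores bugfix/enhancement advisories
        adv = upd.findtext("id")
        for pkg in upd.iter("package"):
            name, ver = pkg.get("name"), pkg.get("version")
            if name not in installed or vertuple(installed[name]) >= vertuple(ver):
                continue  # not installed, or already at/after the fixed version
            avail = available.get(name)
            # Exact policy: the repo must still carry the package the advisory
            # names, so a 6.5 repo holding only 1.2.5 cannot satisfy 1.2.4.
            # accept_newer: any available version >= the fix counts as covering it.
            if avail == ver or (accept_newer and avail and vertuple(avail) >= vertuple(ver)):
                installable.append((adv, name, avail))
            else:
                missing.append((adv, name, ver))
    return installable, missing
```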