[CentOS] yum-plugin-security

Greg Lindahl lindahl at pbm.com
Sun Nov 23 02:04:56 UTC 2014


We have an alert for CentOS packages with security updates, and I was
curious how it works. Turns out that what it does is do a search
engine search for

[$package $version site:https://rhn.redhat.com/errata/]

{yeah, doesn't even put $version in quotes!}

And then fetches the top result looking for the string /Security Advisory/

We update all packages to tip whenever we update. This
not-completely-accurate method turns the ordinary "you have some
updates, zzzz" to the occasional "you have security updates! zomg!"

Amusing. Keeps people awake.

Anyway, if we did have such a tool, we should definitely build it such
that the only thing it does is look at your current machine and say,
"you're not at tip, and some of your packages have security
problems. update to tip." That would not increase the size of the
tree nor encourage people to unsafely do partial updates. And it
wouldn't require a huge historical analysis.

-- greg

On Sun, Nov 23, 2014 at 01:54:49AM +0100, Gabriele Pohl wrote:
> On Sat, 22 Nov 2014 17:10:40 -0600
> "John R. Dennison" <jrd at gerdesas.com> wrote:
> 
> > On Sat, Nov 22, 2014 at 11:41:17PM +0100, Gabriele Pohl wrote:
> > > 
> > > I don't like to spend time in creating ugly workarounds..
> > > and therefore would highly appreciate if the CentOS-Developers
> > > will add the data to the yum repositories.
> > > Then I can use Munin to monitor the pending security packages
> > > also for CentOS as now only for my RHEL machines.
> > 
> > It's not that simple.  Please have a look at the list archives in the
> > past couple months where this was addressed.  The threads were either
> > here or on the centos-devel mailing list.
> 
> thanks to Nux! who posted the following link in
> the first reply of this thread:
> 
> ----------------------------
> Begin forwarded message:
> 
> Date: Sat, 22 Nov 2014 12:44:57 +0000 (GMT)
> From: Nux! <nux at li.nux.ro>
> To: CentOS mailing list <centos at centos.org>
> Subject: Re: [CentOS] yum-plugin-security
> 
> 
> This plugin does not work on CentOS, at least not yet, there were previous discussions. e.g.
> http://centos-devel.1051824.n5.nabble.com/CentOS-devel-yum-plugin-security-and-shellshock-td5710031.html
> ----------------------------
> 
> I read this thread and also another, which is referred to therein:
> http://lists.centos.org/pipermail/centos-devel/2014-September/011893.html
> 
> > If memory serves the primary factor that is holding this up is a space
> > requirements issue; the threads can shed more light on it, however.
> 
> To tell the truth, as a person who is not familiar with the 
> internal structures and procedures of tree building and 
> maintenance of the repositories, I don't really understand 
> why it should be so difficult to handle a "security-update" flag 
> for the update packages, but I have to believe the experts, 
> who make statements on this topic.
> 
> Here is what I picked up when reading the thread from devel list:
> 
> 1. For a valid approach data for all packages over 
> the complete history of the major version is needed.
> 
> 2. At the time the data is only sent to the announce mailing list
> and it will need a big effort with also manual work to 
> collect all the data back from there.
> 
> 3. "it would add significantly to the size required to
> mirror CentOS and require a redesign of how we do trees completely (we
> currently only push the latest tree for each live major version)." (Johnny Hughes)
> 
> 4. The developers fear that the yum-plugin-security functions
> may seduce people to only install the security relevant packages,
> which can cause problems.
> 
> 5. The tools used by the Scientific Linux repo maintainers,
> who support a security classification,
> are available under a free software license.
> https://cdcvs.fnal.gov/redmine/projects/python-updateinfo
> 
> My personal view is represented by the mails of Kevin Stange in this thread.
> And I still hope that the issue will be solved by 
> integrating the "security update" flag into the
> CentOS repositories in the future.
> 
> so far and thanks for your replies to all contributors in this thread,
> 
> Gabriele
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
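The "security-update flag" the thread is asking for is what yum-plugin-security reads from a repository's updateinfo.xml in repodata. As an added illustration (not code from the thread, the CentOS project or the plugin itself), the Python below parses a constructed updateinfo.xml, compares its advisories against a constructed installed-package set using rpm-style epoch/version/release ordering, counts only advisories with type="security", and phrases the result the way Greg proposes ("update to tip") rather than handing back a cherry-pickable package list. Every advisory id, package name, version and the installed set are placeholders, not real advisories.

```python
"""Added example, not code from the thread or from yum-plugin-security:
parse a yum updateinfo.xml (the repodata file that carries the per-advisory
security flag) and report installed packages that are behind a security
advisory.  All ids, names, versions and the installed set are constructed."""
import re
import xml.etree.ElementTree as ET

# Constructed updateinfo.xml: real element layout (update/id/severity/pkglist/
# collection/package), placeholder identifiers and versions.
SAMPLE_UPDATEINFO = """<updates>
  <update from="sec@example.invalid" status="stable" type="security" version="1">
    <id>EXAMPLE-SA-2014:0001</id><title>Important: examplesh security update</title>
    <severity>Important</severity><issued date="2014-09-25 00:00:00"/>
    <pkglist><collection short="example-base"><name>example-base</name>
      <package arch="x86_64" epoch="0" name="examplesh" version="4.1" release="15.el6_5.2"/>
    </collection></pkglist>
  </update>
  <update from="sec@example.invalid" status="stable" type="bugfix" version="1">
    <id>EXAMPLE-BA-2014:0002</id><title>examplelib bug fix update</title>
    <pkglist><collection short="example-base"><name>example-base</name>
      <package arch="x86_64" epoch="0" name="examplelib" version="1.0" release="4.el6"/>
    </collection></pkglist>
  </update>
  <update from="sec@example.invalid" status="stable" type="security" version="1">
    <id>EXAMPLE-SA-2014:0003</id><title>Moderate: examplelib2 security update</title>
    <severity>Moderate</severity><issued date="2014-10-02 00:00:00"/>
    <pkglist><collection short="example-base"><name>example-base</name>
      <package arch="x86_64" epoch="0" name="examplelib2" version="1.2.3" release="7.el6"/>
    </collection></pkglist>
  </update>
</updates>
"""

# Constructed "rpm -qa" view of the host: name -> (epoch, version, release).
INSTALLED = {
    "examplesh":   ("0", "4.1",   "15.el6_5.1"),  # older than EXAMPLE-SA-2014:0001
    "examplelib":  ("0", "1.0",   "3.el6"),       # older, but that advisory is bugfix-only
    "examplelib2": ("0", "1.2.3", "7.el6"),       # already at the advisory's EVR
}

SEVERITY_RANK = {"Critical": 4, "Important": 3, "Moderate": 2, "Low": 1, "None": 0}


def rpmvercmp(a, b):
    """Simplified rpm version compare: numeric segments compare as integers,
    alphabetic ones lexically, numeric beats alphabetic, '~' sorts lowest."""
    sa, sb = re.findall(r"\d+|[A-Za-z]+|~", a), re.findall(r"\d+|[A-Za-z]+|~", b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        if "~" in (x, y):
            return -1 if x == "~" else 1
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
            continue
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        return -1 if x < y else 1
    if len(sa) == len(sb):
        return 0
    longer, sign = (sa, 1) if len(sa) > len(sb) else (sb, -1)
    return -sign if longer[min(len(sa), len(sb))] == "~" else sign


def evr_cmp(a, b):
    """Compare (epoch, version, release) tuples in rpm order."""
    for x, y in zip(a, b):
        c = rpmvercmp(x, y)
        if c:
            return c
    return 0


def parse_updateinfo(xml_text):
    """Yield (advisory_id, type, severity, [(name, (epoch, version, release)), ...])."""
    for upd in ET.fromstring(xml_text).findall("update"):
        pkgs = [(p.get("name"), (p.get("epoch") or "0", p.get("version"), p.get("release")))
                for p in upd.iter("package")]
        yield upd.findtext("id"), upd.get("type"), upd.findtext("severity") or "None", pkgs


def pending_security_updates(installed, xml_text):
    """Map package name -> (advisory_id, severity, advisory_evr) for each installed
    package older than a type="security" advisory.  Bugfix/enhancement advisories
    are skipped: that per-advisory type is the flag CentOS repodata lacked."""
    pending = {}
    for aid, utype, sev, pkgs in parse_updateinfo(xml_text):
        if utype != "security":
            continue
        for name, evr in pkgs:
            cur = installed.get(name)
            if cur is None or evr_cmp(cur, evr) >= 0:
                continue  # not installed, or already at/after the fixed EVR
            if name not in pending or evr_cmp(pending[name][2], evr) < 0:
                pending[name] = (aid, sev, evr)
    return pending


def advice(pending):
    """Flag the host and recommend a full update; never emit a partial-update list."""
    if not pending:
        return "no pending security updates"
    worst = max((sev for _, sev, _ in pending.values()), key=lambda s: SEVERITY_RANK.get(s, 0))
    return f"{len(pending)} package(s) behind a security advisory (worst: {worst}); update to tip"


if __name__ == "__main__":
    pend = pending_security_updates(INSTALLED, SAMPLE_UPDATEINFO)
    for name, (aid, sev, evr) in sorted(pend.items()):
        print(f"{name}: installed {'-'.join(INSTALLED[name])} < {'-'.join(evr)}  [{aid}, {sev}]")
    print(advice(pend))
```

On a real host the INSTALLED dict would come from `rpm -qa --qf '%{NAME} %{EPOCH} %{VERSION} %{RELEASE}\n'` and the XML from the repository's updateinfo.xml.gz; the comparison logic is the same. Note that rpmvercmp here is a simplification of rpm's real routine (it ignores the caret operator and some separator corner cases), which is enough for the examples above but should be replaced by rpm's own comparison in production.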