Mailinglist Archive: zypp-devel (47 mails)

Re: [zypp-devel] "must see" advisories for security updates, distro upgrades, OBS
  • From: Michael Andres <ma@xxxxxxx>
  • Date: Tue, 19 May 2009 13:09:12 +0200
  • Message-id: <200905191309.12672.ma@xxxxxxx>
On Monday 11 May 2009 18:26:10 Stanislav Brabec wrote:

> It is not sufficient. You want to tell the user this fact only once, and
> only if the old version was vulnerable and the new one is not.
>
> This is different from insnotify(), which is called every time a package
> is updated.
>
> As nobody is forced to install each update (especially in OBS), you
> cannot do it just for single versions.
>
> It can even happen that one is updating from a vulnerable SLES10 to a fixed
> SLES11. Even then, displaying the "must see" advisory is important.


So you want the advisory metadata to be a list of

condition
(translated?) text
condition
(translated?) text
...

where the conditions are evaluated based on the pre-commit state of the
system. If a condition is met, its text snippet is included in the final
advisory. A condition might be more than just a version or version range, e.g.
if some vulnerability was fixed by replacing/renaming a package?

Things may become tricky if you update a package while a still unconfirmed
advisory for the old version is present, esp. if the new version also ships
an advisory.

I guess deleting the package should delete the advisory.

Should advisory metadata be available even if the package was installed by
non-SUSE tools?


> In the best case the user should be warned every time package management is
> started online (from command line or GUI) until the user confirms that the
> advisory was read and action was taken (or the system was considered not
> affected).
>
> Confirming this message should be an even more privileged action than
> installing a security update itself - on a typical desktop it's OK for the
> user to click OK for an update, but it's not OK for the user to click
> "I reformatted all smart cards".

The final advisory would have to be placed somewhere in the filesystem, so you
can nag the user until he has confirmed it.



We could think about including the advisory metadata in the rpm package, e.g.
as a file in /var/adm/update-advisories/<package>-<version>, similar
to ../update-messages. So they get installed and vanish together with the
package.

As a goody, zypp post-commit could check for newly installed advisories, maybe
beautify them, and maintain the 'nag' status.

As a consequence, the advisory metadata are not available until the package is
actually installed. If we need to show this info in advance, we'd have to
duplicate it into the repo's package metadata.

Maybe we can even unify update-advisories and update-messages. There's not
much difference.

--

cu,
Michael Andres

+------------------------------------------------------------------+
Key fingerprint = 2DFA 5D73 18B1 E7EF A862 27AC 3FB8 9E3A 27C6 B0E4
+------------------------------------------------------------------+
Michael Andres YaST Development ma@xxxxxxxxxx
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
Maxfeldstrasse 5, D-90409 Nuernberg, Germany, ++49 (0)911 - 740 53-0
+------------------------------------------------------------------+
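The conditional advisory format sketched in the reply (a list of condition/text pairs evaluated against the pre-commit state, including the "package replaced/renamed" case), as an added toy evaluator that is not libzypp code: package names, versions and advisory texts are constructed, and version ordering is simplified to dotted integers.

```python
from typing import Callable, Dict, List, Optional, Tuple

# Pre-commit state of the system: package name -> installed version.
State = Dict[str, str]
Condition = Callable[[State], bool]

def vtuple(v: str) -> Tuple[int, ...]:
    # Simplified dotted-integer version compare; real rpm ordering is richer.
    return tuple(int(x) for x in v.split("."))

def older_than(name: str, fixed: str) -> Condition:
    """True if `name` is installed and older than the fixed version."""
    return lambda st: name in st and vtuple(st[name]) < vtuple(fixed)

def still_installed(old_name: str) -> Condition:
    """For fixes that replace/rename a package: the old package is present."""
    return lambda st: old_name in st

class Advisory:
    def __init__(self, package: str, version: str,
                 snippets: List[Tuple[Condition, str]]):
        self.package, self.version, self.snippets = package, version, snippets

    def render(self, pre_commit: State) -> Optional[str]:
        """Final advisory text for this system, or None when no condition
        matched (old version not vulnerable, or a fresh install)."""
        parts = [text for cond, text in self.snippets if cond(pre_commit)]
        if not parts:
            return None
        return "\n".join([f"Advisory for {self.package}-{self.version}"] + parts)

# Constructed sample advisory shipped with a hypothetical package cardtool-2.0.
CARDTOOL_ADVISORY = Advisory("cardtool", "2.0", [
    (older_than("cardtool", "2.0"),
     "Cards initialised with cardtool < 2.0 must be re-initialised."),
    (older_than("cardtool", "1.5"),
     "Versions < 1.5 also wrote an unprotected key file; remove it."),
    (still_installed("cardtool-legacy"),
     "cardtool-legacy is replaced by cardtool; migrate its configuration."),
])

def must_see_text(pre_commit: State) -> Optional[str]:
    """Evaluate the sample advisory against a pre-commit state."""
    return CARDTOOL_ADVISORY.render(pre_commit)

if __name__ == "__main__":
    print(must_see_text({"cardtool": "1.2"}))
```

A fresh install or an already fixed version yields None, which is what lets the advisory be shown only when the old version was actually affected.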

