On Monday 11 May 2009 18:26:10 Stanislav Brabec wrote:
It is not sufficient. You want to tell user this fact only once, only and only if the old version was vulnerable and the new is not.
This is different from insnotify(), which is called every time package is updated.
As nobody is forced to install each update (especially in OBS), you cannot do it just for a single versions.
It can even happen that one is updating from vulnerable SLES10 to fixed SLES11. Even then displaying of "must see" advisory is important.
So you want the advisory metadata to be a list of condition (translated?) text condition (translated?) text ... Where the conditions are evaluated based on the pre-commit state of the system. If the condition is met, the text snippet is included in the final advisory. Condition might be more than just a version or version range, e.g. if some vulnerability was fixed by replacing/renaming a package? Things may become tricky, if you update a package while a still unconfirmed advisory for the old version is present, esp. if the new version also ships an advisory. I guess deleting the package should delete the advisory. Advisory metadata should be available, even if the package was installed by non-SUSE tools?
In the best case user should be warned every time package management is started online (from command line or GUI) until user confirms that advisory was read and action was taken (or considered not being affected).
Confirming this message should be even more privileged action than installing a security update itself - on a typical desktop it's OK to click OK for update by user, but it's not OK to click "I reformatted all smart cards" by user.
The final advisory had to be placed somewhere in the filesystem, so you can nag the user until he confirmed. We could think about including advisory metadata in the rpm-package. E.g as file in /var/adm/update-advisories/<package>-<version>. Similar to ../update-messages. So they get installed and vanish together with the package. As a goody, zypp post commit could check for newly installed advisories, maybe beautify them, and maintain the 'nag'-status. As a consequence, the advisory metadata are not available until the package is actually installed. If we'd need to show this info in advance, we'd need to duplicate them into the repos package metadata. Maybe we can even unify update-advisories and update-messages. There's not much difference. -- cu, Michael Andres +------------------------------------------------------------------+ Key fingerprint = 2DFA 5D73 18B1 E7EF A862 27AC 3FB8 9E3A 27C6 B0E4 +------------------------------------------------------------------+ Michael Andres YaST Development ma@novell.com SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg) Maxfeldstrasse 5, D-90409 Nuernberg, Germany, ++49 (0)911 - 740 53-0 +------------------------------------------------------------------+ -- To unsubscribe, e-mail: zypp-devel+unsubscribe@opensuse.org For additional commands, e-mail: zypp-devel+help@opensuse.org