Re: [opensuse-factory] EOL feature
Hello,

on Friday, 27 May 2011, Marcus Meissner wrote:
> On Fri, May 27, 2011 at 11:31:15PM +0200, Dimstar / Dominique
> Leuenberger wrote:
> > Before we get any release EOL, we publish a last / final 'security'
> > update for aaa_base with a 'license' text, that is actually an
> > announcement of EOL of any given release.
>
> We did this previously (some releases ago), but the message display
> code is no longer there.
>
> We have post-update messages still, but...
> ... PackageKit and its updaters I think do not show them, so they are
> quite useless.

Did someone say that you should use post-update messages? ;-)

PackageKit can display license texts - so IMHO the way to go is to
provide an update for aaa_base with an EOL message as license.
(I know that an EOL warning is, strictly speaking, not a license - but
hey, we are searching for working solutions, not for 100% name
compliance ;-)

> Btw, the 11.2 update repo is still there,

The 11.1 repos are also still there, but the update repo comes with a
little problem. (This problem probably also exists for 11.2.)

The update repos contain an expiration date so that someone who uses a
mirror directly (without download.o.o) notices if this mirror doesn't
update the repo anymore (which could even be used by attackers to keep
security holes open).
The expiration date is a good idea to prevent "outdated mirror attacks",
and I don't want to miss it.

The problem is that this expiration date is no longer updated for 11.1 -
which is somehow understandable, but also annoying when using evergreen.
My daily update notification [1] sends me a warning every day that the
11.1 update repo is outdated :-/

And I don't want to remove the 11.1 update repo - otherwise when
installing a new package, I could get a non-patched package that got an
"official" security update, but not an evergreen update.

The question is: how can we solve this?

The easiest way is to regularly update the expiration date in the 11.1
update repo metadata. Just re-enable the script that did this while 11.1
was supported ;-)

A more complex way (probably only for future releases) would be to have
something in the evergreen repo metadata that can suppress the "outdated
repo" warning for the $version update repo.
An alternative (and more secure) way would be a zypper config option
that can selectively suppress error messages ("suppress 'outdated repo'
warning for the 12.1-update repo").

Oh, there's a third way: allow evergreen to publish the updates in the
official 11.1 update repos.


And: Yes, I'm aware that some of my ideas might not be what the security
team likes ;-)


Regards,

Christian Boltz

[1] you probably know patch2mail ;-)
BTW: the current version in home:cboltz also lists package updates
by default to follow the update notification behaviour in 11.4.
I did not update the factory package yet.

--
Just read dclp.* for a while and you'll be at a loss for words. Rolling
an armadillo over the keyboard produces better PHP code than what gets
posted there. [R. Huebenthal in darw]
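The expiration mechanism Christian describes (a timestamp in the update repo metadata, so a client pointed at a stale mirror notices that the repo is no longer refreshed) and the "selectively suppress the warning for one repo" alternative, as an added example that is neither code from this mail nor from zypper/libzypp. The `<expire>` element placed next to createrepo's `<revision>` is an assumed simplification standing in for however the real repomd.xml carries the expiry, and the three repositories are constructed samples of what an 11.1 + Evergreen system might carry:

```python
"""Repo metadata expiration check (added example, not the mail's or
libzypp's code).

Assumptions: the <expire> element is a simplified stand-in for the real
repomd.xml expiry; the repositories below are constructed samples.
"""
import xml.etree.ElementTree as ET

NS = "{http://linux.duke.edu/metadata/repo}"

# Constructed sample metadata for three repos on an 11.1 + Evergreen system.
SAMPLE_REPOMD = {
    # Official 11.1 update repo: no longer refreshed, so its expiry has lapsed.
    "11.1-update": """<?xml version="1.0"?>
<repomd xmlns="http://linux.duke.edu/metadata/repo">
  <revision>1262300000</revision>
  <expire>1280000000</expire>
</repomd>""",
    # Evergreen repo: still maintained, expiry lies in the future.
    "11.1-evergreen": """<?xml version="1.0"?>
<repomd xmlns="http://linux.duke.edu/metadata/repo">
  <revision>1306400000</revision>
  <expire>1310000000</expire>
</repomd>""",
    # A repo that publishes no expiry: a stale mirror of it cannot be
    # detected by this check at all.
    "11.1-oss": """<?xml version="1.0"?>
<repomd xmlns="http://linux.duke.edu/metadata/repo">
  <revision>1229000000</revision>
</repomd>""",
}


def parse_expiry(xml_text):
    """Return the expiry as a Unix timestamp, or None if the metadata has none."""
    root = ET.fromstring(xml_text)
    node = root.find(NS + "expire")
    if node is None or node.text is None:
        return None
    return int(node.text.strip())


def check_repo(name, xml_text, now, suppress=()):
    """Classify one repo at Unix time `now`.

    Returns (status, overdue_seconds); status is 'ok', 'expired',
    'suppressed' or 'no-expiry'.  `suppress` is the client-side allowlist
    of repo names whose outdated-repo warning the admin has opted out of.
    """
    expiry = parse_expiry(xml_text)
    if expiry is None:
        return "no-expiry", 0
    overdue = now - expiry
    if overdue <= 0:
        return "ok", 0
    # Expired: warn, unless this repo was explicitly opted out.
    if name in suppress:
        return "suppressed", overdue
    return "expired", overdue


def check_all(repos, now, suppress=()):
    """Check every repo; returns {name: (status, overdue_seconds)}."""
    return {name: check_repo(name, xml, now, suppress)
            for name, xml in repos.items()}


def warnings(results):
    """Human-readable lines for the repos that actually need attention."""
    lines = []
    for name, (status, overdue) in sorted(results.items()):
        if status == "expired":
            lines.append("WARNING: repo %s metadata expired %d days ago"
                         % (name, overdue // 86400))
        elif status == "no-expiry":
            lines.append("NOTE: repo %s publishes no expiry; a stale mirror "
                         "would go undetected" % name)
    return lines


if __name__ == "__main__":
    NOW = 1306500000  # constructed "now": late May 2011, around the mail's date
    print("--- default: every lapsed expiry warns ---")
    for line in warnings(check_all(SAMPLE_REPOMD, NOW)):
        print(line)
    print("--- with the EOL update repo opted out on the client ---")
    for line in warnings(check_all(SAMPLE_REPOMD, NOW, suppress=("11.1-update",))):
        print(line)
```

The opt-out list lives in the client's own configuration, matching the mail's "more secure" variant: nothing a repository (or a mirror serving it) publishes can silence the warning, so a stale mirror cannot hide its own staleness, and the admin who knowingly keeps the EOL update repo next to Evergreen makes that decision once, locally.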
