summaryrefslogtreecommitdiff
blob: bcdd3d303ff746e56ca34d46d7d83e451a522501 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
---
GLEP: 14
Title: security updates based on GLSA
Author: Marius Mauch <genone@genone.de>
Type: Standards Track
Status: Accepted
Version: 1
Created: 2003-08-18
Last-Modified: 2014-01-17
Post-History: 2003-08-22, 2003-08-24, 2003-11-10, 2004-10-25
Content-Type: text/x-rst
Requires: 21
---

Abstract
========

There is currently no automatic way to check a Gentoo system for identified
security holes or auto-apply security fixes. This GLEP proposes a way to deal
with this issue

Status Update
=============

Preliminary implementation ``glsa-check`` in gentoolkit, final implementation 
pending set support in portage (GLEP 21).


Motivation
==========

Automatic checking for security updates is a often requested feature for Gentoo.
Implementing it will enable users to fix security holes without reading every
security announcement. It's also a feature that is often required in enterprise
environments.


Proposed change
===============

Update tool
-----------

The coding part of this GLEP is a update tool that reads a GLSA, verifies its
GPG signature, checks if the system is affected by it and executes one of the 
following actions, depending on user preferences:

- run all steps necessary to fix the security hole, including package updates and
  daemon restarts.
- instruct the user how to fix the security hole.
- print the GLSA so the user can get more information if desired.

Once this tool is implemented and well tested it can be integrated into portage.
A prototype `implementation`_ for this tool exists.


GLSA format
-----------

The GLSA format needs to be specified, I suggest using XML for that to simplify
parsing and later extensions. See `implementation`_ for a sample DTD. The format
has to be compatible with the update tool of course. If necessary a converter
tool or an editor could be written for people not comfortable with XML (update:
a QT based editor for the GLSA format written by plasmaroo exists in the 
gentoo-projects repository). Every GLSA has to be GPG signed by the responsible 
developer, who has to be a member of the security herd.


GLSA release process
--------------------

Additional to sending the GLSA to the gentoo-announce mailing list it has to be
stored on a HTTP/FTP server and in the portage tree. I'd suggest a script should 
be used to release a GLSA that will:

- check the GLSA for correctness
- sign the GLSA with the developers GPG key
- send a mail to gentoo-announce with the XML GLSA and a plaintext version attached
- upload it to www.gentoo.org/security/en/glsa (via cvs commit)
- put it on the rsync server (via cvs commit)
- notify the moderators on the forums to make an announcement


Portage changes
---------------

Until the `update tool`_ is integrated into portage there will be no code changes
to portage. The update tool might require a few new configuration options, these
could be placed in make.conf or another config file in /etc/portage.


Rationale
=========

The lack of automated security updates for Gentoo is one of the most often requested
features for portage as it is one of the standard features of other distributions.
As Gentoo already provides GLSAs for important security bugs it is only natural
to use these to implement this feature.

To parse a GLSA in a program the format needs to be specified and a parser has
to be written. I suggest the use of XML for future GLSAs for the following reasons:

- can be parsed and validated with existing libraries
- easy to extend while maintaining backwards compatibility
- tools can convert XML GLSAs in other formats, the other direction would be harder
- websites can use XSLT to markup GLSAs

Putting the GLSAs in the portage tree allows all users to check their systems
for security updates without taking more actions and simplifies later integration
of the update tool into portage. For security minded persons the GLSAs are 
available on a HTTP server to ease the load of the rsync servers.

To verify the signatures of the GLSAs the public keys of the developers should be
available in the portage tree and on the HTTP server. The verification is necessary
to prevent exploits by fake GLSAs.


Implementation
==============

A prototype implementation (including the update tool, a DTD and a sample
XMLified GLSA) exists at http://gentoo.devel-net.org/glsa/ and in the 
gentoo-projects/gentoo-security/GLSA repository. This GLEP is based 
on that implementation, though it can be changed or rewritten if necessary.


Backwards compatibility
=======================

The current `GLSA release process`_ needs to be replaced with this proposal. It 
would be nice if old GLSAs would be transformed into XML as well, but that is
not a requirement for this GLEP.


Copyright
=========

This work is licensed under the Creative Commons Attribution-ShareAlike 3.0
Unported License.  To view a copy of this license, visit
https://creativecommons.org/licenses/by-sa/3.0/.