search

EESSI / compatibility-layer

Compatibility layer of the EESSI project
https://eessi.github.io/docs/compatibility_layer
GNU General Public License v2.0
12 stars 21 forks source link

Security updates #39

Open peterstol opened 4 years ago

peterstol commented 4 years ago

How do we apply security updates to the compatibility layer in between releases and how often? What is the impact on our design, which would like to keep all versions as fixedas possible to prevent issues higher up the stack?

Gentoo provides glsa-check (https://wiki.gentoo.org/wiki/Security_Handbook/Staying_up-to-date), which works well, but requires a sync of the repo.

emerge --sync
glsa-check -t all
This system is affected by the following GLSAs:
202009-01

Or more verbose..

glsa-check -p $(glsa-check -t all)

Apply security updates glsa-check -f $(glsa-check -t all)

The workflow might be added to our Ansible scripts

bedroge commented 3 years ago

This is what I recently used:

# Sync the overlays
emerge --sync

# Check which GLSA(s) affect our system
glsa-check --list

# Check which version(s) of an affected package we have
qlist -IRv | grep <package name>
# or for a specific package:
qlist -IRv dev-lang/python

# Find the fix for the given GLSA
glsa-check -d <GLSA>

# Fix the affected package(s), e.g.:
emerge --ask --oneshot --verbose "new_version_of_affected_package"

We should document these procedures somewhere.