pentoo / pentoo-overlay

Gentoo overlay for security tools as well as the heart of the Pentoo Livecd

[Discussion] How do you maintain with upstream packages? #327

Closed AamerShareef closed 6 years ago

AamerShareef commented 6 years ago

Hi, first of all I would like to thank the maintainers of the repository. It is much appreciated that you take the time and effort to maintain ebuilds for all the tools, for the people in the infosec and Gentoo communities.

I have a general question, for discussion purposes. Apologies if this sounds like a common question. I have tried my best to understand the context. I am very much interested in how Pentoo keeps track of the latest releases of each security tool/package in the repo.

Is there an automated way where the maintainers get informed about newer releases from the upstream sources? I assume not all the upstream packages will have RSS feeds for announcing newer releases. Or is the entire effort based on Pentoo users requesting newer package versions or version bumps?

Any comments/discussions on this is appreciated!

blshkv commented 6 years ago

Hi, thank you for the good words. Unfortunately, Gentoo does not provide a reliable mechanism and we are not ready to reinvent it. I wish we could hook up and use existing Debian or any other notification tools. There were a few attempts by schoolboys to write one from scratch, such as app-portage/euscan, but that was a wrong design using grep and not a proper API (for GitHub, for example).

So we have to use any sources really: RSS, GitHub notifications, upstream notifications (wpscan notifies us directly, for example). I also monitor https://repology.org/metapackages/outdated-in-repo/gentoo_ovl_pentoo/ manually, but it also means we are one step behind.

I have also tried https://release-monitoring.org/distro/Pentoo/ (Fedora-based) but didn't figure out how to get useful (Pentoo-related) notifications.

What is the purpose of your question?
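An added example, not code from the Pentoo overlay or from euscan, of the approach blshkv contrasts with grep-scraping: read release metadata from the GitHub releases API and compare it against the versions actually present in the overlay, skipping drafts and pre-releases so a maintainer is only pinged for a real stable bump. The ebuild listing, package names, repository slugs and API payload below are constructed for illustration and describe no real project; only the endpoint URL in fetch_releases() is real, and that function is not called in the offline demo.

```python
"""Compare ebuild versions in an overlay against upstream GitHub releases.

Constructed example: the ebuild paths, repository slugs and the API payload
are made up for illustration; none of them refer to a real package.
"""
import json
import re
import urllib.request  # used only by fetch_releases(); the demo runs offline

# Gentoo suffix ordering (PMS): _alpha < _beta < _pre < _rc < (none) < _p
SUFFIX_RANK = {"alpha": 0, "beta": 1, "pre": 2, "rc": 3, "": 4, "p": 5}

# category/package/package-version.ebuild, relative to the overlay root
EBUILD_RE = re.compile(r"^(?P<cat>[^/]+)/(?P<pn>[^/]+)/(?P=pn)-(?P<pv>[0-9][^/]*)\.ebuild$")

# Simplified Gentoo version syntax: 1.2.3, 1.2.3_rc1, 1.2.3-r2 (no letter suffix)
VERSION_RE = re.compile(
    r"^(?P<num>\d+(?:\.\d+)*)(?:_(?P<suf>alpha|beta|pre|rc|p)(?P<sufn>\d*))?(?:-r(?P<rev>\d+))?$"
)


def version_key(version):
    """Map a Gentoo-style version string to a tuple that sorts correctly."""
    m = VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unsupported version syntax: {version!r}")
    nums = tuple(int(x) for x in m["num"].split("."))
    return (nums, SUFFIX_RANK[m["suf"] or ""], int(m["sufn"] or 0), int(m["rev"] or 0))


def normalize_tag(tag):
    """Turn a git tag such as v3.9.0 or v4.0.0-rc1 into Gentoo version syntax."""
    tag = re.sub(r"^(v|release-)", "", tag)
    return re.sub(r"-(alpha|beta|pre|rc)\.?(\d*)$", r"_\1\2", tag)


def overlay_versions(paths):
    """Group ebuild versions by category/package from overlay-relative paths."""
    versions = {}
    for path in paths:
        m = EBUILD_RE.match(path)
        if m:
            versions.setdefault(f"{m['cat']}/{m['pn']}", []).append(m["pv"])
    return versions


def latest_stable(releases):
    """Highest parseable release tag that is neither a draft nor a pre-release."""
    best = None
    for rel in releases:
        if rel.get("draft") or rel.get("prerelease"):
            continue
        try:
            ver = normalize_tag(rel["tag_name"])
            key = version_key(ver)
        except ValueError:
            continue  # tags that are not versions (e.g. "nightly") are ignored
        if best is None or key > best[0]:
            best = (key, ver)
    return best[1] if best else None


def find_outdated(ebuild_paths, repo_of_package, releases_by_repo):
    """Return (package, newest ebuild version, newer upstream version) triples."""
    report = []
    for pkg, vers in sorted(overlay_versions(ebuild_paths).items()):
        repo = repo_of_package.get(pkg)
        if repo is None or repo not in releases_by_repo:
            continue
        newest_local = max(vers, key=version_key)
        upstream = latest_stable(releases_by_repo[repo])
        if upstream and version_key(upstream) > version_key(newest_local):
            report.append((pkg, newest_local, upstream))
    return report


def fetch_releases(repo, token=None):
    """Live lookup via the real GitHub REST endpoint (not called in the demo)."""
    req = urllib.request.Request(f"https://api.github.com/repos/{repo}/releases")
    req.add_header("Accept", "application/vnd.github+json")
    if token:  # unauthenticated calls are rate-limited; a token raises the limit
        req.add_header("Authorization", f"Bearer {token}")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


# Constructed overlay listing and repository mapping (hypothetical packages).
EBUILDS = [
    "net-analyzer/example-scanner/example-scanner-3.7.0.ebuild",
    "net-analyzer/example-scanner/example-scanner-3.8.1.ebuild",
    "app-forensics/example-carver/example-carver-1.4.0_rc1.ebuild",
    "app-forensics/example-carver/example-carver-1.3.2-r1.ebuild",
    "app-forensics/example-carver/metadata.xml",
]
REPO_OF = {
    "net-analyzer/example-scanner": "example-org/example-scanner",
    "app-forensics/example-carver": "example-org/example-carver",
}
# Constructed stand-in for what fetch_releases() would return per repository.
RELEASES_JSON = json.dumps({
    "example-org/example-scanner": [
        {"tag_name": "v3.9.0", "draft": False, "prerelease": False},
        {"tag_name": "v3.8.1", "draft": False, "prerelease": False},
        {"tag_name": "v4.0.0-rc1", "draft": False, "prerelease": True},
    ],
    "example-org/example-carver": [
        {"tag_name": "v1.4.0", "draft": True, "prerelease": False},
        {"tag_name": "v1.3.2", "draft": False, "prerelease": False},
    ],
})


def demo():
    """Run the offline comparison on the constructed data."""
    return find_outdated(EBUILDS, REPO_OF, json.loads(RELEASES_JSON))


if __name__ == "__main__":
    for pkg, local, upstream in demo():
        print(f"{pkg}: overlay has {local}, upstream released {upstream}")
```

In the constructed data only example-scanner is reported: its 3.9.0 release is stable, while the 4.0.0-rc1 pre-release is skipped; example-carver's 1.4.0 is still a draft, and the overlay already carries a 1.4.0_rc1 ebuild that sorts above the stable 1.3.2, so no bump is flagged. The version parser is a simplification of the Gentoo rules (no letter suffixes) and would need extending before use against a whole overlay.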

AamerShareef commented 6 years ago

Hi blshkv, Thank you so much for the clarification. Quite insightful!

The purpose, you could say, is that I am learning how different distributions approach package management so that I can build a pentesting distro to my fine tuning and maintain it. And I believe this is what made Pentoo start in the first place :) (Please do correct me if I presume wrong here.)

I really like how Gentoo offers fine control and how the ebuilds are organized in the file system, and I plan to install it on my system. Making a system from scratch (not LFS, but Gentoo and Arch for example) would strongly rely on good methods/approaches for managing the packages. This is my limited understanding.

This made me curious about how ebuilds and PKGBUILDs are maintained against upstream.

Your answer has now made me curious whether Arch-based users use similar methods to keep track of the packages, say on AUR/BlackArch/ArchStrike, against upstream providers. Also, how does detecting dependencies in Pentoo Overlay + Gentoo differ from Arch + BlackArch/ArchStrike?

Any insights would be helpful. :) Thank you!

blshkv commented 6 years ago

No idea how Arch monitors it, but Gentoo ebuilds look more advanced, i.e. eclasses do a lot of the job. I'm sure Arch can be improved as well since both distros use bash. In terms of dependencies, it depends on the language. We call the relevant mechanism (python, ruby) if it is available. However, there is a big portion of manual work as well. Obviously, optional dependencies need to be done manually too.

AamerShareef commented 6 years ago

I see. That's interesting. Thank you for explaining that. This is just an idea at the moment, but do you think we could have something similar for Pentoo in terms of implementation (or better) compared to the ArchStrike Pkgupdate system, for looking for upstream updates?

blshkv commented 6 years ago

I'm ready to use whatever works.

ephemer0l commented 6 years ago

app-portage/euscan

blshkv commented 6 years ago

@ephemer0l read before you talk

ephemer0l commented 6 years ago

Let me elaborate, this is a good tool for tracking upstream on some projects.

https://github.com/iksaif/euscan

blshkv commented 6 years ago

I said it in the very first comment. The tool sucks big time.