Opened 10 years ago
Last modified 10 years ago
#43291 new enhancement
more integrated security notification: security page, port selfupdate notice, ...
| Reported by: | jul_bsd@… | Owned by: | macports-tickets@… |
|---|---|---|---|
| Priority: | Normal | Milestone: | |
| Component: | base | Version: | |
| Keywords: | Cc: | ||
| Port: |
Description
Currently, macports does not make any difference about update, be it general/functions, security, reliability or else. It would be nice if for more aggravated categories, there were better notification to user to encourage applying update ASAP. While any competent administrator should be aware of security-announce@ list for his software, that's probably only a part of macports' users.
My wishlist
- port selfupdate and sync would notify user that there are some security/reliability update pending, eventually listing them
- have a /security/ webpage which lists updates in this category, possibly w a RSS feed
As a comparison point
- OpenBSD ports had a webpage but was removed in favor of mailing-list
http://www.openbsd.org/pkg-stable41.html http://www.openbsd.org/cgi-bin/cvsweb/www/pkg-stable41.html
- FreeBSD and NetBSD seems to rely on a port audit command
http://www.freebsd.org/doc/handbook/security-portaudit.html http://vuxml.freebsd.org/ http://www.netbsd.org/support/security/ http://ftp.netbsd.org/pub/NetBSD/packages/vulns/pkg-vulnerabilities
- DragonFly as an audit command
http://www.dragonflybsd.org/docs/howtos/HowToDPorts/
- Fink has a security policy but no package listing or notification it seems
http://fink.thetis.ig42.org/doc/security/sec-policy.en.html
- find nothing for homebrew
Change History (2)
comment:1 Changed 10 years ago by ryandesign (Ryan Carsten Schmidt)
comment:2 Changed 10 years ago by jul_bsd@…
3 ways
- have a subset livecheck.security for tool where there is a security webpage probably with hash or hash+regexp
http://www.openssh.com/security.html https://httpd.apache.org/security_report.html http://www.isc.org/downloads/software-support-policy/security-advisory/ https://www.openssl.org/news/ https://drupal.org/security https://www.ruby-lang.org/en/security/ http://www.postgresql.org/support/security/ https://www.python.org/news/security/
- a port audit command which could check livecheck.security and general security pages like
http://cve.mitre.org/ http://www.cvedetails.com/ http://www.securityfocus.com/vulnerabilities http://vuxml.freebsd.org/freebsd/index.html http://ftp.netbsd.org/pub/NetBSD/packages/vulns/pkg-vulnerabilities
- a web page, not that much to reference every security update (could if automated way but it already exists on other systems) but at least give a way to check security of your installed port and give very important security announce/RSS as a complement to mailing-list, security contact
Of course, if author of a tool say nothing about a security fix and nothing is known publicly elsewhere, there is no way to tell. Ideally, the test infrastructure would make a livecheck once/day-week-whatever you like and notify maintainer or a defined list an update is pending. If it matches livecheck.security, it could be stressed out
Replying to jul_bsd@…:
Where and in what format would you propose that we store this information? This also presupposes that the persons updating ports are aware of when an update is a security update and when it is not; this is probably not always the case. A lot of maintainers such as myself probably just use
port livecheckto find new versions, and update the port to that version, without much further investigation.This presupposes that we have the above information about what updates were security updates.