The Sabayon overlay and security updates

Cioran
Baby Hen
Posts: 1
Joined: Tue Jun 19, 2007 21:24


Post by Cioran » Fri Jun 22, 2007 21:13

Hi,

I'd be interested in installing Sabayon Business Edition as and when it's released, not least because of Gentoo's reputation for timely security fixes.

Given that Sabayon consists in part of a custom overlay, though, my question is this: for Sabayon users who choose to remain with stable rather than test releases, how often is that overlay updated for security purposes, and where can I find a changelog reflecting those updates?

Garth

Dark_MaGe
Your Farmer
Posts: 1699
Joined: Thu Jun 29, 2006 8:19
Location: Catania Italy

Post by Dark_MaGe » Sun Jun 24, 2007 20:26

As long as we find bugs and people report them, we might fix them. The only problem is that there are two of us, and we lack both people and funds; since we need to work, study or do anything else to keep a normal life going and make a living, we do this as a hobby more than a real job. We can't afford to spend 24 hours a day working on it; donations are just enough to pay the bills, certainly not to make a wage or anything of the kind... so any bug or security issue will be fixed... but in our own time.

Fitzcarraldo
Sagely Hen
Posts: 8218
Joined: Sat Mar 10, 2007 5:40
Location: United Kingdom

Post by Fitzcarraldo » Mon Jun 25, 2007 14:33

^ And you guys do a great job. I'm here running SL 3.4 Loop 2b and watching a DivX video with SMPlayer, browsing the Web using Firefox and Konqueror, reading my e-mails with Thunderbird, scanning some sketches with Kooka and attaching them to a letter in OOo Writer and listening to streaming BBC Radio 4 using KMPlayer (which I think you should put back onto the 3.4 LiveDVD, BTW ;-) ).

Grazie. Avanti Italia! :D

voxiac
Advanced Hen
Posts: 218
Joined: Sat Feb 10, 2007 17:05
Location: Denmark

Post by voxiac » Mon Jun 25, 2007 15:08

Fitzcarraldo wrote:
^ And you guys do a great job. I'm here running SL 3.4 Loop 2b and watching a DivX video with SMPlayer, browsing the Web using Firefox and Konqueror, reading my e-mails with Thunderbird, scanning some sketches with Kooka and attaching them to a letter in OOo Writer and listening to streaming BBC Radio 4 using KMPlayer (which I think you should put back onto the 3.4 LiveDVD, BTW ;-) ).

Grazie. Avanti Italia! :D

Sorry to be a spoil-sport, but the OP's use case is completely different from yours. He wants only tried and tested packages, with something like this for the Sabayon overlay:
http://www.gentoo.org/security/en/glsa/
to ensure that there are no discovered vulnerabilities in those stable packages, and also that unstable packages with security fixes would be stabilized ASAP. You might not care about this since you're using the newest packages anyway, but the OP obviously does.

I fully understand that devs can't do everything but here are my thoughts about how it could be done.
[2cents]
The best solution would be integrating overlay support into GLSAs, but it'll take some time to convince Gentoo to do that (if they don't refuse it altogether at once). The next best solution is to create SLSAs (Sabayon Linux Security Advisories) and perhaps a tool like glsa-check for them. Of course, for this to function there should be people who are knowledgeable about security (are there any among us?) to actually watch the situation and report vulnerabilities in the packages in the Sabayon overlay to Bugzilla.
I don't know whether some automated scripts can help out with this (like making a script which'll scan an RSS feed of vulnerabilities from, say, Secunia and compare it with the packages in the overlay).
[/2cents]

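As an added illustration of the automated cross-check voxiac sketches above (this is not code from the thread or from the Sabayon project), the script below parses a constructed advisory feed and reports which overlay packages are still below the first fixed version named in an advisory. The feed layout (an item title of the form "category/package < fixed-version"), the overlay package listing, the example.invalid links and the simplified Gentoo version ordering are all assumptions made for the example; Secunia's real feed format is not reproduced here.

```python
"""Advisory-feed vs. overlay cross-check (added example, not Sabayon project code).

Parses a constructed RSS feed of security advisories, extracts the affected
package and the first fixed version from each item, and reports overlay
packages (also constructed here) whose version is still below the fix.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample feed. The title convention "<cat>/<pkg> < <fixed>" is an
# assumption for this example, not the layout of any real advisory feed.
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel>
<item><title>net-misc/curl &lt; 7.16.2</title><link>http://example.invalid/adv/1</link></item>
<item><title>media-video/mplayer &lt; 1.0_rc1_p20070321</title><link>http://example.invalid/adv/2</link></item>
<item><title>x11-libs/qt &lt; 3.3.8</title><link>http://example.invalid/adv/3</link></item>
</channel></rss>"""

# Constructed overlay listing, mimicking category/package-version atoms.
SAMPLE_OVERLAY = [
    "net-misc/curl-7.16.1",
    "media-video/mplayer-1.0_rc1_p20070321",
    "app-misc/sabayon-artwork-1.0",
]

# Simplified Gentoo ordering: _alpha < _beta < _pre < _rc < (no suffix) < _p.
SUFFIX_ORDER = {"alpha": -4, "beta": -3, "pre": -2, "rc": -1, "p": 1}
VERSION_RE = re.compile(
    r"^(\d+(?:\.\d+)*)([a-z])?((?:_(?:alpha|beta|pre|rc|p)\d*)*)(?:-r(\d+))?$"
)


def parse_version(v):
    """Turn a version string into a tuple that sorts in (simplified) Gentoo order."""
    m = VERSION_RE.match(v)
    if not m:
        raise ValueError("unparsable version: %s" % v)
    nums, letter, suffixes, rev = m.groups()
    numeric = tuple(int(x) for x in nums.split("."))
    letter_rank = ord(letter) - ord("a") + 1 if letter else 0
    suffix_key = [
        (SUFFIX_ORDER[name], int(num or 0))
        for name, num in re.findall(r"_(alpha|beta|pre|rc|p)(\d*)", suffixes)
    ]
    if not suffix_key:
        suffix_key = [(0, 0)]  # a plain release sits above _rc and below _p
    return (numeric, letter_rank, tuple(suffix_key), int(rev or 0))


def split_atom(atom):
    """Split 'cat/pkg-ver' into ('cat/pkg', 'ver'); the version starts at the first '-<digit>'."""
    m = re.match(r"^(.+?)-(\d[^-]*(?:-r\d+)?)$", atom)
    if not m:
        raise ValueError("unparsable atom: %s" % atom)
    return m.group(1), m.group(2)


def parse_feed(xml_text):
    """Return (package, first_fixed_version, link) for every parsable feed item."""
    advisories = []
    for item in ET.fromstring(xml_text).iter("item"):
        m = re.match(r"^(\S+/\S+) < (\S+)$", item.findtext("title", ""))
        if m:
            advisories.append((m.group(1), m.group(2), item.findtext("link", "")))
    return advisories


def find_vulnerable(advisories, overlay_atoms):
    """Return (package, overlay_version, fixed_version, link) for overlay packages below the fix."""
    in_overlay = dict(split_atom(a) for a in overlay_atoms)
    hits = []
    for pkg, fixed, link in advisories:
        have = in_overlay.get(pkg)
        if have is not None and parse_version(have) < parse_version(fixed):
            hits.append((pkg, have, fixed, link))
    return hits


if __name__ == "__main__":
    for pkg, have, fixed, link in find_vulnerable(parse_feed(SAMPLE_FEED), SAMPLE_OVERLAY):
        print("%s: overlay has %s, fixed in %s (%s)" % (pkg, have, fixed, link))
```

On the constructed data only net-misc/curl is reported: the overlay's mplayer already matches the fixed version, and x11-libs/qt is not in the overlay at all. The version comparison is a simplification of Portage's rules (it ignores, for example, the special handling of trailing zeros), which is enough for a first-pass filter but not for deciding an advisory's status on its own.
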
Fitzcarraldo
Sagely Hen
Posts: 8218
Joined: Sat Mar 10, 2007 5:40
Location: United Kingdom

Post by Fitzcarraldo » Mon Jun 25, 2007 17:36

You're not a spoilsport at all, voxiac, so no need to apologise. I understand perfectly where the first poster is coming from -- I use SL on my laptop for both business and pleasure, and have used it for work in three different countries already -- so my "use case" is varied and I would be the first to welcome regular security updates, especially as I use my laptop in all sorts of offices and hotels around the world. What I was trying to convey to Dark_MaGe (and lxnay) is "you're doing a fantastic job, keep up the great work" and "do what you can because, with just two (?) devs, I'd rather have what there is -- which already accomplishes a heck of a lot -- than no SL at all".

voxiac
Advanced Hen
Posts: 218
Joined: Sat Feb 10, 2007 17:05
Location: Denmark

Post by voxiac » Mon Jun 25, 2007 19:22

Fitzcarraldo wrote:"do what you can because, with just two (?) devs, I'd rather have what there is -- which already accomplishes a heck of a lot -- than no SL at all".
Yup, so the obvious solution is to recruit more devs. The problem is however that there is no systematic approach to recruitment now. What I would like to see is something like this:
http://www.gentoo.org/proj/en/devrel/ha ... ndbook.xml
It doesn't need to be very extensive and could just as well be:
"Here's how you check out our SVN; look there, understand the code and begin submitting patches. If we deem them worthy you get commit access." It must also be clear where they'd like others to help.
It could be anything from a "Project Ideas" page on the wiki to the list of bugs on Bugzilla, so everyone can look at those tasks of varying complexity, think about which of them they can help out with, begin hacking on something right away and then, if it becomes something neat, show it to the devs.
People have to understand that it's not the dev sticker which empowers you to contribute but only your skills (programming, ebuildism, understanding of Portage's inner workings, etc.).

EDIT yay a step in the right direction:
http://planet.sabayonlinux.org/?p=47
