#43291 new enhancement: more integrated security notification: security page, port selfupdate notice, ...

Opened 11 years ago, last modified 11 years ago

Reported by: jul_bsd@…
Owned by: macports-tickets@…
Priority: Normal
Milestone:
Component: base
Version:
Keywords:
Cc:
Port:

Description

Currently, macports does not make any distinction between kinds of updates, be they general/functional, security, reliability or else. It would be nice if, for the more aggravated categories, there were better notification to the user to encourage applying the update ASAP. While any competent administrator should be aware of the security-announce@ list for his software, that's probably only a part of macports' users.

My wishlist

  • port selfupdate and sync would notify the user that there are some security/reliability updates pending, eventually listing them
  • have a /security/ webpage which lists updates in this category, possibly with an RSS feed

As a comparison point

  • OpenBSD ports had a webpage but was removed in favor of mailing-list

http://www.openbsd.org/pkg-stable41.html http://www.openbsd.org/cgi-bin/cvsweb/www/pkg-stable41.html

  • FreeBSD and NetBSD seem to rely on a port audit command

http://www.freebsd.org/doc/handbook/security-portaudit.html http://vuxml.freebsd.org/ http://www.netbsd.org/support/security/ http://ftp.netbsd.org/pub/NetBSD/packages/vulns/pkg-vulnerabilities

  • DragonFly has an audit command

http://www.dragonflybsd.org/docs/howtos/HowToDPorts/

  • Fink has a security policy but no package listing or notification it seems

http://fink.thetis.ig42.org/doc/security/sec-policy.en.html

  • found nothing for Homebrew

Change History (2)

comment:1 in reply to:  description Changed 11 years ago by ryandesign (Ryan Carsten Schmidt)

Replying to jul_bsd@…:

My wishlist

  • port selfupdate and sync would notify the user that there are some security/reliability updates pending, eventually listing them

Where and in what format would you propose that we store this information? This also presupposes that the persons updating ports are aware of when an update is a security update and when it is not; this is probably not always the case. A lot of maintainers such as myself probably just use port livecheck to find new versions, and update the port to that version, without much further investigation.

  • have a /security/ webpage which lists updates in this category, possibly with an RSS feed

This presupposes that we have the above information about what updates were security updates.

comment:2 Changed 11 years ago by jul_bsd@…

3 ways:

  • have a subset livecheck.security for tools where there is a security webpage, probably with a hash or hash+regexp

http://www.openssh.com/security.html https://httpd.apache.org/security_report.html http://www.isc.org/downloads/software-support-policy/security-advisory/ https://www.openssl.org/news/ https://drupal.org/security https://www.ruby-lang.org/en/security/ http://www.postgresql.org/support/security/ https://www.python.org/news/security/

  • a port audit command which could check livecheck.security and general security pages like

http://cve.mitre.org/ http://www.cvedetails.com/ http://www.securityfocus.com/vulnerabilities http://vuxml.freebsd.org/freebsd/index.html http://ftp.netbsd.org/pub/NetBSD/packages/vulns/pkg-vulnerabilities

  • a web page, not so much to reference every security update (it could, if automated, but that already exists on other systems) but at least to give a way to check the security of your installed ports and to give very important security announcements/RSS as a complement to the mailing list and security contact

Of course, if the author of a tool says nothing about a security fix and nothing is known publicly elsewhere, there is no way to tell. Ideally, the test infrastructure would run a livecheck once a day/week/whatever you like and notify the maintainer or a defined list that an update is pending. If it matches livecheck.security, it could be stressed.
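To make the two mechanisms proposed in this comment concrete, here is an added illustration in Python; it is not MacPorts code and not part of the ticket. It assumes a simplified vulnerability list in the spirit of NetBSD's pkg-vulnerabilities file (one entry per line: package and version constraint, vulnerability type, reference URL; the entries below are constructed, not real advisories) and an installed-port table, and implements a toy `port audit` that reports installed versions matching an entry. The second part shows the "hash+regexp" livecheck.security idea: hash a project's security page to detect that it changed, then pull advisory identifiers out of it with a regular expression (the page text and the CVE-0000-* identifiers are placeholders).

```python
"""Toy 'port audit' and 'livecheck.security' check (added example, not MacPorts code)."""
import hashlib
import re

# Constructed sample vulnerability list, loosely modeled on the
# pkg-vulnerabilities layout: <package><op><version>  <type>  <reference>.
# None of these entries describe a real advisory.
VULN_DB = """\
# package-pattern   type                    reference
exampletool<2.4.1   remote-code-execution   https://example.invalid/advisory-1
exampletool<2.3.0   denial-of-service       https://example.invalid/advisory-0
otherlib<=1.0.5     information-disclosure  https://example.invalid/advisory-2
"""

# Constructed table of installed ports: name -> version.
INSTALLED = {"exampletool": "2.3.5", "otherlib": "1.0.5", "unrelated": "9.9"}

_ENTRY = re.compile(
    r"^(?P<name>[A-Za-z0-9_+-]+)(?P<op><=|>=|<|>|=)(?P<ver>[0-9A-Za-z.\-]+)"
    r"\s+(?P<type>\S+)\s+(?P<url>\S+)$"
)

OPS = {
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "=": lambda a, b: a == b,
}


def version_key(version):
    """Split '2.3.5' into a comparable tuple; numeric parts sort before
    alphabetic ones so '1.0.5' < '1.0.5a' and '2.3.5' < '2.4.1'."""
    return tuple(
        (0, int(p)) if p.isdigit() else (1, p) for p in re.split(r"[.\-]", version)
    )


def parse_vuln_db(text):
    """Parse the constructed vulnerability list; reject malformed lines loudly
    rather than silently skipping an advisory."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _ENTRY.match(line)
        if not m:
            raise ValueError(f"line {lineno}: unparseable entry: {line!r}")
        entries.append(m.groupdict())
    return entries


def audit(installed, entries):
    """Return (port, installed_version, type, reference) for every entry whose
    version constraint matches an installed port."""
    findings = []
    for e in entries:
        installed_version = installed.get(e["name"])
        if installed_version is None:
            continue
        if OPS[e["op"]](version_key(installed_version), version_key(e["ver"])):
            findings.append((e["name"], installed_version, e["type"], e["url"]))
    return findings


# --- livecheck.security: hash + regexp over a project's security page ---

# Placeholder identifiers: CVE-0000-* is not a real CVE year.
ADVISORY_RE = re.compile(r"\b(CVE-\d{4}-\d{4,})\b")


def page_digest(page_text):
    """SHA-256 of the page body; storing this in the Portfile-equivalent lets a
    later run notice that the security page changed at all."""
    return hashlib.sha256(page_text.encode("utf-8")).hexdigest()


def security_page_check(page_text, known_digest):
    """Return (changed, digest, advisories): 'changed' is the hash comparison,
    'advisories' is what the regexp extracted so the notice can list them."""
    digest = page_digest(page_text)
    advisories = sorted(set(ADVISORY_RE.findall(page_text)))
    return digest != known_digest, digest, advisories


# Constructed security page, before and after a new advisory is published.
SECURITY_PAGE_OLD = "Security advisories\n\nCVE-0000-0001 fixed in 2.3.0\n"
SECURITY_PAGE_NEW = SECURITY_PAGE_OLD + "CVE-0000-0002 fixed in 2.4.1\n"

if __name__ == "__main__":
    for port, ver, kind, url in audit(INSTALLED, parse_vuln_db(VULN_DB)):
        print(f"{port}-{ver}: {kind} ({url})")
    changed, _, advisories = security_page_check(SECURITY_PAGE_NEW, page_digest(SECURITY_PAGE_OLD))
    if changed:
        print("security page changed; advisories seen:", ", ".join(advisories))
```

The hash alone only tells a maintainer that the page moved, which is the cheap signal the comment asks for; the regexp is what turns that into a listable notice, and the audit step is what a user-facing `port audit` would run against the installed-port table. As the comment notes, neither can report a fix the upstream author never announced.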
