Gentoo Forums
SUGGESTION: Portage 6 month "freeze" option

richk449
Guru


Joined: 24 Oct 2003
Posts: 345

PostPosted: Fri Feb 04, 2005 7:29 pm    Post subject: Reply with quote

BlackEdder wrote:
richk449 wrote:
I think this is a great idea. I wouldn't use it, but I would love to set up a linux computer for my parents using it. As of right now, there is no distro that I know of that I can install and trust enough that I could remotely update it without risk of breaking anything.
I think I would install ubuntu for them :) (at least until GLEP 19 is implemented)

Will I have to reinstall every six months when a new Ubuntu is released? (Note that this is the fundamental problem with the "standard" distros like RedHat and Suse.) Or is it like gentoo, where I can keep it up to date forever?

BlackEdder
Advocate


Joined: 26 Apr 2004
Posts: 2588
Location: Dutch enclave in Egham, UK

PostPosted: Fri Feb 04, 2005 7:34 pm    Post subject: Reply with quote

I think you can just upgrade it to the next release, as far as I know it's the same as with debian and you don't have to reinstall that to keep it up2date...

Not sure though :) Their website will probably help you out

Flammie
Retired Dev


Joined: 02 Jun 2003
Posts: 633
Location: Dublin, Ireland

PostPosted: Fri Feb 04, 2005 7:47 pm    Post subject: Reply with quote

richk449 wrote:
How do you stay up to date on security fixes without (a) emerging world or (b) using some glsa-something scheme, which requires micromanaging things?


You only emerge the packages having security fixes? I mean, for any environment where security and stability is such a great concern, doing blind emerge worlds or trusting security updates in hands of one automated script -- even if it was stable and working -- is not the way to do your job. Well, actually doing blind emerge worlds for any other than testing-bleeding-edge-systems is quite careless.

richk449
Guru


Joined: 24 Oct 2003
Posts: 345

PostPosted: Fri Feb 04, 2005 8:03 pm    Post subject: Reply with quote

Flammie wrote:
richk449 wrote:
How do you stay up to date on security fixes without (a) emerging world or (b) using some glsa-something scheme, which requires micromanaging things?


You only emerge the packages having security fixes? I mean, for any environment where security and stability is such a great concern, doing blind emerge worlds or trusting security updates in hands of one automated script -- even if it was stable and working -- is not the way to do your job. Well, actually doing blind emerge worlds for any other than testing-bleeding-edge-systems is quite careless.

Fine. So if you want a secure computer, you have to micromanage it.

As I noted above, I don't mind keeping my computers up to date and secure. What I want is a way to keep my parents computers up to date and secure, without having to micromanage all of the updating issues.

For the record, I want to make clear that I am not complaining. I am very lucky to have a wonderful distro like gentoo. I am simply pointing out that I would consider the suggestion made by the original poster (and apparently GLEP19) very useful. Apparently, showing interest demonstrates that I am "careless" and "not doing my job".

Loke
Apprentice


Joined: 25 May 2002
Posts: 274
Location: Norway

PostPosted: Fri Feb 04, 2005 8:29 pm    Post subject: Reply with quote

richk449 wrote:
Apparently, showing interest demonstrates that I am "careless" and "not doing my job".


Not at all - you have just encountered a Gentoo-ricer who fails to see why GLEP19 is a very good idea :lol:
_________________
I'm not saying there should be capital punishment for stupidity, I'm saying why don't we take the warning labels off of everything, and let the problem take care of itself?

truekaiser
l33t


Joined: 05 Mar 2004
Posts: 801

PostPosted: Fri Feb 04, 2005 10:25 pm    Post subject: Reply with quote

Flammie wrote:
Umm, I might be missing something, but why do you all install kernel sources if you don't need them? It's not a requirement to do emerge world every day.

Other than that, I think what this suggestion is about is pretty much the same as the stable gentoo tree glep 19, which gets discussed every once in a month.


i don't have to install it but it will complain if i do not at least have the sources in /usr/src/. each kernel is about 250~ megs. i do not want to waste that 250 or so megs just because Ry went stable on ppc but is the same as Rx for x86. which is what the current system is. when it's marked stable on any arch it's basically bumped up a R number.

Flammie
Retired Dev


Joined: 02 Jun 2003
Posts: 633
Location: Dublin, Ireland

PostPosted: Sat Feb 05, 2005 12:15 am    Post subject: Reply with quote

richk449 wrote:
Fine. So if you want a secure computer, you have to micromanage it.


That is and always will be the case, unless you are really going to trust that automated tool would be enough to do such a job. But I don't understand really what is this whining about "micromanaging" about, regardless of O/S, distro, anything, you will always have to know what is inside to have it completely secure and stable. Of course some dream of self-healing self-understanding computers is a nice ideal, but let's save them for bedtime-stories, shall we.

Quote:
Apparently, showing interest demonstrates that I am "careless" and "not doing my job".


No, I can see the justification for corporations and large-scale networks (such as universities) to have need for well-established, scheduled logic, but for a single user to whine about having 200 megs of kernels on hd because of his or her own stupidity is plain annoying.

Lokheed
Veteran


Joined: 12 Jul 2004
Posts: 1295
Location: /usr/src/linux

PostPosted: Sat Feb 05, 2005 12:16 am    Post subject: Reply with quote

Loke wrote:
especially knowing what config file you can always overwrite and which ones will b0rk your system if you do.


A good rule of thumb is: if you have made changes to it yourself, you might be wary of any updates; if you haven't modified the file, you can update with confidence.

Flammie
Retired Dev


Joined: 02 Jun 2003
Posts: 633
Location: Dublin, Ireland

PostPosted: Sat Feb 05, 2005 12:18 am    Post subject: Reply with quote

Loke wrote:
Gentoo-ricer


Woo! You learned a new buzzword. Now please go back to your kindergarten or wherever you came from, to learn some basic manners and netiquette before going around insulting random people in the fora without any logical argumentation whatsoever.

Earthwings
Bodhisattva


Joined: 14 Apr 2003
Posts: 7753
Location: Germany

PostPosted: Sat Feb 05, 2005 12:23 am    Post subject: Reply with quote

Calm down people, please.

truekaiser
l33t


Joined: 05 Mar 2004
Posts: 801

PostPosted: Sat Feb 05, 2005 3:27 am    Post subject: Reply with quote

Quote:
No, I can see the justification for corporations and large-scale networks (such as universities) to have need for well-established, scheduled logic, but for a single user to whine about having 200 megs of kernels on hd because of his or her own stupidity is plain annoying.


1. i am not stupid.
2. if you actually read the changelog for the gentoo-dev-sources you will see many instances of what i described.
3. even if it is a different kernel i do not install it unless i need to, why should i have to spend the time to install it if for my machine if it is no different from the last version?

oh by the way it is 254mb per kernel source. that's a lot of wasted space.

Headrush
Watchman


Joined: 06 Nov 2003
Posts: 5597
Location: Bizarro World

PostPosted: Sat Feb 05, 2005 4:13 am    Post subject: Reply with quote

I don't know how much work it would be to implement, but why not just adapt portage.

Have a flag in /etc/make.conf that designates that you are using the "STABLE" release schedule.

When emerge sync is performed, if the flag is set, download and replace package.keywords, package.unmask, etc and place them in the correct locations.

When you perform emerge -u world you only get the packages designated by whoever administers this feature.

All someone has to do is maintain those file lists.

Ideas?

I am happy with the current method, but I understand your position for mom and pop :-)

truekaiser
l33t


Joined: 05 Mar 2004
Posts: 801

PostPosted: Sat Feb 05, 2005 5:00 am    Post subject: Reply with quote

Headrush wrote:
I don't know how much work it would be to implement, but why not just adapt portage.

Have a flag in /etc/make.conf that designates that you are using the "STABLE" release schedule.

When emerge sync is performed, if the flag is set, download and replace package.keywords, package.unmask, etc and place them in the correct locations.

When you perform emerge -u world you only get the packages designated by whoever administers this feature.

All someone has to do is maintain those file lists.

Ideas?

I am happy with the current method, but I understand your position for mom and pop :-)


that's what i had to do is use the sledge hammer solution of using both package.mask and package.unmask

and i use
Code:

emerge -uDpv world

and i am running stable branch of x86

Flammie
Retired Dev


Joined: 02 Jun 2003
Posts: 633
Location: Dublin, Ireland

PostPosted: Sat Feb 05, 2005 5:05 am    Post subject: Reply with quote

Earthwings wrote:
Calm down people, please.


Ack. I usually lock my computer down for friday nights but this one just got reinstalled and lacked the locking mechanism. But the output seems to be sane even though the input was confused on the way. :twisted:

Flammie
Retired Dev


Joined: 02 Jun 2003
Posts: 633
Location: Dublin, Ireland

PostPosted: Sat Feb 05, 2005 5:16 am    Post subject: Reply with quote

truekaiser wrote:
1. i am not stupid.


Nah, lazy might be more proper.

Quote:
2. if you actually read the changelog for the gentoo-dev-sources you will see many instances of what i described.


Lots of instances for bumping revision for 3 security related patches? Wow, the portage devs seem to be so thoughtless.

If you actually read the changelogs, which you should always do anyways for stable system with such vital packages, you can easily leave the new version uninstalled, after you see that it contains nothing new.

Of course if you don't like the way kernels work with gentoo, you should install them manually like many do. But I shouldn't think kernel to be the main issue with stable system anyhow.

Quote:
3. even if it is a different kernel i do not install it unless i need to, why should i have to spend the time to install it if for my machine if it is no different from the last version?


If you know you shouldn't, then why did you go on doing it anyway? I still fail to see the need to install or even update unneeded stuff, is it the output of emerge uDpv world that forces you installing every [N] and [U] in the town? Of course it is almost tempting as it is quite easy task now.

Headrush
Watchman


Joined: 06 Nov 2003
Posts: 5597
Location: Bizarro World

PostPosted: Sat Feb 05, 2005 5:34 am    Post subject: Reply with quote

truekaiser wrote:

that's what i had to do is use the sledge hammer solution of using both package.mask and package.unmask

and i use
Code:

emerge -uDpv world

and i am running stable branch of x86


So basically someone else is doing the dirty details of maintaining these files for those looking to use this type of release system, right?

Would this work with minimal effort? and both groups would be happy?

truekaiser
l33t


Joined: 05 Mar 2004
Posts: 801

PostPosted: Sat Feb 05, 2005 6:18 am    Post subject: Reply with quote

Flammie wrote:
truekaiser wrote:
1. i am not stupid.


Nah, lazy might be more proper.

Quote:
2. if you actually read the changelog for the gentoo-dev-sources you will see many instances of what i described.


Lots of instances for bumping revision for 3 security related patches? Wow, the portage devs seem to be so thoughtless.

If you actually read the changelogs, which you should always do anyways for stable system with such vital packages, you can easily leave the new version uninstalled, after you see that it contains nothing new.

Of course if you don't like the way kernels work with gentoo, you should install them manually like many do. But I shouldn't think kernel to be the main issue with stable system anyhow.

Quote:
3. even if it is a different kernel i do not install it unless i need to, why should i have to spend the time to install it if for my machine if it is no different from the last version?


If you know you shouldn't, then why did you go on doing it anyway? I still fail to see the need to install or even update unneeded stuff, is it the output of emerge uDpv world that forces you installing every [N] and [U] in the town? Of course it is almost tempting as it is quite easy task now.


would you please stop calling me names. i haven't called you any. as for security fixes let's take the changes between r5(which i have no idea why it was removed) and r6.

Code:
19 Jan 2005; Daniel Drake <dsd@gentoo.org>
  +gentoo-dev-sources-2.6.10-r6.ebuild:
  Add SCSI/RAID corruption fix, NFS super-io security fix, NFSACL sunrpc
  security fix.


let's see scsi/raid, nfs, nfsacl how does this apply to a p4 laptop?

Flammie
Retired Dev


Joined: 02 Jun 2003
Posts: 633
Location: Dublin, Ireland

PostPosted: Sat Feb 05, 2005 12:48 pm    Post subject: Reply with quote

truekaiser wrote:
would you please stop calling me names. i haven't called you any.


Don't take it personally boy, I only make my judgements against what you have said in this thread and not against you as a persona. If you don't see the justification of the claims I'll be pleased to explain, or I'd be even more pleased to see you giving a reason that would nullify my argument, ie. you'd really really really need to give a proper reason why can't you just skip downloading a new kernel that you obviously don't need.

Quote:

Code:
19 Jan 2005; Daniel Drake <dsd@gentoo.org>
  +gentoo-dev-sources-2.6.10-r6.ebuild:
  Add SCSI/RAID corruption fix, NFS super-io security fix, NFSACL sunrpc
  security fix.



I see there, 2 security fixes and 1 hard drive data corruption fix. Do you still fail to understand why the security holed kernel that potentially wrecks a lot of people's hard drives was removed from the tree? I mean seriously, would you keep software on public portage tree that is known to destroy hard drives and cause security problems?

Quote:
let's see scsi/raid, nfs, nfsacl how does this apply to a p4 laptop?


So... what you want is a portage logic that scans user's hardware to see if update is needed. Ok, don't hold your breath for waiting the patch, meanwhile I suggest using WindowsUpdate, which actually has some of these functionalities.

BlackEdder
Advocate


Joined: 26 Apr 2004
Posts: 2588
Location: Dutch enclave in Egham, UK

PostPosted: Sat Feb 05, 2005 1:33 pm    Post subject: Reply with quote

Flammie wrote:
Quote:
let's see scsi/raid, nfs, nfsacl how does this apply to a p4 laptop?


So... what you want is a portage logic that scans user's hardware to see if update is needed. Ok, don't hold your breath for waiting the patch, meanwhile I suggest using WindowsUpdate, which actually has some of these functionalities.
No what he wants is a freeze for several months, but which lets him update if he has been suffering from the scsi/raid problem. Is it so hard to understand...

The logic is kinda opposite to what happens in the normal portage tree.. In the normal portage tree updates happen for everything. From bugfixes to new features. If you don't want to update something, because it's working fine for you, you will have to add it to package.mask etc.

If you are more interested in just getting security fixes (because everything else works fine for you) it's much easier to have a tree that only gets updates when there are important security fixes.

Flammie
Retired Dev


Joined: 02 Jun 2003
Posts: 633
Location: Dublin, Ireland

PostPosted: Sat Feb 05, 2005 2:16 pm    Post subject: Reply with quote

BlackEdder wrote:
No what he wants is a freeze for several months, but which lets him update if he has been suffering from the scsi/raid problem. Is it so hard to understand...


I don't understand what is the difficulty of doing that with current system. I think that's something what I have been doing ever since I installed Gentoo 1.4-rcX, updating only the packages where I've needed.

Quote:
The logic is kinda opposite to what happens in the normal portage tree.. In the normal portage tree updates happen for everything. From bugfixes to new features. If you don't want to update something, because it's working fine for you, you will have to add it to package.mask etc.


No, if you don't want to update something then you don't emerge it. Why is that a hard concept... "Ooh, there's a new version of Gnome available but I don't need it because it contains nothing useful... emerge gnome! emerge gnome! Oh no, now it's updating! Those bastards!!!12".

Quote:
If you are more interested in just getting security fixes (because everything else works fine for you) it's much easier to have a tree that only gets updates when there are important security fixes.


Well, wouldn't this kind of tree still have contained our notorious
Code:
gentoo-dev-sources-2.6.10-r6.ebuild:
  Add SCSI/RAID corruption fix, NFS super-io security fix, NFSACL sunrpc
  security fix.

which is the reason I fail to see what is being wanted.

Admittedly having "emerge --sync --only-security-related-updates" would be a nice for my server bugs (if it didn't share the local portage tree for my whole local network, but that's another thing). So I guess this is what you are after for, no?

richk449
Guru


Joined: 24 Oct 2003
Posts: 345

PostPosted: Sat Feb 05, 2005 2:32 pm    Post subject: Reply with quote

Flammie wrote:
...for any environment where security and stability is such a great concern, doing blind emerge worlds or trusting security updates in hands of one automated script -- even if it was stable and working -- is not the way to do your job. Well, actually doing blind emerge worlds for any other than testing-bleeding-edge-systems is quite careless.


Flammie wrote:
[about having to micromanage your computer] That is and always will be the case, unless you are really going to trust that automated tool would be enough to do such a job. But I don't understand really what is this whining about "micromanaging" about, regardless of O/S, distro, anything, you will always have to know what is inside to have it completely secure and stable


Flammie wrote:
I don't understand what is the difficulty of doing that with current system. I think that's something what I have been doing ever since I installed Gentoo 1.4-rcX, updating only the packages where I've needed.


Flammie wrote:
No, if you don't want to update something then you don't emerge it. Why is that a hard concept... "Ooh, there's a new version of Gnome available but I don't need it because it contains nothing useful... emerge gnome! emerge gnome! Oh no, now it's updating! Those bastards!!!12".


and then, finally, this:

Flammie wrote:
Admittedly having "emerge --sync --only-security-related-updates" would be a nice for my server bugs (if it didn't share the local portage tree for my whole local network, but that's another thing). So I guess this is what you are after for, no?


Yes. That is basically what we are after.

Flammie
Retired Dev


Joined: 02 Jun 2003
Posts: 633
Location: Dublin, Ireland

PostPosted: Sat Feb 05, 2005 3:00 pm    Post subject: Reply with quote

richk449 wrote:
and then, finally, this:

Flammie wrote:
Admittedly having "emerge --sync --only-security-related-updates" would be a nice for my server bugs (if it didn't share the local portage tree for my whole local network, but that's another thing). So I guess this is what you are after for, no?


Yes. That is basically what we are after.


That's what I thought. But you have to realize that it will only remove part of the problem that's been stamped as "micromanagement" here. Especially it will not remove the need for you to check what each individual update does if you are so afraid of wasting space and cpu cycles for updates you specifically won't need. It won't help a bit with having lot of kernels in the hd, if you do the emerge world constantly without looking what will be updated.

BlackEdder
Advocate


Joined: 26 Apr 2004
Posts: 2588
Location: Dutch enclave in Egham, UK

PostPosted: Sat Feb 05, 2005 3:47 pm    Post subject: Reply with quote

What I see as we are after is something like the debian system. Their stable branch evolves very slowly, but important bugfixes/security related fixes are all backported. I've managed a couple of debian servers and the amount of micromanagement required is very very limited. Now of course you can say then go debian, but I know a couple of ppl who are torn between debian and gentoo, gentoo offers them the freedom they crave, but debian makes sure that if you can't be bothered to micromanage today you can still bring the system up2date. These ppl would surely stick to gentoo if a frozen branch was introduced.

Conclusion: I am all for glep 19 :) and would immediately implement it on the servers I have.

acasto
Apprentice


Joined: 06 Feb 2004
Posts: 236
Location: Durka-Durka-Stan

PostPosted: Sat Feb 05, 2005 10:23 pm    Post subject: Reply with quote

This is the first I have heard of this glep19 and it sounds great. I love the current portage the way it is now from things like my personal workstation and laptop. But for my servers at work, it seems I'm always having to devote large chunks of time to reading reports and changelogs, many of which don't apply to my system. Even though you should be reading the changelogs, it can take quite a bit of time to sort down to the ones you absolutely need to read.

As for the ones saying the current way is fine, it is, but requires a level of personal devotion to which many can not apply in a corporate environment. You get to know and treat your own system like a child, and like a child you know every single "update" (ie: vaccination, feeding, changing, etc...) and modification you made to it (well, maybe not modify the child). However in a corporate environment you face two problems from this. One, any more than a few systems and it's easy to forget and lose your place among the many customizations you must make to maintain the system. And two, where we understand the importance of spending time micro-managing portage updates, the executives may not. We must remember that in the corporate world, time equals money. And an executive, who is used to windows updates, will probably not be able to understand and/or justify devoting so much time to such a task.

To those who think this is just laziness, I and others here say this because many of us have to put up with it. My servers run an emerge -uDvp world nightly and email the results. It only takes a week for those results to get to be a pretty big list, but once running a glsa-check, only maybe one or two apply. So then I have to take the results of the glsa-check and run it back through emerge (because I don't trust the 'experimental' software yet to make changes) to see exactly what I would need to change. Then I can run these through etcat -c to see the changes. But then doesn't etcat -c only show changes from the latest version to the one right behind? So if you have more than a version over in an update, you would have to pull the version numbers of every one in between and run them.

For now I just write many scripts with awks and greps and such to process all of this for me and just email the reports and changelogs, which works, but isn't ideal.


- Adam
_________________
Leerrroooooyyyyyyyy JENKINS!!!!1111...................

"You know the Nazi's had pieces of flare.. that they made the Jews wear."
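
The triage acasto describes above (a nightly `emerge -uDvp world` report narrowed to the packages that security advisories actually touch), as an added example that is not part of the original post. It assumes the report was saved to a file and that the affected list is a separately prepared file of category/package names taken from the GLSAs that apply to the host; the function names and all sample data are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: reduce a saved pretend report to the
# pending packages that appear in a list of GLSA-affected packages.

# pending_atoms REPORT
# Print "category/package version" for every [ebuild ...] line of the report.
pending_atoms() {
    awk '
        /^\[ebuild/ {
            sub(/^\[ebuild[^]]*\][ \t]*/, "")  # drop the "[ebuild   U ]" status column
            atom = $1                          # e.g. sys-kernel/gentoo-dev-sources-2.6.10-r6
            name = atom
            # strip a trailing Portage version such as -1.2.3a_rc1-r6; anchoring at
            # the end keeps names like font-adobe-100dpi intact
            sub(/-[0-9]+(\.[0-9]+)*[a-z]?(_(alpha|beta|pre|rc|p)[0-9]*)*(-r[0-9]+)?$/, "", name)
            print name, substr(atom, length(name) + 2)
        }
    ' "$1"
}

# security_updates REPORT AFFECTED
# AFFECTED holds one category/package per line; "#" starts a comment.
# This file format is an assumption of the example, not glsa-check output.
security_updates() {
    pending_atoms "$1" | awk '
        NR == FNR { sub(/#.*/, ""); if ($1 != "") affected[$1] = 1; next }
        ($1 in affected) { print }
    ' "$2" -
}

# demo: run the filter over constructed sample data (not from a real host).
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/report.txt" <<'EOF'
These are the packages that I would merge, in order:

Calculating world dependencies ...done!
[ebuild     U ] sys-kernel/gentoo-dev-sources-2.6.10-r6 [2.6.10-r5]
[ebuild     U ] gnome-base/gnome-2.8.1 [2.8.0]
[ebuild  N    ] media-fonts/font-adobe-100dpi-1.0
[ebuild     U ] net-misc/openssh-3.9_p1-r1 [3.9_p1]
EOF
    cat > "$dir/affected.txt" <<'EOF'
# packages named in the advisories that apply to this host (constructed)
sys-kernel/gentoo-dev-sources
net-misc/openssh
EOF
    security_updates "$dir/report.txt" "$dir/affected.txt"
    rm -rf "$dir"
}

demo
```

Everything the filter drops is still pending in the full report, so the changelog for each package it keeps still has to be read before merging.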

QV
n00b


Joined: 13 Feb 2004
Posts: 54

PostPosted: Sun Feb 06, 2005 1:48 am    Post subject: Reply with quote

vonhelmet wrote:
Is there a single other distro that does this?

I'm pretty certain the answer is... no.


Uh...most major distros? Mandrake, Fedora, Ubuntu, Arch Linux, Slackware, Conectiva, and probably a bunch of others have periodic releases based on frozen snapshots of a volatile tree. Debian is the same, but with a much longer delay between releases--in fact, the testing/unstable split is even similar to Gentoo's arch/~arch split.

All times are GMT
Page 2 of 4