Subject: Re: [suse-security] Suggestion to the SuSE security people
From: Roman Drahtmueller (draht suse.de)
Date: Wed Oct 04 2000 - 09:52:18 CDT
- Next message: Roman Drahtmueller: "Re: AW: [suse-security] Suggestion to the SuSE security people"
- Previous message: Philipp Snizek: "[suse-security] postfix as mailrouter?"
- In reply to: Bo Jacobsen: "[suse-security] Suggestion to the SuSE security people"
- Reply: Roman Drahtmueller: "Re: [suse-security] Suggestion to the SuSE security people"
Hi!
> Hi there,
> I have a suggestion to you security guys, that could make life a lot
> easier for a lot of us out here, and at the same time really make the
> SuSE security update feature shine, compared to the other linux
> distributions.
Thank you for the contribution. Please allow me to comment on your
suggestions.
>
> I have noticed that since 24/9-00 six updates to SuSE 7.0 have been
> posted on your security site. At this rate it could turn out to be a
> very time consuming job having to update Linux all the time.
It is! Even more problematic is the outlook: We'll have to expect more of
these format string parsing errors in the next few months.
> To make this a much easier task, I suggest that you, on top of the
> usual downloadable update files, make available a gzip file containing
> all the updates relevant to your latest distribution (7.0 at this
> moment).
Well...
$ du -ks update/7.0
170819 7.0
$
I'm not sure that you really want that... It's just not practicable.
> Every time a new update is posted you also post a new gzip file that
> includes all earlier updates AND the new one. This file could be
> called SU1, SU2... SUn. (SU = Security Update).
>
> The gzip file should, besides the .rpm files, include a shell script that could automate all the updates.
> The script could maybe do something like this:
>
> for (first_update to last_update present in the gzip file) do {
>     if (module or program that the update relates to is installed on the target system) {
>         do_update = false
>         if (this update is older than the one installed)
>             do_update = ask_user_if_ok_to_update ()
>         else if (module has not been updated) {
>             if (running update will overwrite config file(s) that the user/system may have edited) {
>                 if (do_update = ask_user_if_ok_to_update ())
>                     make copy (.bak) of config file(s)
>             }
>         }
>         if (do_update)
>             run the rpm update
>     } else
>         do_nothing
> }
A solution like this exists already. One of the replies to your mail
contains a hint to it.
> A procedure like this could really make a difference. Updating could
> now be almost totally automated, and if SuSE would post an e-mail to
> this forum when a new update is released, I'm sure a lot of SuSE
> installations would be updated much more frequently than is the case
> today. I for one would update our systems a lot more frequently.
No question...
>
> Let's also say that you put a subject string like "Announce: SuSE
> security update SU05 is released ...." in the e-mail, and in the
> Message body a link to the newest update file. Users could then make a
> filter in their e-mail client that would redirect all mail coming from
> SuSE containing this subject string, to a high priority mailbox. When
> the user opens the mail, he just clicks on the link and this baby
> would rock'n roll.
>
>
> Of course I could write the script myself, but that would not make the
> downloading easier at all, and here I see an opportunity for SuSE, with
> very little effort, to really make things much more "user friendly".
We're working on that, of course. One of the features for the future is
that our packages will be gpg-signed. Without this feature we would never
be able to offer something like an automatic or semi-automatic update
mechanism. It just knocks out the concept of security in general...
> Thanks in advance
> Bo Jacobsen bjc image.dk
Thanks,
Roman.
--
Roman Drahtmüller <drahtsuse.de> // "Caution: Cape does
SuSE GmbH - Security Phone: // not enable user to fly."
Nürnberg, Germany +49-911-740530 // (Batman Costume warning label)
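
The reply above makes signed packages the precondition for any automatic update. As an added example (not part of the original message and not SuSE's tooling), the shell functions below apply that gate to the loop proposed in the quoted mail: verify each package's signature first, skip packages that are not installed, then freshen. The function names, the `RPM` and `DRY_RUN` variables and the output-matching pattern are assumptions.

```shell
#!/bin/sh
# Added example, not SuSE's tool. RPM may point at a stub for testing.
RPM="${RPM:-rpm}"

# has_valid_signature FILE
# Succeeds only if "rpm --checksig" exits 0 AND reports a signature.
# A digest-only "OK" (unsigned package) counts as a failure.
# Assumption: the OK line names "gpg", "pgp" or "signatures"; the wording
# differs between rpm versions, so adjust the pattern to yours.
has_valid_signature() {
    out=$($RPM --checksig "$1" 2>/dev/null) || return 1
    out=${out#"$1":}    # drop the file name so it cannot match below
    case "$out" in
        *"NOT OK"*) return 1 ;;
        *gpg*|*pgp*|*signatures*) return 0 ;;
        *) return 1 ;;
    esac
}

# apply_updates DIR
# Prints one "<verdict> <file>" line per package; returns 1 if any package
# was rejected or failed to install. DRY_RUN defaults to 1 (report only).
apply_updates() {
    rc=0
    for pkg in "$1"/*.rpm; do
        [ -e "$pkg" ] || continue
        # Verify first, before anything else parses the untrusted file.
        if ! has_valid_signature "$pkg"; then
            echo "reject $pkg"; rc=1; continue
        fi
        name=$($RPM -qp --queryformat '%{NAME}' "$pkg" 2>/dev/null) || name=
        # Only touch packages that are already installed on this system.
        if [ -z "$name" ] || ! $RPM -q "$name" >/dev/null 2>&1; then
            echo "skip $pkg"; continue
        fi
        if [ "${DRY_RUN:-1}" = 1 ]; then
            echo "would-update $pkg"
        elif $RPM -Fvh "$pkg" >/dev/null; then  # -F freshens installed packages only
            echo "update $pkg"
        else
            echo "failed $pkg"; rc=1
        fi
    done
    return $rc
}
```

Call it as `apply_updates /path/to/updates` after importing the vendor's public key into the keyring rpm uses; set `DRY_RUN=0` to install instead of report.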