Difference between revisions of "Talk:Yum-plugin-priorities"

From SME Server
Jump to navigationJump to search
m (Added a remark on detecting 3rd party packages)
Line 10: Line 10:
 
* a plugin, method, or option that blocks the update of packages from 3rd party repos if the new version requires a package that is included with SME / Centos that has not yet been updated.
 
* a plugin, method, or option that blocks the update of packages from 3rd party repos if the new version requires a package that is included with SME / Centos that has not yet been updated.
 
* a way to notify users of the blocked updates so they can decide if the blocked update involves a security issue
 
* a way to notify users of the blocked updates so they can decide if the blocked update involves a security issue
* '''or''' documentation on how to work around this issue, along the lines of "observe the problem, identify the blocking package, update the blocking package independantly using the "--noplugins" option, then finish your update
+
* '''or''' documentation on how to work around this issue, along the lines of "observe the problem, identify the blocking package, update the blocking package independently using the "--noplugins" option, then finish your update
 +
 
 +
:sn
 +
:yes this is a big problem
 +
:want to search or ask at the yum mailinglist, this should be a known problem
  
 
===Side note on security===
 
===Side note on security===
Line 16: Line 20:
  
 
Is there any easy way to scan a SME server, identify any installed packages that are not considered secure by the SME developers, then modify /etc/motd and add a note to server-manager stating that "unevaluated packages are installed"?
 
Is there any easy way to scan a SME server, identify any installed packages that are not considered secure by the SME developers, then modify /etc/motd and add a note to server-manager stating that "unevaluated packages are installed"?
 +
 
:Perhaps you can use the following audittool in your detection logic as it should report all contribs from 3d party repositories:
 
:Perhaps you can use the following audittool in your detection logic as it should report all contribs from 3d party repositories:
  
Line 28: Line 33:
  
 
only difference is there will be a different fragment to modify /etc/yum.conf/something
 
only difference is there will be a different fragment to modify /etc/yum.conf/something
 
----
 
 
perl-DBIx-DBSchema is not installed by default, I don't have either of the below rpms installed
 
 
I tried to install with priority=10 and couldn't, same error as you
 
 
with priority=99 it would install
 
yum install --enablerepo=dag perl-DBIx-DBSchema
 
 
=============================================================================
 
  Package                Arch      Version          Repository        Size
 
=============================================================================
 
Installing:
 
  perl-DBIx-DBSchema      noarch    0.36-1.el4.rf    dag                70 k
 
Installing for dependencies:
 
  perl-DBD-Pg            i386      2.11.1-1.el4.rf  dag              286 k
 

Revision as of 01:54, 23 November 2008

Mmccarn 15:31, 22 November 2008 (UTC)

perl-DBIx-DBSchema

Yes - I finally figured out that perl-DBIx-DBSchema was installed when I tried to install 'Resource Tracker' - they have their own repository....

Clearly, we could choose to ignore this issue -- but just as clearly if we configure yum-plugin-priorities it will become possible to install 3rd party apps that later break yum.

In this case, perl-DBIx-DBSchema, which is not included with SME requires perl-DBIx-SearchBuilder which is included with SME - so the low priority repo locates and wants to update perl-DBIx-DBSchema, but the priorities plugin then prevents the install of the correct perl-DBIx-SearchBuilder.

We need

  • a plugin, method, or option that blocks the update of packages from 3rd party repos if the new version requires a package that is included with SME / Centos that has not yet been updated.
  • a way to notify users of the blocked updates so they can decide if the blocked update involves a security issue
  • or documentation on how to work around this issue, along the lines of "observe the problem, identify the blocking package, update the blocking package independently using the "--noplugins" option, then finish your update
sn
yes this is a big problem
want to search or ask at the yum mailinglist, this should be a known problem

Side note on security

A major reason that I use SME server is that I feel the developers are highly security conscious, and that if I keep a SME server relatively virgin it will remain secure. I don't have the knowledge, time or experience to evaluate every package available in Linux for its security exposure level.

Is there any easy way to scan a SME server, identify any installed packages that are not considered secure by the SME developers, then modify /etc/motd and add a note to server-manager stating that "unevaluated packages are installed"?

Perhaps you can use the following audittool in your detection logic as it should report all contribs from 3d party repositories:
/sbin/e-smith/audittools/newrps
— Cactus (talk | contribs 15:43, 22 November 2008 (UTC)

Installation

My "script" for modifying /etc/yum.conf is just my notes on how to make these changes easily and temporarily; I hadn't gotten around to making a custom template fragment yet...

Snoble 09:37, 22 November 2008 (UTC)

You should be able to use my script on 7.3 to populate the db

only difference is there will be a different fragment to modify /etc/yum.conf/something

Retrieved from "https://wiki.koozali.org/index.php?title=Talk:Yum-plugin-priorities&oldid=11608"