From: Olivier Mauras
To: alpine-devel@lists.alpinelinux.org
Date: Thu, 03 Nov 2016 10:45:27 +0100
Subject: [alpine-devel] [APK] Feature request - Changelog of updates

Hello,

I already discussed this point with some of the team on IRC and the
conclusion has been to take it up on the list.

Every major distribution includes a "changelog" option in their package
manager. This makes things very easy to list all the CVEs affecting your
network.

For example "yum --changelog update" outputs something like that for each
package:

ChangeLog for: libxml2-2.9.1-6.el7_2.3.x86_64
* Mon Jun 6 14:00:00 2016 Daniel Veillard - libxml2-2.9.1-6.3
- Heap-based buffer overread in xmlNextChar (CVE-2016-1762)
- Bug 763071: Heap-buffer-overflow in xmlStrncat (CVE-2016-1834)
- Bug 757711: Heap-buffer-overflow in xmlFAParsePosCharGroup (CVE-2016-1840)
- Bug 758588: Heap-based buffer overread in xmlParserPrintFileContextInternal (CVE-2016-1838)
- Bug 758605: Heap-based buffer overread in xmlDictAddString (CVE-2016-1839)
- Bug 759398: Heap use-after-free in xmlDictComputeFastKey (CVE-2016-1836)
- Fix inappropriate fetch of entities content (CVE-2016-4449)
- Heap use-after-free in htmlParsePubidLiteral and htmlParseSystemiteral (CVE-2016-1837)
- Heap use-after-free in xmlSAX2AttributeNs (CVE-2016-1835)
- Heap-based buffer-underreads due to xmlParseName (CVE-2016-4447)
- Heap-based buffer overread in htmlCurrentChar (CVE-2016-1833)
- Add missing increments of recursion depth counter to XML parser. (CVE-2016-3705)
- Avoid building recursive entities (CVE-2016-3627)
- Fix some format string warnings with possible format string vulnerability (CVE-2016-4448)
- More format string warnings with possible format string vulnerability (CVE-2016-4448)

As you can see, it's then fairly easy to parse the output to get a list of
the CVEs.

I'd love to see an "apk upgrade -s --changelog" option that would mimic
this behaviour. Ideally only the changelog between the installed version
and the available update should be displayed.

The questions are:
- How to do it?
- How to get the needed information?

Cheers,
-O.
---
Unsubscribe: alpine-devel+unsubscribe@lists.alpinelinux.org
Help: alpine-devel+help@lists.alpinelinux.org
---

From: Timo Teras
To: Olivier Mauras
Cc: alpine-devel@lists.alpinelinux.org
Date: Thu, 3 Nov 2016 16:41:41 +0200
Subject: Re: [alpine-devel] [APK] Feature request - Changelog of updates
Message-ID: <20161103164141.5f0299cf@vostro.util.wtbts.net>

Hi,

On Thu, 03 Nov 2016 10:45:27 +0100 Olivier Mauras wrote:
> I already discussed this point with some of the team on IRC and the
> conclusion has been to take it up on the list.
>
> Every major distribution includes a "changelog" option in their
> package manager. This makes things very easy to list all the CVEs
> affecting your network.
> [snip]
>
> As you can see, it's then fairly easy to parse the output to get a
> list of the CVEs.

I think ncopa was working on a CVE feed / database. The idea is to provide
a tool that tells which CVEs are affecting you and are fixed in newer
versions. Maybe he can elaborate on that. Would this be sufficient for you?

> I'd love to see an "apk upgrade -s --changelog" option that would
> mimic this behaviour. Ideally only the changelog between the installed
> version and the available update should be displayed.
>
> The questions are:
> - How to do it?

I'm planning to work on new apk-tools. I can add this to the design
requirements on the apk side.

> - How to get the needed information?

The CVE data should be generatable already. The full changelog is not
kept, but could probably be parsed from git. But I think this is two
features: changelog and CVE. The CVE output could be machine parseable,
whereas the changelogs are more for human eyes.

This also raises the question of how to store the information if we want
a full listing between versions. Should we keep some of it in a database
for removed versions? Should each package contain a cumulative listing?
I don't really like bloating the packages with cumulative data - or even
the package index. So this should probably go in a separate db.

Another dark area is when switching stable branches. How to calculate
the changelog then, because the git history is not linear.

I wonder if other developers have other questions/ideas.

/Timo
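The parsing step Olivier describes in the opening message (pull the CVE ids out of "yum --changelog" output, and ideally only the entries between the installed version and the available update) is the part a defender would script first. The following is an added example written for this thread, not code from either poster nor from apk-tools or yum. It assumes the yum layout shown above ("ChangeLog for: <nevra>" headers, "* <date> <author> - <version>" entry lines, newest entry first) and uses a constructed sample whose second entry and its CVE-2015-99999 id are invented to exercise the version cut-off.

```python
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the yum --changelog excerpt in the thread.
# The second "*" entry (and CVE-2015-99999) is invented for the cut-off test.
SAMPLE = """\
ChangeLog for: libxml2-2.9.1-6.el7_2.3.x86_64
* Mon Jun 6 14:00:00 2016 Daniel Veillard - libxml2-2.9.1-6.3
- Heap-based buffer overread in xmlNextChar (CVE-2016-1762)
- Bug 763071: Heap-buffer-overflow in xmlStrncat (CVE-2016-1834)
- Fix some format string warnings with possible format string vulnerability (CVE-2016-4448)
- More format string warnings with possible format string vulnerability (CVE-2016-4448)
* Thu Jan 1 12:00:00 2015 Example Maintainer - libxml2-2.9.1-6.2
- Constructed older entry for the example (CVE-2015-99999)
"""

CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")
HEADER_RE = re.compile(r"^ChangeLog for:\s+(\S+)")


@dataclass
class Entry:
    """One '* <date> <author> - <version>' block and the CVE ids listed under it."""
    version: str
    cves: list = field(default_factory=list)


def nevra_name(nevra):
    """'libxml2-2.9.1-6.el7_2.3.x86_64' -> 'libxml2' (drop '-ver-rel.arch')."""
    return nevra.rsplit("-", 2)[0]


def parse_changelog(text):
    """Parse yum --changelog style output into {nevra: [Entry, ...]}.

    Entries keep file order, which yum prints newest-first.
    """
    packages = {}
    entries = None
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            entries = packages.setdefault(m.group(1), [])
            current = None
            continue
        if entries is None:
            continue  # anything printed before the first package header
        if line.startswith("*"):
            # The version is whatever follows the last " - " on the entry line.
            _head, sep, version = line[1:].strip().rpartition(" - ")
            current = Entry(version=version if sep else "")
            entries.append(current)
            continue
        if current is not None:
            for cve in CVE_RE.findall(line):
                if cve not in current.cves:  # CVE-2016-4448 is listed twice
                    current.cves.append(cve)
    return packages


def all_cves(text):
    """Every CVE id mentioned anywhere in the output, deduplicated and sorted."""
    return sorted(set(CVE_RE.findall(text)))


def cves_since(text, installed):
    """CVE ids fixed in entries newer than the installed version, per package.

    installed maps package name -> version string exactly as it appears on the
    entry line (e.g. 'libxml2-2.9.1-6.2'). Since entries are newest-first we
    stop at the entry matching the installed version; if nothing matches (the
    installed build predates the changelog window) every entry is reported,
    which errs on the side of showing too much rather than too little.
    """
    result = {}
    for nevra, entries in parse_changelog(text).items():
        cutoff = installed.get(nevra_name(nevra))
        pending = []
        for entry in entries:
            if cutoff is not None and entry.version == cutoff:
                break
            for cve in entry.cves:
                if cve not in pending:
                    pending.append(cve)
        result[nevra] = pending
    return result


if __name__ == "__main__":
    print("all:", all_cves(SAMPLE))
    print("pending:", cves_since(SAMPLE, {"libxml2": "libxml2-2.9.1-6.2"}))
```

The cut-off matches the installed version string exactly rather than comparing versions, because the point is only to stop walking the newest-first list at the build that is already on the box; a real tool would plug in rpmvercmp or apk's version comparison here, and, as Timo notes, would need a different data source once the changelog is no longer shipped with the package.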