Date: Thu, 19 Dec 2019 11:37:34 +0100
From: Natanael Copa
To: "wojciech.kopras@yahoo.com"
Cc: "~alpine/users@lists.alpinelinux.org" <~alpine/users@lists.alpinelinux.org>
Subject: Re: How to keep Alpine-based systems secure
Message-ID: <20191219113734.6510f163@ncopa-desktop.copa.dup.pw>
In-Reply-To: <2013507513.1487922.1576682692429@mail.yahoo.com>

On Wed, 18 Dec 2019 15:24:52 +0000 (UTC) "wojciech.kopras@yahoo.com" wrote:

> Hi, I would like to keep my systems secure. And I wonder how it can be done with Alpine Linux.
>
> I tried to find something. Is there anything new regarding https://lists.alpinelinux.org/~alpine/users/%3CCAKXJ0%3Di57cR-9ORP2%3DA-_c0nQPR17twKULskqVQL3Lwo_JuPLg%40mail.gmail.com%3E ?
>
> I also tried to ask others, but I've got no helpful answer. https://serverfault.com/questions/992400/how-to-get-information-about-security-updates-for-alpine-linux
>
> What would you suggest? Or what is the procedure that you use?
>

To keep your machine updated run `apk upgrade -U -a` regularly.

Stable branches should only have bug fixes and security fixes, so in theory you could run this from a cron job. You can do this with `apk add apk-cron`.

There are tools that will tell you what services need to be restarted after an update. See https://github.com/jirutka/apk-autoupdate (this is in testing still)

If you want to check what is going to be updated then you can do:

    apk update && apk version

It will tell you which packages are outdated and need an update. After that you can run `apk upgrade`.

If you only want to follow security issues (with a CVE), then you can follow issues in our bugtracker:

https://gitlab.alpinelinux.org/alpine/aports/issues?scope=all&utf8=%E2%9C%93&state=closed&label_name[]=T-Security

Note that we keep those confidential until they are solved, so you need to follow the closed ones.

You can also get this as an RSS feed (click on the "subscribe RSS feed" button to the left of the "Edit issues" and "New issue" buttons). The URL is:

https://gitlab.alpinelinux.org/alpine/aports/issues.atom?label_name%5B%5D=T-Security&scope=all&state=closed&utf8=%E2%9C%93

I hope this helps until we have a proper security announcement channel.

Thanks!

-nc
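
The check-before-upgrade step described in the reply above, as an added example that is not part of the original message: a POSIX sh script that reduces `apk version` output to the packages marked `<`, so a cron job can log or mail what is pending before `apk upgrade` runs. The function names, the exit status 10 and the sample listing are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example, not from the original message.

# pending_upgrades: read `apk version` output on stdin and print one
# "name installed -> available" line for every package marked "<".
# The name/version split assumes the usual <name>-<version>-r<N> form.
pending_upgrades() {
    awk '
        $2 == "<" && match($1, /-[0-9][^-]*-r[0-9]+$/) {
            printf "%s %s -> %s\n",
                substr($1, 1, RSTART - 1), substr($1, RSTART + 1), $3
        }'
}

# Constructed sample listing (package names and versions are made up);
# the "=" line is there to show that up-to-date packages are dropped.
sample_apk_version() {
    cat <<'EOF'
Installed:                                Available:
busybox-1.31.1-r8                       < 1.31.1-r9
libssl1.1-1.1.1d-r2                     < 1.1.1d-r3
musl-1.1.24-r0                          = 1.1.24-r0
EOF
}

# check_updates: for use on an Alpine host (e.g. from cron).
# Returns 0 when nothing is pending, 1 if the index refresh fails,
# 10 (a convention chosen for this example) when upgrades are pending.
check_updates() {
    apk update >/dev/null || return 1
    pending=$(apk version | pending_upgrades)
    if [ -z "$pending" ]; then
        return 0
    fi
    printf '%s\n' "$pending"
    return 10
}

# Offline demo on the constructed sample; on Alpine call check_updates.
sample_apk_version | pending_upgrades
```
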