dCore-5.0.alpha1 released
SamK:
--- Quote from: roberts on July 01, 2013, 05:03:37 PM ---
--- Quote from: SamK on July 01, 2013, 12:16:15 PM ---
Once an SCE app is imported is it possible to apply a security upgrade (issued by Debian) to an active dCore system, or is a rebuild of the SCE app required to incorporate it?
--- End quote ---
dCore is not Debian. Nor is it traditionally "installed". dCore uses mounted squashfs as tcz and scms did. There is no rebuild, as apps are typically imported. We are only supplying scripts ( the import suite in the base of dCore ) and some server side typically setup/data scripts. You might want to think download script as used for flash.
--- End quote ---
If I understand this correctly...
If a security upgrade for an app is released into Debian Stable (of course not a feature upgrade) it would require the app to be imported again in order for the upgrade to be included within an SCE.
If the above is correct, in a case where an app was not re-imported might it be stable but one or more of the constituent packages might have unaddressed vulnerabilities? Does it follow that SCEs may need to be regularly re-imported in order to remain both stable and have addressed vulnerabilities?
roberts:
Not sure of your position... But I see it as another advantage.
It is quite simple to import versus asking and waiting for a community member to recompile for relocation on current native Core, unless, perhaps, you are the type that prefers to compile everything.
Also on native Core to implement a security upgrade not only depends on a community member being available, it may also lead to breakage.
This versus the vast community of Debian developers who maintain Debian.
But the choice is yours. We are only offering an additional Core.
If you prefer native Core you have it. It is not going away as witnessed by the ongoing development of Core 5. If on the other hand you have had issues with rolling release libraries and such, or your favorite package is no longer being maintained in native Core, you may want to consider dCore.
Jason W:
I had thought of security updates, but I think most security fixes for Debian apply to server use and not standard desktop use, especially with how TC is used 99 percent of the time. And as Robert pointed out, there are upsides and downsides to keeping with stable versions versus the latest versions of packages.
But it was simple to code in an option in import that would provide info in the SCE to allow a check for packages that an SCE is comprised of which have been updated upstream in Debian since the SCE was imported. A simple tool then could be run against an SCE to inform the user which packages have been updated, and then the user can view the Debian changelog of updated packages to determine if there is need for an update based on the user's particular situation. I will consider it to be included in alpha4.
SamK:
--- Quote from: roberts on July 03, 2013, 05:45:19 PM ---
Not sure of your position...
--- End quote ---
The questions are not intended to be disparaging. They are motivated by a desire to understand the newly introduced SCE format. The ability to use Core (dCore) together with apps drawn from the Debian stable repo is very appealing.
Here, TinyCore and other distros based on Debian stable are widely used. The ability for each of them to draw apps from a common repo is a welcome simplification.
The following comments are made without having tested a dCore system yet.
Security Upgrades
The Debian stable based distros referred to above, download and install any given security upgrade only once. This is done using a single command i.e. apt-get upgrade. Because of their traditional installation model, this is then available system-wide.
From our previous discussion, I am guessing a dCore system might have a repeated re-import process to achieve a similar result, i.e. once for each SCE.
From the original post announcing the SCE format a mega package can be created.
--- Quote from: Jason W on June 28, 2013, 12:15:02 PM ---
...a file list can be made of one's favorite packages and import can be used to make one mega package out of the list. Example, a file named mydesktop that contains xfce4, leafpad, iceweasel, exaile, smplayer, etc, etc , one package per line, will make an sce of those packages that will be named mydesktop.sce.
--- End quote ---
In such a case I'm guessing that only a single re-import is required to incorporate a given security upgrade.
A dCore system might comprise multiple SCEs. In this case I'm guessing that multiple re-imports are required to incorporate a given upgrade. If this guess is correct might it be worth considering an OS level command to enable all SCEs within the system to be upgraded from a single command?
--- Quote from: Jason W on July 04, 2013, 01:39:55 AM ---
...I think most security fixes for Debian apply to server use and not standard desktop use...
--- End quote ---
I'm not sure about this. This post is being made from a general purpose desktop system running Debian 7 stable. It has security upgrades applied regularly.
--- Quote from: Jason W on July 04, 2013, 01:39:55 AM ---
A simple tool then could be run against an SCE to inform the user which packages have been updated, and then the user can view the Debian changelog of updated packages to determine if there is need for an update based on the user's particular situation. I will consider it to be included in alpha4.
--- End quote ---
See the suggestion above re automating the upgrade process in a single command for multiple SCEs. While I am in favour of user choice, I also support user friendliness of operation.
Edited to improve clarity.
Jason W:
SamK,
I am sure that there are Debian desktops all over the world that receive security updates regularly. My point is that I am sure most of the updates are not NEEDED for desktop use. A vulnerability in samba is not going to all of a sudden render a standard home desktop useless due to security exploits. Even if that user runs samba to read Windows shares every day on their home network. Most dCore desktops will not have services running at all that are open to login from the outside world.
I am not trying to trivialize security exploits, but for the typical desktop user, Linux or otherwise, by far your biggest security risk is related to behavior as in password habits and such. And when it is all said and done, security is simply a feeling of trust and a state of mind, in life as well as Linux.
That being said, I am testing an option in import that will let those who are security minded run a simple tool against their SCEs to list which packages contained in them have had updates since the SCE was imported, making use of the existing import structure. And it would be simple to allow a tool to automatically re-import any SCEs that have had updates. But I almost see it as foolish to re-import anything just because of upstream updates that have occurred when I don't even know if they apply to my situation. I am not focusing much time on this, the option to generate the needed info took less than an hour to make and test. But I knew the question of updates would come up. And an option to re-import everything will not be in its initial conception, I don't want to promote that as a needed behavior.
What may materialize in the near future is a simple tool that will list each component of an SCE that has been updated in Debian, and then the user can review the below page to see if there is a vulnerability found that may apply to a package that they feel warrants keeping a close eye on updates, for instance if they were running an SSH server of critical importance.
http://www.debian.org/security/2013/
But to be honest I would rather attention be placed on finding bugs in imported packages or the dCore import tools. In this early stage, things may change quick enough that would require re-importing SCEs long before security concerns are justifiable.
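The check Jason W describes (list the packages in an SCE that have changed in Debian since import), as an added example that is not part of the thread or of dCore's import suite. The manifest format, the function names `sce_updated_pkgs` and `sce_demo`, and all sample versions are assumptions; the `Package:` / `Version:` stanza layout is that of Debian's Packages index.

```shell
#!/bin/sh
# Added example, not part of dCore. ASSUMPTION: import records one
# "name version" line per package; the thread does not give the real format.

# sce_updated_pkgs MANIFEST PACKAGES_INDEX...
# Prints "name recorded other" for each index stanza whose version differs
# from the recorded one, and "name recorded MISSING" if no stanza exists.
# Versions are compared as strings: this reports "changed", not "newer".
sce_updated_pkgs() {
    awk '
        FILENAME == ARGV[1] { if (NF >= 2) recorded[$1] = $2; next }
        /^Package: / { pkg = $2 }
        /^Version: / && (pkg in recorded) {
            seen[pkg] = 1
            if ($2 != recorded[pkg]) print pkg, recorded[pkg], $2
        }
        /^$/ { pkg = "" }
        END { for (p in recorded) if (!(p in seen)) print p, recorded[p], "MISSING" }
    ' "$@" | sort -u
}

# Constructed sample data: a manifest for a hypothetical mydesktop.sce and two
# Packages-style indexes (main and security). All versions are made up.
sce_demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' 'leafpad 1.0-1' 'iceweasel 2.0-1' 'smplayer 3.0-1' \
        'exaile 4.0-1' > "$tmp/mydesktop.manifest"
    cat > "$tmp/main.Packages" <<'EOF'
Package: leafpad
Version: 1.0-1

Package: iceweasel
Version: 2.0-1

Package: smplayer
Version: 3.0-1
EOF
    cat > "$tmp/security.Packages" <<'EOF'
Package: iceweasel
Version: 2.0-1+deb7u1
EOF
    sce_updated_pkgs "$tmp/mydesktop.manifest" "$tmp/main.Packages" \
        "$tmp/security.Packages"
    rm -rf "$tmp"
}

sce_demo
```

Passing the security index alongside the main one matters: the recorded version is still present in main, so only the extra stanza reveals the change.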