Security updates

[peterstol]

How do we apply security updates to the compatibility layer in between releases and how often?
What is the impact on our design, which would like to keep all versions as fixedas possible to prevent issues higher up the stack?

Gentoo provides glsa-check (https://wiki.gentoo.org/wiki/Security_Handbook/Staying_up-to-date), which works well, but requires a sync of the repo.

emerge --sync
glsa-check -t all
This system is affected by the following GLSAs:
202009-01

Or more verbose..

glsa-check -p $(glsa-check -t all)

Apply security updates glsa-check -f $(glsa-check -t all)

The workflow might be added to our Ansible scripts

[bedroge]

This is what I recently used:

# Sync the overlays
emerge --sync

# Check which GLSA(s) affect our system
glsa-check --list

# Check which version(s) of an affected package we have
qlist -IRv | grep <package name>
# or for a specific package:
qlist -IRv dev-lang/python

# Find the fix for the given GLSA
glsa-check -d <GLSA>

# Fix the affected package(s), e.g.:
emerge --ask --oneshot --verbose "new_version_of_affected_package"

We should document these procedures somewhere.