# glsa-check

## freke

Is running glsa-check 'worth it' on an updated system?

I can't recall seeing glsa-check ever wanting to update any packages on my system.

I.e. my normal update procedure is:

```
emerge -uvaDUt --with-bdeps=y @world

emerge -vac

revdep-rebuild

glsa-check -f $(glsa-check -t all)

revdep-rebuild

eclean -d distfiles

cfg-update -vu
```

The 2nd revdep-rebuild is there in case glsa-check actually does anything - but as said, I've never seen it report any GLSAs for me.

----------

## Telemin

How long is a piece of string? It all depends on your needs. I have servers that I look after. They all email me a daily "health report" which includes the usual load stats, fail2ban stats, and any warning output from glsa-check, smartd, my log checker, backup scripts etc. I do from time to time get glsa notifications, so for me it is worth it.

Do I ever run it on my desktop or laptop? No, there it isn't worth it.

I'm afraid you have to decide for yourself what your level of risk is and the appropriate level of action to take against it.

-Telemin-

----------

## mvaterlaus

I agree with Telemin.

I also run it on all my servers, since I don't want to fully update the servers every week. I do a full update every 3-6 months, except for security updates. If you only want to do security updates, run

```
emerge -av @security
```

Of course, you have to update your portage tree first to get new GLSAs. I don't know any other way to receive them.

Also, there is a check for Nagios / Icinga, so you can monitor your servers or VMs.

```
net-analyzer/nagios-check_glsa2
```

I do not run it on my desktops.

Cheers

madmat

----------

## charles17

*mvaterlaus wrote:*

> If you only want to do security updates, run
>
> ```
> emerge -av @security
> ```
> ...

What is @security? I've never seen it before. Which package provides it?

----------

## Syl20

AFAIK glsa-check alerts on packages that have security holes and aren't updated. If you did update your whole system before running it, it should never say anything. So I think you could remove this check in your procedure.

You could also replace revdep-rebuild by emerge @preserved-rebuild.

----------

## mvaterlaus

@security is a set of packages, like @world, which contains all packages with security fixes. I've read about it in the forums some time ago, but can't find it in any man page.

----------

## charles17

*Syl20 wrote:*

> AFAIK glsa-check alerts on packages that have security holes and aren't updated.

One example:

https://www.mozilla.org/en-US/firefox/45.8.0/releasenotes/ reports about security fixes

https://bugs.gentoo.org/show_bug.cgi?id=CVE-2017-5398 Reported: 2017-03-08 00:06 UTC

firefox-45.8.0.ebuild becomes available in pgo, 2017-03-08 20:16:25 -0500

https://security.gentoo.org/glsa/201705-06 Release Date May 09, 2017

There are two months between package availability and GLSA.

Isn't there a tool evaluating these bugs for affected package versions and comparing them with entries in /var/db/pkg/?

----------
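On the question of a tool that evaluates GLSA entries against what is installed in /var/db/pkg/: that comparison is the core of what glsa-check does. The following is an added example, not code from this thread or from gentoolkit; it applies the glsa-check rule (an installed version is affected when it falls inside a `<vulnerable>` range and inside no `<unaffected>` range) to a constructed GLSA-style document and a constructed list of installed package directory names. The GLSA id, the `app-misc/example` package and all version bounds are made-up values, and the version comparison is a simplified one that only understands dotted numbers and `-rN` revisions.

```python
import operator
import re
import xml.etree.ElementTree as ET

# Constructed GLSA-style XML: element layout follows the real GLSA format,
# the id and version bounds are made-up illustration values.
SAMPLE_GLSA = """<glsa id="000000-00">
  <affected>
    <package name="www-client/firefox" auto="yes" arch="*">
      <unaffected range="ge">45.9.0</unaffected>
      <vulnerable range="lt">45.9.0</vulnerable>
    </package>
    <package name="app-misc/example" auto="yes" arch="*">
      <unaffected range="ge">1.2.3-r1</unaffected>
      <vulnerable range="lt">1.2.3-r1</vulnerable>
    </package>
  </affected>
</glsa>"""

# Constructed stand-in for the <category>/<pkg>-<version> directory names
# found under /var/db/pkg/ on a Gentoo system.
INSTALLED = ["www-client/firefox-45.8.0", "app-misc/example-1.2.3-r1",
             "dev-lang/foo-2.0"]

OPS = {"lt": operator.lt, "le": operator.le, "gt": operator.gt,
       "ge": operator.ge, "eq": operator.eq}

def parse_version(ver):
    # Simplified: dotted numbers plus optional -rN; _p/_rc suffixes not handled.
    main, _, rev = ver.partition("-r")
    return tuple(int(x) for x in main.split(".")), int(rev or 0)

def in_range(installed, rng, bound):
    return OPS[rng](parse_version(installed), parse_version(bound))

def affected_packages(glsa_xml, installed):
    """(glsa_id, cat/pkg-ver) for versions in a vulnerable and no unaffected range."""
    root = ET.fromstring(glsa_xml)
    by_name = {}
    for entry in installed:            # split "cat/pkg-1.2.3-r1" at the version
        name, ver = re.match(r"^(.*?)-(\d.*)$", entry).groups()
        by_name.setdefault(name, []).append(ver)
    hits = []
    for pkg in root.iter("package"):
        vuln = [(e.get("range"), e.text.strip()) for e in pkg.findall("vulnerable")]
        safe = [(e.get("range"), e.text.strip()) for e in pkg.findall("unaffected")]
        for ver in by_name.get(pkg.get("name"), []):
            if (any(in_range(ver, r, b) for r, b in vuln)
                    and not any(in_range(ver, r, b) for r, b in safe)):
                hits.append((root.get("id"), f"{pkg.get('name')}-{ver}"))
    return hits
```

With the constructed data, only `www-client/firefox-45.8.0` is reported, since `app-misc/example-1.2.3-r1` already sits in its unaffected range.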

