Hi Andreas

On 04/05/2017 08:31, Henkel, Andreas wrote:
> Hi, 
>
> Recently we started using eb for our new cluster. Yesterday, in our group 
> meeting a question was raised concerning updates and security patches for 
> installed software similar to apt update/upgrade, yum update,...?
> Or is there a routine to check for newer releases of installed easyconfigs? 
Short answer: No

There are no such systems in place. EasyBuild does not have a security
team, so there are no systems in place for installing security updates.

The main point of EasyBuild is to get user software installed on the
system, usable by users, for users. You would not run EasyBuild as root
(this was even explicitly very hard to do until very recently; now
it has a very clear config option informing you that you should not use that
option, but some people have their own reasons to do things as root). And
you would not install software with setuid, and you would not run
EasyBuild-installed software as root (or, more broadly, as a privileged
sudo-capable user), but only as a non-privileged user.
As such, from the point of view of a system administrator, the security of your
system would not be impacted by software installed by EasyBuild, at
least not any more than by any software any user can scp to their home dir
and run there.
(At least, unless you mount home and scratch as noexec.)
Since we allow our users to write and compile their own software,
EasyBuild was developed to provide centrally installed (and optimized)
software as a convenience to our users; it has never been in our scope for
EasyBuild-installed software to be the only allowable software to run.

Furthermore, EasyBuild doesn't 'update' installed software. An installed
software package will always stay installed; newer versions will be
installed alongside it, not replace it. This is one of the main reasons
to use EasyBuild: so you can easily use different versions of the same
package on the same system.

And lastly, the easyconfig files provided by EasyBuild should be seen as
'examples' only. People can privately have 1000s of applications that
are not known and never published to EasyBuild, so no central
EasyBuild security team could ever notify you of updates for these packages.

I do realize there exist a few bad scenarios, e.g. software that opens
up sockets to listen for incoming connections, such as MariaDB and
MongoDB. If these packages have security issues (or are badly
configured), your users risk loss of confidentiality of their data or
even arbitrary code executing as their user (not root, not a sudo user).
Or a software package that has issues and opens up a user's files to the
world.
This would require you to either educate your users not to use the bad
software in an unsafe way, or manually remove it and install a patched
version and tell them to use that version. If you are a non-admin user
using EasyBuild to install your own software on a system, you will need
to follow up on this yourself, as there is currently nobody paid to do this
centrally for all EB easyconfigs.

There are tools out there (like the Fedora packagers' tools) that will
scan upstream links to automatically inform packagers of new installs.
But as far as I know nobody has looked at this yet for EasyBuild.
Some work was started on making it easy for you to bump all the
dependencies of a given package to the latest version [0], but this
still relies on someone figuring out that a new version is available and
adding it to the central (or local) easyconfigs repository.

I hope this clears up a few things for you.

Regards,
Jens Timmerman
> Best, 
> Andreas Henkel
[0] https://github.com/hpcugent/easybuild-framework/pull/2136
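As an added example, not code from this thread or from the EasyBuild project: a small Python check that compares the newest installed version of each EasyBuild module against a list of upstream releases, in the spirit of the upstream-scanning packager tools mentioned above. The installed module names and the upstream release list are constructed sample data; EasyBuild's default module naming (`<name>/<version>[-<toolchain>...]`) is assumed, and a real run would read `module avail` output and query a release-monitoring service instead of a hard-coded dict. Because EasyBuild keeps older versions installed alongside newer ones, the check groups all installed versions per package and only compares the newest one.

```python
import re

# Constructed sample of installed modules, named as EasyBuild installs them
# (<name>/<version>-<toolchain>...). "MyLocalTool" stands in for a private
# package that no central easyconfig repository knows about.
INSTALLED_MODULES = [
    "MariaDB/10.1.21-foss-2016b",
    "MariaDB/10.1.19-foss-2016a",
    "MongoDB/3.4.2",
    "GCC/5.4.0-2.26",
    "Python/2.7.12-foss-2016b",
    "MyLocalTool/1.0",
]

# Constructed sample of upstream releases. In practice this would be fetched
# from a release-monitoring service rather than hard-coded (assumption).
UPSTREAM_RELEASES = {
    "MariaDB": ["10.1.21", "10.1.22", "10.2.5"],
    "MongoDB": ["3.4.1", "3.4.2"],
    "GCC": ["5.4.0", "6.3.0"],
    "Python": ["2.7.12", "2.7.13", "3.6.1"],
}


def version_key(version):
    """Sort key for dotted versions: numeric parts compare as integers
    (so 2.7.12 > 2.7.9), non-numeric parts fall back to string order."""
    key = []
    for part in version.split("."):
        if part.isdigit():
            key.append((0, int(part), ""))
        else:
            key.append((1, 0, part))
    return tuple(key)


def parse_module(module_name):
    """Split 'name/version[-toolchain...]' into (name, software version).
    Assumes EasyBuild's default naming scheme: the software version is the
    part before the first '-', which starts the toolchain or versionsuffix."""
    name, _, rest = module_name.partition("/")
    if not rest:
        raise ValueError("not an EasyBuild-style module name: %r" % module_name)
    version = rest.split("-", 1)[0]
    return name, version


def installed_versions(module_names):
    """Group installed versions by software name. EasyBuild never replaces an
    install, so a package usually maps to several versions, sorted oldest first."""
    by_name = {}
    for module_name in module_names:
        name, version = parse_module(module_name)
        by_name.setdefault(name, set()).add(version)
    return {name: sorted(vs, key=version_key) for name, vs in by_name.items()}


def outdated(module_names, upstream):
    """Return {name: (newest installed, newest upstream)} for packages whose
    newest installed version is older than the newest upstream release.
    Packages absent from the upstream list are skipped: nobody central can
    report on private easyconfigs."""
    report = {}
    for name, versions in installed_versions(module_names).items():
        if name not in upstream:
            continue
        newest_installed = versions[-1]
        newest_upstream = max(upstream[name], key=version_key)
        if version_key(newest_upstream) > version_key(newest_installed):
            report[name] = (newest_installed, newest_upstream)
    return report


if __name__ == "__main__":
    for name, (have, latest) in sorted(outdated(INSTALLED_MODULES, UPSTREAM_RELEASES).items()):
        print("%s: newest installed %s, upstream has %s" % (name, have, latest))
```

The output is advisory only: as the reply explains, nothing here installs or replaces anything, so acting on a flagged package still means adding a new easyconfig and telling users which version to load.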
