| 1 |
On Wed, Jul 6, 2016 at 8:19 AM, Kristian Fiskerstrand <k_f@g.o> wrote: |
| 2 |
> On 07/06/2016 02:11 PM, Rich Freeman wrote: |
| 3 |
> |
| 4 |
>> announcement (which is something we lack - we issue GLSAs sometimes |
| 5 |
>> ages after something is fixed on x86/amd64). Granted, that should be |
| 6 |
>> news enough that people are getting the message in other ways unless |
| 7 |
>> it is Gentoo-specific. |
| 8 |
> |
| 9 |
> GLSA is a separate discussion, but amd64 and x86 are not the only stable |
| 10 |
> architectures in Gentoo, and the GLEP isn't sent until stabilized across |
| 11 |
> the supported arches. That.. and a lower than wanted manpower to write |
| 12 |
> up the GLSAs vs scouting, wrangling and auditing work. |
| 13 |
> |
| 14 |
|
| 15 |
I understand that. However, I just sometimes wonder whether that |
| 16 |
approach makes sense. The result of the current system is that we |
| 17 |
don't release GLSAs until well after a bug is fixed, sometimes after |
| 18 |
months. |
| 19 |
|
| 20 |
So, GLSAs don't tell you if you're vulnerable to a known problem (even |
| 21 |
discounting embargo periods). They only tell you if you have been |
| 22 |
slower in updating your system than every stable arch team and the |
| 23 |
GLSA team (and that is ignoring the occasional false positive). To be |
| 24 |
really secure you either need to just accept every update in the tree, |
| 25 |
or carefully follow bugzilla for security bugs. Either way the GLSA |
| 26 |
doesn't add much. |
| 27 |
|
| 28 |
GLSAs should almost follow the lifecycle of vulnerabilities, or maybe |
| 29 |
be issued per-arch. Lots of ways to handle it. |
| 30 |
|
| 31 |
But I agree that it is out of the scope of this discussion. And I |
| 32 |
just say that as a suggestion - I accept that I haven't volunteered to |
| 33 |
retool the GLSA system and it has historically been woefully |
| 34 |
undermanned. |
| 35 |
|
| 36 |
-- |
| 37 |
Rich |
Archives