On Wed, Jul 6, 2016 at 8:19 AM, Kristian Fiskerstrand <k_f@g.o> wrote:
> On 07/06/2016 02:11 PM, Rich Freeman wrote:
>
>> announcement (which is something we lack - we issue GLSAs sometimes
>> ages after something is fixed on x86/amd64). Granted, that should be
>> news enough that people are getting the message in other ways unless
>> it is Gentoo-specific.
>
> GLSA is a separate discussion, but amd64 and x86 are not the only stable
> architectures in Gentoo, and the GLEP isn't sent until stabilized across
> the supported arches. That.. and a lower than wanted manpower to write
> up the GLSAs vs scouting, wrangling and auditing work.
>

I understand that. However, I just sometimes wonder whether that
approach makes sense. The result of the current system is that we
don't release GLSAs until well after a bug is fixed, sometimes after
months.

So, GLSAs don't tell you if you're vulnerable to a known problem (even
discounting embargo periods). They only tell you if you have been
slower in updating your system than every stable arch team and the
GLSA team (and that is ignoring the occasional false positive). To be
really secure you either need to just accept every update in the tree,
or carefully follow bugzilla for security bugs. Either way the GLSA
doesn't add much.

GLSAs should almost follow the lifecycle of vulnerabilities, or maybe
be issued per-arch. Lots of ways to handle it.

But I agree that it is out of the scope of this discussion. And I
just say that as a suggestion - I accept that I haven't volunteered to
retool the GLSA system and it has historically been woefully
undermanned.

--
Rich