Gentoo Archives: gentoo-security

From: Joost Roeleveld <joost@××××××××.org>
To: gentoo-security@l.g.o
Subject: Re: [gentoo-security] No GLSA since January?!?
Date: Fri, 26 Aug 2011 19:31:51
Message-Id: 5660933.rezFHW0F9t@eve
In Reply to: Re: [gentoo-security] No GLSA since January?!? by Alex Legler
On Friday, August 26, 2011 08:07:57 PM Alex Legler wrote:
> On Friday 26 August 2011 20:00:15 Joost Roeleveld wrote: > > On Friday, August 26, 2011 07:06:35 PM Christian Kauhaus wrote: > > > Am 26.08.2011 18:55, schrieb Alex Legler: > > > > Compared to other distributions, our advisories have been rather > > > > detailed with lots of manually researched information. I'm not > > > > sure > > > > if > > > > we can keep up this very high standard with the limited > > > > manpower, > > > > but > > > > we'll try our best. > > > > > > I see the point. I think it would be an achievement over the current > > > situation (which is: no current GLSAs at all) to send out less > > > detailed > > > GLSAs. Even something short as: "$PACKAGE has vulnerabilities, they > > > are > > > fixed in $VERSION, for details see $CVE" would be immensely helpful. > > > > > > Is the any viable way to get it at least to this point? Probably the > > > largest part of such a task could be automated. This would lift the > > > burden from the security maintainers. > > > > I agree on this. > > I don't (yet) know enough to actually help in this. I tend to follow > > advisories and try to keep my machines as much up-to-date as possible. > > > > More brief GSLAs like what Christian mentioned are, for the majority, > > sufficient. If someone really needs more information, there is always > > google. > > Like I said, please use Bugzilla and some basic filtering to get > notifications until we can provide full advisories again. I realize it's > not a solution and you will get the information somewhat unfiltered, but it > is a reliable and most importantly currently available source of > information. > > Alex
Alex, If my reply seemed, in any way, to suggest I do not appreciate the amount of work that has been going into the GLSAs and the difficulty in finding the people to keep doing it, then I am sorry. It wasn't meant to sound that way. I'll go read the Padawan page and see if there is anything I can do. For others, the padawan-page can be found here: http://www.gentoo.org/security/en/padawans.xml -- Joost