| 1 |
On Tuesday 20 September 2005 18:15, Thierry Carrez wrote: |
| 2 |
> Carsten Lohrke wrote: |
| 3 |
> > This is indeed a problem. But the user expects a single point of |
| 4 |
> > information about vulnerabilities from a distribution - and he's |
| 5 |
> > absolutely right to do so. |
| 6 |
> |
| 7 |
> No, the user expects a single information channel. If we release Kernel |
| 8 |
> alerts (GLKAs) in the same media as GLSAs (gentoo-announce, forums and |
| 9 |
> RSS feed) he will get both. We can even name them "GLSAs" if that makes |
| 10 |
> you feel better. They just won't have the same contents and won't be |
| 11 |
> used by the same tools (see my explanation about glsa-check dealing with |
| 12 |
> installed packages rather than with currently used kernel). |
| 13 |
|
| 14 |
I think you got me wrong here, I meant absolutely the same as you. The point |
| 15 |
is I never saw any GLKA and no GLSA regarding kernel issues for quite a while |
| 16 |
and while I do not follow the kernel development closely and kiss.gentoo.org |
| 17 |
results in 404 since some time, I'm pretty sure there is quite a number of |
| 18 |
open vulnerabilities - at least in the latest stable 2.4.x kernel. |
| 19 |
|
| 20 |
> Thing is, we can't fix all kernel issues in time for *any* source. By |
| 21 |
> listing vulnerabilities rather than fixes, we : |
| 22 |
|
| 23 |
What's the reason? The kernel is of course a bit more critical than Does the |
| 24 |
kernel herd need more time fixing and testing, do the arch herds need more |
| 25 |
time testing, lack of man power? |
| 26 |
|
| 27 |
|
| 28 |
Carsten |
Archives