Gentoo Archives: gentoo-security

From: Carsten Lohrke <carlo@g.o>
To: gentoo-security@l.g.o
Subject: Re: [gentoo-security] Kernels and GLSAs
Date: Tue, 20 Sep 2005 17:56:19
Message-Id: 200509201950.40901.carlo@gentoo.org
In Reply to: Re: [gentoo-security] Kernels and GLSAs by Thierry Carrez
On Tuesday 20 September 2005 18:15, Thierry Carrez wrote:
> Carsten Lohrke wrote:
> > This is indeed a problem. But the user expects a single point of
> > information about vulnerabilities from a distribution - and he's
> > absolutely right to do so.
>
> No, the user expects a single information channel. If we release Kernel
> alerts (GLKAs) in the same media as GLSAs (gentoo-announce, forums and
> RSS feed) he will get both. We can even name them "GLSAs" if that makes
> you feel better. They just won't have the same contents and won't be
> used by the same tools (see my explanation about glsa-check dealing with
> installed packages rather than with currently used kernel).

I think you got me wrong here; I meant absolutely the same as you. The point is, I never saw any GLKA, and no GLSA regarding kernel issues for quite a while, and while I do not follow the kernel development closely and kiss.gentoo.org has resulted in a 404 for some time, I'm pretty sure there are quite a number of open vulnerabilities - at least in the latest stable 2.4.x kernel.

> Thing is, we can't fix all kernel issues in time for *any* source. By
> listing vulnerabilities rather than fixes, we :

What's the reason? The kernel is of course a bit more critical than Does the kernel herd need more time fixing and testing, do the arch herds need more time testing, lack of man power?

Carsten