On Tuesday 20 September 2005 06:09 am, Calum wrote:
> I prefer the idea that tracking one source (GLSAs) would provide me with
> all the information I needed to keep my Gentoo boxes secure, but if we
> were all to change to a new system, perhaps the kernel GLSAs should have
> overlapped with this new system until it was in, tested, and adopted?

While I think that kernels do need additional information to be supplied about
a potential security hole (kernel security problems often occur in a module
that many people may not use), I agree that kernel vulnerabilities should be
published as GLSAs.

I subscribe to the GLSA RSS feed, and scan that feed manually against my
installed software list. The glsa-check tool is basically useless (as of
gentoolkit-0.2.1_pre7), as it shows all GLSAs rather than just GLSAs for
tools that correspond to packages installed on the system it is run on.

This document here:
http://www.gentoo.org/proj/en/portage/glsa-integration.xml
talks about including glsa support directly in portage, which I think is the
right idea. It mentions kernels as covered by glsa-check.

In the end, I will be happy with any tool (preferably emerge and/or equery)
that can check a running system's installed packages and tell me what GLSAs
apply to that system.

Regards,

- Brian

--
gentoo-security@g.o mailing list