| 1 |
On Tue, 20 Sep 2005 07:16:36 -0500 |
| 2 |
"Brian G. Peterson" <brian@×××××××××.com> wrote: |
| 3 |
|
| 4 |
> On Tuesday 20 September 2005 06:09 am, Calum wrote: |
| 5 |
> > I prefer the idea that tracking one source (GLSAs) would provide me |
| 6 |
> > with all the information I needed to keep my Gentoo boxes secure, |
| 7 |
> > but if we were all to change to a new system, perhaps the kernel |
| 8 |
> > GLSAs should have overlapped with this new system until it was in, |
| 9 |
> > tested, and adopted? |
| 10 |
> |
| 11 |
> While I think that kernels do need additional information to be |
| 12 |
> supplied about a potential security hole (kernel security problems |
| 13 |
> often occur in a module that many people may not use), I agree that |
| 14 |
> kernel vulnerabilities should be published as GLSAs. |
| 15 |
> |
| 16 |
> I subscribe to the GLSA RSS feed, and scan that feed manually against |
| 17 |
> my installed software list. The glsa-check tool is basically useless |
| 18 |
> (as of gentoolkit-0.2.1_pre7), as it shows all GLSAs rather than just |
| 19 |
> GLSAs for tools that correspond to packages installed on the system |
| 20 |
> it is run on. |
| 21 |
|
| 22 |
Can you explain this a bit more? glsa-check hasn't actually changed for |
| 23 |
a long time. Also make sure you don't confuse the --list option with |
| 24 |
the --test option. |
| 25 |
|
| 26 |
Marius |
| 27 |
|
| 28 |
-- |
| 29 |
Public Key at http://www.genone.de/info/gpg-key.pub |
| 30 |
|
| 31 |
In the beginning, there was nothing. And God said, 'Let there be |
| 32 |
Light.' And there was still nothing, but you could see a bit better. |
Archives