List Archive: gentoo-security
Note: Due to technical difficulties, the Archives are currently not up to date.
provides an alternative service for most mailing lists.c.f. bug 424647
On 10/17/2010 11:51 AM, Alex Legler wrote:
> Excerpts from Israel G. Lugo's message of Sun Oct 17 15:59:15 +0200 2010:
>> Your own
>> vulnerability treatment policy ranks it as A1 level, and correctly so in
>> my opinion.
> Besides the fact that the VTP is still not applicable to Kernel
> packages, we now do seem to rank things correctly? Can you please make
> up your mind?
The VTP States:
Currently kernels are not covered by the GLSA release process.
Vulnerabilities must still be reported and will be fixed, but no GLSA
will be issued when everything is solved.
To me that sounds like we still do everything the same, but we don't
publish a GLSA when we're done. It is then suggested that the reason
for the policy is that we have shortcomings in our current tools.
It does not sound to me like we just take care of kernel root exploits
whenever we get around to it, as a matter of policy.
If we do not officially support security updates on the kernel the
webpage should be updated to explicitly state so. Of course, it would
be better to actually have a sane security policy on the kernel, even if
we can't make official GLSAs. Also, tool problems or not there is no
reason we couldn't grant somebody rights to post to the GLSA mailing
list so that they could send out manual notifications when serious
kernel vulnerabilities are fixed.
As it stands, a new gentoo-sources version was fixed, but the vulnerable
versions remain in portage and are not masked, so even users who run
emerge world often might not have realized that the need to upgrade
their kernels (as in build and install them and not just have the
sources lying around). I know I usually take my time on kernel upgrades
waiting for opportune moments, unless there is a serious issue with the
version I'm running.
This isn't about blame-finding/etc. It would be nice to look at the
overall process going forward and try to improve it. That starts by
admitting that next time we'd like to do better.