List Archive: gentoo-security
Headers:
To: gentoo-security@g.o
From: Sune Kloppenborg Jeppesen <jaervosz@g.o>
Subject: Re: Days of yore
Date: Mon, 16 Apr 2007 20:31:27 +0200
Hi Calum,

On Monday 16 April 2007 19:09, Calum wrote:
> Yep, It sounds like it might have been promising. However, who on
> earth thought it would be a good idea to remove the functioning kernel
> security alert system **before** the replacement was written, working,
> heavily tested, and all the users given 12 months of notice?
> (The obvious method of notification would have been to create a fake
> GLSA for glsa-check.)
I'm not proud of the situation either, but it's not going to magically give me
the time/skills to actually do this stuff. I agree that it has been
mishandled, but given my time restraints I simply can only wait for a good
recruit to appear.

I agree that policy should be updated to reflect this but that got bogged down 
by other issues last I tried. I'll try again.

> > This started out as a small
> > problem that we thought would be temporary but has sadly turned kind of
> > permanent without us informing users properly.
>
> This is why, when people ask me if they can "temporarily" do things in
> my lab, I say no.
> Temporarily often has a habit of not being.
Volunteer projects unfortunately don't work the way normal paid work does.
If someone is willing to actually sponsor kernel GLSAs I'm sure someone will
step up :-)

> Could we just get GLSAs going again for some of the most common
> sources for now then? Say gentoo, and hardened? x86, and AMD?
> Or some virtual ebuild that requires certain versions of kernels to be
> installed, that can be updated via Portage from time to time.
> Then you could script emerge -pv sys-kernel/secure-kernel-source, and
> when it said it would need to install hardened-sources 2.6.26, you'd
> know that there must have been a bug in <2.4.26.
I would gladly see that happen, but I guess you have to talk to hlieberman
from security or some of the kernel maintainers (which are understaffed as
well as far as I understand it). Or wait for others to reply.

If someone is willing to take the time to actually draft the GLSAs I'd be 
happy to send/review.

-- 
Sune Kloppenborg Jeppesen
Gentoo Linux Security Team
Updated Jun 17, 2009

Summary: Archive of the gentoo-security mailing list.