List Archive: gentoo-security
Note: Due to technical difficulties, the Archives are currently not up to date.
provides an alternative service for most mailing lists.c.f. bug 424647
On Monday 16 April 2007 19:09, Calum wrote:
> Yep, It sounds like it might have been promising. However, who on
> earth thought it would be a good idea to remove the functioning kernel
> security alert system **before** the replacement was written, working,
> heavily tested, and all the users given 12 months of notice?
> (The obvious method of notification would have been to create a fake
> GLSA for glsa-check.)
I'm not proud of the situation either, but it's not going to magically give me
the time/skills to actually do this stuff. I agree that it has been
mishandled, but given my timerestraints I simply can only wait for a good
recruit to appear.
I agree that policy should be updated to reflect this but that got bogged down
by other issues last I tried. I'll try again.
> > This started out as a small
> > problem that we thought would be temporary but has sadly turned kind of
> > permanent without us informing users properly.
> This is why, when people ask me if they can "temporarily" do things in
> my lab, I say no.
> Temporarily often has a habit of not being.
Volunteer projects unfortunately doesn't work the way normal paid work does.
If someone is willing to actually sponsor kernel GLSAs I'm sure someone will
> Could we just get GLSAs going again for some of the most common
> sources for now then? Say gentoo, and hardened? x86, and AMD?
> Or some virtual ebuild that requires certain versions of kernels to be
> installed, that can be updated via Portage from time to time.
> Then you could script emerge -pv sys-kernel/secure-kernel-source, and
> when it said it would need to install hardened-sources 2.6.26, you'd
> know that there must have been a bug in <2.4.26.
I would gladly see that happen, but I guess you have to talk to hlieberman
from security or some of the kernel maintainers (which are understaffed as
well as far as I undestand it). Or wait for others to reply.
If someone is willing to take the time to actually draft the GLSAs I'd be
happy to send/review.
Sune Kloppenborg Jeppesen
Gentoo Linux Security Team