Note: Due to technical difficulties, the Archives are currently not up to date.
GMANE provides an alternative service for most mailing lists. c.f. bug 424647
Hi Kevin.<br><br>That is an interesting idea. So one could check about vulnerabilies solutions<br>_before_ package installation. And better. This could give us a measure about <br>how secure [think a little bit ahead] packages in portage tree are. <br>
<br>Actually, there are some mechanisms to know what is the mean time corrections are <br>provided when one look to portage's tree as a whole?<br><br>I like this idea and would like to suggest two other variables <br>
<br>SECURITY_CORRECTION_DATE<br>SECURITY_DISCOVERY_DATE<br><br>containing the date the correction was published on portage tree and<br>the date the problem was post [may be in bugzilla]<br><br>Let me go back and continue to read Security Project documentation.<br>
<br><br>Regards,<br><br>Daniel A. Avelino<br><br><br><div class="gmail_quote">On Fri, Aug 26, 2011 at 3:08 PM, Kevin Bryan <span dir="ltr"><<a href="mailto:bryank@...">bryank@...</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">-----BEGIN PGP SIGNED MESSAGE-----<br>
Hash: SHA1<br>
<br>
Although I like having the summary information about what the<br>
vulnerability is, if I'm only reading them for packages I have<br>
installed, then a reference of some kind would suffice.<br>
<br>
I'd be fine even if it was just a new variable in the .ebuild file that<br>
somehow indicated which versions it was a fix for, reusing the syntax<br>
for dependency checking. A reference to the CVE or gentoo bug reference<br>
would be good, too:<br>
<br>
SECURITY_FIXES="<www-plugins/adobe-flash-10.1.102.64"<br>
SECURITY_REF="CVE:2010-2169 http://..."<br>
SECURITY_BUG="343089"<br>
SECURITY_IMPACT="remote"<br>
<br>
Then would be most of the work the committer needs to do is right there<br>
in a file they are modifying anyway.<br>
<br>
The portage @security set could also look for and evaluate these tags,<br>
instead of parsing the GLSA's.<br>
<br>
Note on the impact variable: make a few easy to understand tags:<br>
local<br>
remote<br>
remote-user-assist<br>
denial-of-service<br>
...<br>
<br>
- --Kevin<br>
<div class="im"><br>
<br>
On Fri, Aug 26, 2011 at 07:06:35PM +0200, Christian Kauhaus wrote:<br>
<br>
> Am <a href="tel:26.08.2011%2018" value="+12608201118">26.08.2011 18</a>:55, schrieb Alex Legler:<br>
> > Compared to other distributions, our advisories have been rather detailed with<br>
> > lots of manually researched information. I'm not sure if we can keep up this<br>
> > very high standard with the limited manpower, but we'll try our best.<br>
><br>
> I see the point. I think it would be an achievement over the current situation<br>
> (which is: no current GLSAs at all) to send out less detailed GLSAs. Even<br>
> something short as: "$PACKAGE has vulnerabilities, they are fixed in $VERSION,<br>
> for details see $CVE" would be immensely helpful.<br>
><br>
> Is the any viable way to get it at least to this point? Probably the largest<br>
> part of such a task could be automated. This would lift the burden from the<br>
> security maintainers.<br>
><br>
> Regards<br>
><br>
> Christian<br>
><br>
</div>-----BEGIN PGP SIGNATURE-----<br>
Version: GnuPG v2.0.18 (GNU/Linux)<br>
<br>
iEYEARECAAYFAk5X4SYACgkQ6ENyPMTUmzpTLwCeIrikkC82ZC/YMALUD3AUOG71<br>
GQ0An02FoagrOJSU4kFQ8RUP+q/1+zQn<br>
=/kf5<br>
-----END PGP SIGNATURE-----<br>
<br>
</blockquote></div><br>
|
|
