On Feb 16, 2008 10:57 PM, Casey Link <unnamedrambler@×××××.com> wrote:
> After reading the tangent topic in bug id 209460 concerning kernel
> vulnerabilities and GLSAs I did some searching and
> came across the "Kernels and GLSAs" thread from awhile ago.

And here's another one:

http://archives.gentoo.org/gentoo-security/msg_b4dcb17d4fef48ce663b9352870be6a8.xml

I started this one, and share the same views as then.
It might be boring work, (and no, I can't do it - I'm just a user of
Gentoo), but it's just strange to leave out the core on which all
other packages utilise, and depend on.

Perhaps a compromise could be reached: Only serious vulnerabilities,
in defaultly/commonly/always used parts of the kernel, causing local,
or remote root escalations would be notified?

Ddos in raid-xyz.o on MIPS only in 2.6.16-rc2-mm-test - doesn't matter.
local root in splice.c on x86/amd64 affecting 95% of kernel users - does matter.

In fact, I'd prefer that to the old
create-a-GLSA-for-every-kernel-problem solution.

Anyway, it's late, and I'm tired, and I'm not detracting from the
great job the security team do (and especially the Hardened guys), but
it's nice to have just a one-stop-shop to know if you're running
secure versions of things. (*Yes, having sources-x.y.z installed
doesn't mean that you're running it, but at least it'll force you to
install the sources to stop glsa-check from bitchin' :) - and then,
well, if you don't compile, build, and run it, well, that's your own
fault. )

C

--
http://linuxvps.org/
--
gentoo-security@l.g.o mailing list