| 1 |
On Feb 16, 2008 10:57 PM, Casey Link <unnamedrambler@×××××.com> wrote: |
| 2 |
> After reading the tangent topic in bug id 209460 concerning kernel |
| 3 |
> vulnerabilities and GLSAs I did some searching and |
| 4 |
> came across the "Kernels and GLSAs" thread from awhile ago. |
| 5 |
|
| 6 |
And here's another one: |
| 7 |
|
| 8 |
http://archives.gentoo.org/gentoo-security/msg_b4dcb17d4fef48ce663b9352870be6a8.xml |
| 9 |
|
| 10 |
I started this one, and share the same views as then. |
| 11 |
It might be boring work, (and no, I can't do it - I'm just a user of |
| 12 |
Gentoo), but it's just strange to leave out the core on which all |
| 13 |
other packages utilise, and depend on. |
| 14 |
|
| 15 |
Perhaps a compromise could be reached: Only serious vulnerabilities, |
| 16 |
in defaultly/commonly/always used parts of the kernel, causing local, |
| 17 |
or remote root escalations would be notified? |
| 18 |
|
| 19 |
Ddos in raid-xyz.o on MIPS only in 2.6.16-rc2-mm-test - doesn't matter. |
| 20 |
local root in splice.c on x86/amd64 affecting 95% of kernel users - does matter. |
| 21 |
|
| 22 |
In fact, I'd prefer that to the old |
| 23 |
create-a-GLSA-for-every-kernel-problem solution. |
| 24 |
|
| 25 |
Anyway, it's late, and I'm tired, and I'm not detracting from the |
| 26 |
great job the security team do (and especially the Hardened guys), but |
| 27 |
it's nice to have just a one-stop-shop to know if you're running |
| 28 |
secure versions of things. (*Yes, having sources-x.y.z installed |
| 29 |
doesn't mean that you're running it, but at least it'll force you to |
| 30 |
install the sources to stop glsa-check from bitchin' :) - and then, |
| 31 |
well, if you don't compile, build, and run it, well, that's your own |
| 32 |
fault. ) |
| 33 |
|
| 34 |
C |
| 35 |
|
| 36 |
-- |
| 37 |
http://linuxvps.org/ |
| 38 |
-- |
| 39 |
gentoo-security@l.g.o mailing list |
Archives