List Archive: gentoo-security
On Tuesday 20 September 2005 16:44, Thierry Carrez wrote:
> We used to do GLSAs about kernel issues but then we faced major
> problems. The main one was that we issue GLSAs when vulnerabilities are
> fixed in the tree, to tell people to upgrade to a fixed package. But if
> we wait until all kernel sources are fixed in Portage, the GLSA wouldn't be
> out for months after the vulnerability was disclosed. Secondary problems
> were due to the fact that kernel issues were piling up in the meantime,
> so when you do issue a GLSA, it wouldn't cover the recent vulnerabilities
> but just told about some that were fixed months ago. So we kept on
> pushing back the GLSA release date... It just wasn't a solution.
This is indeed a problem. But the user expects a single point of information
about vulnerabilities from a distribution - and he's absolutely right to do
so. KISS is fine, but only as an additional source. Please don't see the
following as flaming, but: if for some reason we can't fix kernel issues in
time, or at least not on all architectures, then it's probably better to send
out a GLSA saying that we drop these architectures security-wise or that we have
problems with fixing kernel vulnerabilities, noting them and asking people to
stop using distinct kernels, or Gentoo at all in the worst case, as long as we
cannot react in acceptable time.