Gentoo Logo
Gentoo Spaceship




Note: Due to technical difficulties, the Archives are currently not up to date. GMANE provides an alternative service for most mailing lists.
c.f. bug 424647
List Archive: gentoo-security
Navigation:
Lists: gentoo-security: < Prev By Thread Next > < Prev By Date Next >
Headers:
To: gentoo-security@g.o
From: Carsten Lohrke <carlo@g.o>
Subject: Re: Kernels and GLSAs
Date: Tue, 20 Sep 2005 17:30:32 +0200
On Tuesday 20 September 2005 16:44, Thierry Carrez wrote:
> We used to do GLSAs about kernel issues but then we faced major
> problems. The main one was that we issue GLSAs when vulnerabilities are
> fixed in the tree, to tell people to upgrade to a fixed package. But if
> we wait until all kernel sources are fixed in Portage, the GLSA wasn't
> out for months after the vulnerability was disclosed. Secondary problems
> were due to the fact that kernel issues were piling up in the meantime,
> so when you do issue a GLSA, it didn't cover the recent vulnerabilities
> but just told about some that were fixed months ago. So we kept on
> pushing back the GLSA release date... It just wasn't a solution.

This is indeed a problem. But the user expects a single point of information 
about vulnerabilities from a distribution - and he's absolutely right to do 
so. KISS is fine, but only as additional source. Please don't see the 
following as flaming, but: So for some reason we can't fix kernel issues in 
time or at least not on all architectures - then it's probably better to send 
out a GLSA that we drop these architectures security-wise or that we have 
problems with fixing kernel vulnerabilities, noting them and ask people to 
stop using distinct kernels or Gentoo at all in the worst case as long as we 
cannot react in acceptabe time.


Carsten
Attachment:
pgpT7NJw4vDWh.pgp (PGP signature)
Replies:
Re: Kernels and GLSAs
-- Thierry Carrez
References:
Kernels and GLSAs
-- Calum
Re: Kernels and GLSAs
-- Brian G. Peterson
Re: Kernels and GLSAs
-- Thierry Carrez
Navigation:
Lists: gentoo-security: < Prev By Thread Next > < Prev By Date Next >
Previous by thread:
Re: Kernels and GLSAs
Next by thread:
Re: Kernels and GLSAs
Previous by date:
Re: Kernels and GLSAs
Next by date:
Re: Kernels and GLSAs


Updated Jun 17, 2009

Summary: Archive of the gentoo-security mailing list.

Donate to support our development efforts.

Copyright 2001-2013 Gentoo Foundation, Inc. Questions, Comments? Contact us.