Note: Due to technical difficulties, the Archives are currently not up to date.
GMANE provides an alternative service for most mailing lists. c.f. bug 424647
On Tuesday 20 September 2005 06:09 am, Calum wrote:
> I prefer the idea that tracking one source (GLSAs) would provide me with
> all the information I needed to keep my Gentoo boxes secure, but if we
> were all to change to a new system, perhaps the kernel GLSAs should have
> overlapped with this new system until it was in, tested, and adopted?
While I think that kernels do need additional information to be supplied about
a potential security hole (kernel security problems often occur in a module
that many people may not use), I agree that kernel vulnerabilities should be
published as GLSAs.
I subscribe to the GLSA RSS feed, and scan that feed manually against my
installed software list. The glsa-check tool is basically useless (as of
gentoolkit-0.2.1_pre7), as it shows all GLSAs rather than just GLSAs for
tools that correspond to packages installed on the system it is run on.
This document here:
http://www.gentoo.org/proj/en/portage/glsa-integration.xml
talks about including glsa support directly in portage, which I think is the
right idea. It mentions kerlnels as covered by glsa-check.
In the end, I will be happy with any tool (preferably emerge and/or equery)
that can check a running system's installed packages and tell me what GLSAs
apply to that system.
Regards,
- Brian
--
gentoo-security@g.o mailing list
|
|
