| 1 |
On Tuesday 20 September 2005 06:09 am, Calum wrote: |
| 2 |
> I prefer the idea that tracking one source (GLSAs) would provide me with |
| 3 |
> all the information I needed to keep my Gentoo boxes secure, but if we |
| 4 |
> were all to change to a new system, perhaps the kernel GLSAs should have |
| 5 |
> overlapped with this new system until it was in, tested, and adopted? |
| 6 |
|
| 7 |
While I think that kernels do need additional information to be supplied about |
| 8 |
a potential security hole (kernel security problems often occur in a module |
| 9 |
that many people may not use), I agree that kernel vulnerabilities should be |
| 10 |
published as GLSAs. |
| 11 |
|
| 12 |
I subscribe to the GLSA RSS feed, and scan that feed manually against my |
| 13 |
installed software list. The glsa-check tool is basically useless (as of |
| 14 |
gentoolkit-0.2.1_pre7), as it shows all GLSAs rather than just GLSAs for |
| 15 |
tools that correspond to packages installed on the system it is run on. |
| 16 |
|
| 17 |
This document here: |
| 18 |
http://www.gentoo.org/proj/en/portage/glsa-integration.xml |
| 19 |
talks about including glsa support directly in portage, which I think is the |
| 20 |
right idea. It mentions kerlnels as covered by glsa-check. |
| 21 |
|
| 22 |
In the end, I will be happy with any tool (preferably emerge and/or equery) |
| 23 |
that can check a running system's installed packages and tell me what GLSAs |
| 24 |
apply to that system. |
| 25 |
|
| 26 |
Regards, |
| 27 |
|
| 28 |
- Brian |
| 29 |
|
| 30 |
-- |
| 31 |
gentoo-security@g.o mailing list |
Archives