List Archive: gentoo-security
Carsten Lohrke wrote:
> This is indeed a problem. But the user expects a single point of information
> about vulnerabilities from a distribution - and he's absolutely right to do
No, the user expects a single information channel. If we release Kernel
alerts (GLKAs) in the same media as GLSAs (gentoo-announce, forums and
RSS feed) he will get both. We can even name them "GLSAs" if that makes
you feel better. They just won't have the same contents and won't be
used by the same tools (see my explanation about glsa-check dealing with
installed packages rather than with currently used kernel).
> KISS is fine, but only as additional source. Please don't see the
> following as flaming, but: So for some reason we can't fix kernel issues in
> time or at least not on all architectures - then it's probably better to send
> out a GLSA that we drop these architectures security-wise or that we have
> problems with fixing kernel vulnerabilities, noting them and ask people to
> stop using distinct kernels or Gentoo at all in the worst case as long as we
> cannot react in acceptable time.
Thing is, we can't fix all kernel issues in time for *any* source. By
listing vulnerabilities rather than fixes, we:
1- give accurate information about kernel security status to our users,
better than any distribution
2- show which sources get fixed and which don't, creating emulation
between kernel source maintainers
3- leave the choice to the user as to when he wants to upgrade his
kernel, rather than force him to upgrade every week for some Local DoS
that doesn't even affect him.
We tried the old system, it just doesn't work. It may be a manpower or
an organization thing, so you're free to come and take kernel security
into your own hands if you feel you can do better than us. Kernel
security is even more difficult to handle than Portage security: you
will see that you don't get much user support (they don't enter bugs
about kernel vulnerabilities at all) and will have to deal with
reluctant kernel maintainers (they batch patches to keep the work
manageable, and rightly so).
How do other distributions fix this? Debian doesn't do much kernel
DSAs, Ubuntu/RedHat issue a kernel per month and have a dedicated (paid)
one-source kernel security team. We chose to keep Gentoo choices
(multiple sources with security information on them), innovate and
propose more information to our users.
Just wait and see how it works rather than saying it's insufficient.
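The distinction the reply draws, that glsa-check looks at installed packages while a kernel alert has to be judged against the kernel that is actually running, is easy to see in code. The following is an added example written for this archive page, not a tool from the thread or from Gentoo: the alert ids, versions, impact strings and the mapping from a `uname -r` suffix such as `-gentoo` to a source package are all constructed assumptions, and the alert entries carry a `fixed` flag so that a vulnerability can be listed before any fixed version exists, which is the model the reply argues for.

```python
"""Added example (not from the gentoo-security thread): a package-based check
versus a running-kernel check against a list of kernel alerts.
All alert ids, versions and the uname-suffix mapping are constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class KernelAlert:
    alert_id: str        # constructed sample id, not a real advisory number
    source: str          # kernel source package the alert applies to
    affected_below: str  # versions strictly below this one are affected
    fixed: bool          # False: vulnerability listed, no fixed version yet
    impact: str


# Constructed sample alerts; "GLKA-SAMPLE-02" is listed without a fix.
SAMPLE_ALERTS: List[KernelAlert] = [
    KernelAlert("GLKA-SAMPLE-01", "gentoo-sources", "2.6.11-r4", True, "local DoS"),
    KernelAlert("GLKA-SAMPLE-02", "gentoo-sources", "2.6.12", False, "local privilege escalation"),
    KernelAlert("GLKA-SAMPLE-03", "vanilla-sources", "2.6.11", True, "remote DoS"),
]

# Matches "2.6.11", "2.6.11-r4" and "2.6.11-gentoo-r4":
# group 1 = numeric version, group 2 = local suffix, group 3 = -rN revision.
_VER_RE = re.compile(r"^(\d+(?:\.\d+)+)(?:-([a-z]+))?(?:-r(\d+))?$")


def parse_version(ver: str) -> Tuple[Tuple[int, ...], int]:
    """'2.6.11-r4' or '2.6.11-gentoo-r4' -> ((2, 6, 11), 4); revision defaults to 0."""
    m = _VER_RE.match(ver)
    if not m:
        raise ValueError(f"unrecognised version string: {ver!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    rev = int(m.group(3)) if m.group(3) else 0
    return nums, rev


def split_release(release: str) -> Tuple[str, str]:
    """Map a `uname -r` string to (source package, package-style version).
    ASSUMPTION for this example: a '-gentoo' suffix means gentoo-sources and
    no suffix means vanilla-sources; real systems may differ."""
    m = _VER_RE.match(release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    source = "vanilla-sources" if m.group(2) is None else f"{m.group(2)}-sources"
    version = m.group(1) + (f"-r{m.group(3)}" if m.group(3) else "")
    return source, version


def alerts_for(source: str, version: str, alerts=SAMPLE_ALERTS) -> List[KernelAlert]:
    """Alerts whose source matches and whose ceiling lies above the version."""
    v = parse_version(version)
    return [a for a in alerts
            if a.source == source and v < parse_version(a.affected_below)]


def installed_package_check(installed: Dict[str, str]) -> List[str]:
    """What a package-based checker sees: the installed kernel source versions."""
    hits: List[str] = []
    for pkg, ver in installed.items():
        hits.extend(a.alert_id for a in alerts_for(pkg, ver))
    return hits


def running_kernel_check(release: str) -> List[str]:
    """What a kernel-alert checker must look at: the kernel actually booted."""
    source, version = split_release(release)
    return [a.alert_id for a in alerts_for(source, version)]


def unfixed_alerts(release: str) -> List[str]:
    """Alerts hitting the running kernel for which no fixed version exists yet,
    i.e. the case where a user can only be informed, not told to upgrade."""
    source, version = split_release(release)
    return [a.alert_id for a in alerts_for(source, version) if not a.fixed]


if __name__ == "__main__":
    # Constructed scenario: a newer gentoo-sources was emerged but the machine
    # was never rebooted, so the package check is clean and the kernel is not.
    installed = {"gentoo-sources": "2.6.12"}
    running = "2.6.11-gentoo-r3"
    print("package-based check:", installed_package_check(installed))
    print("running-kernel check:", running_kernel_check(running))
    print("listed but unfixed:", unfixed_alerts(running))
```

In the scenario in `__main__` the package-based check returns nothing while the running-kernel check flags both gentoo-sources alerts, one of which has no fixed version at all; that gap between "installed" and "booted" is why the reply treats kernel alerts as a different kind of information from a GLSA that glsa-check can act on.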