List Archive: gentoo-security
Note: Due to technical difficulties, the Archives are currently not up to date.
provides an alternative service for most mailing lists.c.f. bug 424647
On Friday, August 26, 2011 07:06:35 PM Christian Kauhaus wrote:
> Am 26.08.2011 18:55, schrieb Alex Legler:
> > Compared to other distributions, our advisories have been rather
> > detailed with lots of manually researched information. I'm not sure if
> > we can keep up this very high standard with the limited manpower, but
> > we'll try our best.
> I see the point. I think it would be an achievement over the current
> situation (which is: no current GLSAs at all) to send out less detailed
> GLSAs. Even something short as: "$PACKAGE has vulnerabilities, they are
> fixed in $VERSION, for details see $CVE" would be immensely helpful.
> Is the any viable way to get it at least to this point? Probably the largest
> part of such a task could be automated. This would lift the burden from the
> security maintainers.
I agree on this.
I don't (yet) know enough to actually help in this. I tend to follow
advisories and try to keep my machines as much up-to-date as possible.
More brief GSLAs like what Christian mentioned are, for the majority,
sufficient. If someone really needs more information, there is always google.
Maybe only list if it's a "local-only" exploit, eg. if local shell-access
needs to be available already, or if it's also usable to abuse from remote.
The latter being more troublesome as there are no valid user-accounts on my
server and I trust all my users (me and my wife).