On Tue, 20 Sep 2005 07:16:36 -0500
"Brian G. Peterson" <brian@...> wrote:

> On Tuesday 20 September 2005 06:09 am, Calum wrote:
> > I prefer the idea that tracking one source (GLSAs) would provide me
> > with all the information I needed to keep my Gentoo boxes secure,
> > but if we were all to change to a new system, perhaps the kernel
> > GLSAs should have overlapped with this new system until it was in,
> > tested, and adopted?
> 
> While I think that kernels do need additional information to be
> supplied about a potential security hole (kernel security problems
> often occur in a module that many people may not use),  I agree that
> kernel vulnerabilities should be published as GLSAs.  
> 
> I subscribe to the GLSA RSS feed, and scan that feed manually against
> my installed software list.  The glsa-check tool is basically useless
> (as of gentoolkit-0.2.1_pre7), as it shows all GLSAs rather than just
> GLSAs for tools that correspond to packages installed on the system
> it is run on.

Can you explain this a bit more? glsa-check hasn't actually changed for
a long time. Also make sure you don't confuse the --list option with
the --test option.

Marius

-- 
Public Key at http://www.genone.de/info/gpg-key.pub

In the beginning, there was nothing. And God said, 'Let there be
Light.' And there was still nothing, but you could see a bit better.