Gentoo Logo
Gentoo Spaceship




Note: Due to technical difficulties, the Archives are currently not up to date. GMANE provides an alternative service for most mailing lists.
c.f. bug 424647
List Archive: gentoo-security
Navigation:
Lists: gentoo-security: < Prev By Thread Next > < Prev By Date Next >
Headers:
To: gentoo-security@g.o
From: "Daniel A. Avelino" <daavelino@...>
Subject: Re: No GLSA since January?!?
Date: Fri, 26 Aug 2011 20:38:50 -0300
But Alex, this could be a great improvement in system at all. This can
help administrators to measure better its systems, and may be "force"
developers to solve issues faster.

What do you think?


Daniel

On 8/26/11, Alex Legler <a3li@g.o> wrote:
> On Friday 26 August 2011 16:02:56 Kevin Bryan wrote:
>> I was not considering the entire process, just the part that really
>> impacts me: identifying vulnerable and patched packages.  Full
>> advisories are nice, but really what I want to know is when I need to
>> update a particular package.
>>
>> You are right that marking the packages that contain fixes doesn't
>> really scale because of increased baggage to carry forward.
>>
>> The problem I have with GLSA's is that they don't come out until after
>> the problem has been fixed.
>>
>> Perhaps it would be better to just have a system to label a particular
>> ebuild/version as vulnerable.  Maybe something closer to package.mask,
>> but for security would be appropriate.  With a package.security_mask,
>> you could have anyone on the security project update that file with
>> packages as soon as they know about it and while they are waiting on the
>> devs to fix it.  References/links/impact could be noted in the comments
>> above, as package.mask does now.
>>
>> As for interacting with 'emerge', I don't think we want the same
>> semantics as package.mask, since we don't want to force a downgrade (if
>> possible).  It should probably just warn when you ask it to install a
>> vulnerable version.  Upgrades to safe versions will be quiet that way.
>> The @security would contain packages with and without fixes so you get
>> warnings for things that remain vulnerable, and updates for things that
>> are fixed.
>>
>> Thoughts?
>
> I see this as an addition to sending advisories after fixing an issue, not
> as
> a solution to the issue at hand.
>
> --
> Alex Legler <a3li@g.o>
> Gentoo Security / Ruby


References:
No GLSA since January?!?
-- Christian Kauhaus
Re: No GLSA since January?!?
-- Alex Legler
Re: No GLSA since January?!?
-- Kevin Bryan
Re: No GLSA since January?!?
-- Alex Legler
Navigation:
Lists: gentoo-security: < Prev By Thread Next > < Prev By Date Next >
Previous by thread:
Re: No GLSA since January?!?
Next by thread:
Re: No GLSA since January?!?
Previous by date:
Re: No GLSA since January?!?
Next by date:
Re: No GLSA since January?!?


Updated May 10, 2012

Summary: Archive of the gentoo-security mailing list.

Donate to support our development efforts.

Copyright 2001-2013 Gentoo Foundation, Inc. Questions, Comments? Contact us.