From: "Daniel A. Avelino" <daavelino@gmail.com>
To: gentoo-security@lists.gentoo.org
Subject: Re: [gentoo-security] No GLSA since January?!?
Date: Fri, 26 Aug 2011 20:38:50 -0300 [thread overview]
Message-ID: <CAKdB2xEq3oc+0DJCMouwdirGfZMd8rVERFG2Fs8MEW98xfZYng@mail.gmail.com> (raw)
In-Reply-To: <3976476.Rt9yeGXjWz@neon>
But Alex, this could be a great improvement in system at all. This can
help administrators to measure better its systems, and may be "force"
developers to solve issues faster.
What do you think?
Daniel
On 8/26/11, Alex Legler <a3li@gentoo.org> wrote:
> On Friday 26 August 2011 16:02:56 Kevin Bryan wrote:
>> I was not considering the entire process, just the part that really
>> impacts me: identifying vulnerable and patched packages. Full
>> advisories are nice, but really what I want to know is when I need to
>> update a particular package.
>>
>> You are right that marking the packages that contain fixes doesn't
>> really scale because of increased baggage to carry forward.
>>
>> The problem I have with GLSA's is that they don't come out until after
>> the problem has been fixed.
>>
>> Perhaps it would be better to just have a system to label a particular
>> ebuild/version as vulnerable. Maybe something closer to package.mask,
>> but for security would be appropriate. With a package.security_mask,
>> you could have anyone on the security project update that file with
>> packages as soon as they know about it and while they are waiting on the
>> devs to fix it. References/links/impact could be noted in the comments
>> above, as package.mask does now.
>>
>> As for interacting with 'emerge', I don't think we want the same
>> semantics as package.mask, since we don't want to force a downgrade (if
>> possible). It should probably just warn when you ask it to install a
>> vulnerable version. Upgrades to safe versions will be quiet that way.
>> The @security would contain packages with and without fixes so you get
>> warnings for things that remain vulnerable, and updates for things that
>> are fixed.
>>
>> Thoughts?
>
> I see this as an addition to sending advisories after fixing an issue, not
> as
> a solution to the issue at hand.
>
> --
> Alex Legler <a3li@gentoo.org>
> Gentoo Security / Ruby
next prev parent reply other threads:[~2011-08-26 23:40 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-08-26 16:12 [gentoo-security] No GLSA since January?!? Christian Kauhaus
2011-08-26 16:43 ` Christoph Jasinski
2011-08-26 16:57 ` JD Horelick
2011-08-26 17:18 ` Daniel A. Avelino
2011-08-26 17:57 ` Alex Legler
2011-08-26 18:22 ` Daniel A. Avelino
2011-08-26 18:44 ` Alex Legler
2011-08-26 19:27 ` Daniel A. Avelino
2011-08-26 16:55 ` Alex Legler
2011-08-26 17:06 ` Christian Kauhaus
2011-08-26 18:00 ` Joost Roeleveld
2011-08-26 18:07 ` Alex Legler
2011-08-26 19:30 ` Joost Roeleveld
2011-08-26 18:08 ` Kevin Bryan
2011-08-26 18:40 ` Alex Legler
2011-08-26 20:02 ` Kevin Bryan
2011-08-26 20:40 ` Daniel A. Avelino
2011-08-26 22:27 ` Alex Legler
2011-08-26 23:38 ` Daniel A. Avelino [this message]
2011-08-26 18:41 ` Daniel A. Avelino
2011-08-27 8:49 ` Christian Kauhaus
2011-08-27 12:13 ` Rich Freeman
2011-08-27 12:34 ` Tobias Heinlein
2011-08-27 13:06 ` Rich Freeman
2011-08-27 13:34 ` Tobias Heinlein
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAKdB2xEq3oc+0DJCMouwdirGfZMd8rVERFG2Fs8MEW98xfZYng@mail.gmail.com \
--to=daavelino@gmail.com \
--cc=gentoo-security@lists.gentoo.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox