Gentoo Archives: gentoo-dev

From: Walter Dnes <waltdnes@××××××××.org>
To: gentoo-dev@l.g.o
Subject: Re: [gentoo-dev] RFC: Pre-GLEP: Security Project
Date: Sun, 12 Mar 2017 06:20:35
Message-Id: 20170312061948.GA10019@waltdnes.org
In Reply to: [gentoo-dev] RFC: Pre-GLEP: Security Project by Kristian Fiskerstrand
- Typo...
  Additional Security Project bugzilla notes
  * The Security Project is except (should that read "exempt"?)

- An intermediate level before masking might be issuing a warning if
some simple, specific remediation measure can protect against a
vulnerability. E.g. forcing cups to only listen to 127.0.0.1 or :1

- If you want to absolutely ensure that people are warned of a severe,
but remediable vulnerability, is it acceptable to "break the build"
by requiring a new local USE flag for the ebuild? I'm thinking of
something like "glep_0001234", "glep_0001235", "glep_0001236", etc.,
and have the ebuild die if the flag is not set, and print out a URL
for a security problem. This could be abstracted to make.conf with
a new variable...

GLEP="0001234 0001235 0001236 etc etc"

This would probably be the last stage before masking. It would
deliberately break the build, and require the user/admin to take manual
action (add the flag for the GLEP) before proceeding further. This is
a heavy-handed method, but masking is more final.

--
Walter Dnes <waltdnes@××××××××.org>
I don't run "desktop environments"; I run useful applications
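As an added illustration of the make.conf variable idea sketched in the message above (this is not code from the message, from the Security Project, or from any Gentoo ebuild), the following POSIX shell models the ebuild-side check: a package carrying a known but remediable advisory refuses to build unless the admin has listed that advisory's identifier in the GLEP variable. The identifiers, the advisory URL pattern and the function names are assumptions made for the example; Portage's own helpers such as `die` are stood in for by plain functions so the script runs outside an ebuild.

```shell
#!/bin/sh
# Added example modelling the "acknowledge the advisory or the build dies"
# proposal. Not Gentoo code; all identifiers and URLs below are constructed.

# Hypothetical advisory URL prefix (assumption, not a real Gentoo URL scheme).
ADVISORY_BASE_URL="https://example.invalid/security/glep"

# glep_acknowledged ID
#   Returns 0 if ID appears as a whitespace-separated word in $GLEP
#   (the make.conf-style variable proposed in the message), 1 otherwise.
glep_acknowledged() {
    _id=$1
    for _word in $GLEP; do
        [ "$_word" = "$_id" ] && return 0
    done
    return 1
}

# require_glep_ack ID
#   Stand-in for the ebuild-side check: if the advisory has not been
#   acknowledged, print the advisory URL plus the remediation hint and
#   return 1 (an ebuild would call die here). Returns 0 when acknowledged.
require_glep_ack() {
    _id=$1
    if glep_acknowledged "$_id"; then
        return 0
    fi
    printf 'Security advisory %s not acknowledged; see %s/%s\n' \
        "$_id" "$ADVISORY_BASE_URL" "$_id" >&2
    printf 'Add "%s" to GLEP in make.conf once the remediation is in place.\n' \
        "$_id" >&2
    return 1
}

# check_all_advisories "ID1 ID2 ..."
#   Checks every advisory a package carries and returns the number of
#   unacknowledged ones, so a caller can stop once and list all of them
#   instead of failing on the first.
check_all_advisories() {
    _missing=0
    for _id in $1; do
        require_glep_ack "$_id" || _missing=$((_missing + 1))
    done
    return "$_missing"
}

# Demonstration with constructed values: two advisories acknowledged in
# make.conf, a package that carries three.
GLEP="0001234 0001235"
export GLEP
check_all_advisories "0001234 0001235 0001236" && rc=0 || rc=$?
echo "unacknowledged advisories: $rc"
```

Because the check keys on the advisory identifier rather than on the package, the same acknowledgement covers every ebuild affected by one advisory, and removing the identifier from GLEP later makes the build fail again if the remediation is rolled back.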

Replies: Re: [gentoo-dev] RFC: Pre-GLEP: Security Project, by Kristian Fiskerstrand <k_f@g.o>