Although I like having the summary information about what the
vulnerability is, if I'm only reading them for packages I have
installed, then a reference of some kind would suffice.

I'd be fine even if it was just a new variable in the .ebuild file that
somehow indicated which versions it was a fix for, reusing the syntax
for dependency checking. A reference to the CVE or gentoo bug reference
would be good, too:

SECURITY_FIXES="<www-plugins/adobe-flash-10.1.102.64"
SECURITY_REF="CVE:2010-2169 http://..."
SECURITY_BUG="343089"
SECURITY_IMPACT="remote"

Then most of the work the committer needs to do would be right there
in a file they are modifying anyway.

The portage @security set could also look for and evaluate these tags,
instead of parsing the GLSAs.

Note on the impact variable: make a few easy to understand tags:
local
remote
remote-user-assist
denial-of-service
...

--Kevin

On Fri, Aug 26, 2011 at 07:06:35PM +0200, Christian Kauhaus wrote:

> On 26.08.2011 18:55, Alex Legler wrote:
> > Compared to other distributions, our advisories have been rather detailed with
> > lots of manually researched information. I'm not sure if we can keep up this
> > very high standard with the limited manpower, but we'll try our best.
>
> I see the point. I think it would be an achievement over the current situation
> (which is: no current GLSAs at all) to send out less detailed GLSAs. Even
> something as short as: "$PACKAGE has vulnerabilities, they are fixed in $VERSION,
> for details see $CVE" would be immensely helpful.
>
> Is there any viable way to get it at least to this point? Probably the largest
> part of such a task could be automated. This would lift the burden from the
> security maintainers.
>
> Regards
>
> Christian
>
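As an added illustration (not code from Kevin's message, from portage, or from the GLSA tooling), here is a Python sketch of how an @security-style check could read the proposed SECURITY_* variables out of an ebuild and match SECURITY_FIXES, written in dependency-atom syntax, against installed packages. The ebuild fragment and installed-package list are constructed, the URL is a placeholder, and the version ordering is a simplified stand-in for portage's real comparison.

```python
import re
# Constructed ebuild fragment using the proposed SECURITY_* variables (not real portage syntax);
# the URL is a placeholder.
EBUILD = '''
SECURITY_FIXES="<www-plugins/adobe-flash-10.1.102.64"
SECURITY_REF="CVE:2010-2169 http://advisory.example.invalid/"
SECURITY_BUG="343089"
SECURITY_IMPACT="remote"
'''
# Constructed inventory of installed packages, as category/name-version.
INSTALLED = ["www-plugins/adobe-flash-10.1.85.3",
             "www-plugins/adobe-flash-10.1.102.64", "app-editors/vim-7.3"]
# Ordering of Gentoo version suffixes: _alpha < _beta < _pre < _rc < (none) < _p
SUFFIX_RANK = {"alpha": 0, "beta": 1, "pre": 2, "rc": 3, "": 4, "p": 5}
def parse_security_vars(ebuild_text):
    """Pull SECURITY_*="..." assignments out of an ebuild into a dict."""
    return dict(re.findall(r'^(SECURITY_\w+)="([^"]*)"', ebuild_text, re.M))

def version_key(ver):
    """Simplified stand-in for portage's version ordering (an assumption, not
    portage's code): numeric parts, optional letter, _suffixes, -rN revision."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)([a-z]?)((?:_(?:alpha|beta|pre|rc|p)\d*)*)(?:-r(\d+))?", ver)
    if not m:
        raise ValueError(f"unsupported version: {ver}")
    nums = tuple(int(n) for n in m.group(1).split("."))
    sufs = [(SUFFIX_RANK[s], int(n or 0)) for s, n in re.findall(r"_(alpha|beta|pre|rc|p)(\d*)", m.group(3))]
    return (nums, m.group(2), tuple(sufs or [(SUFFIX_RANK[""], 0)]), int(m.group(4) or 0))

def split_cpv(cpv):
    """Split category/name-version at the first '-' that is followed by a digit."""
    m = re.fullmatch(r"(.+?)-(\d[^-]*(?:-r\d+)?)", cpv)
    if not m:
        raise ValueError(f"not a cpv: {cpv}")
    return m.group(1), m.group(2)

def atom_matches(atom, cpv):
    """Does a dependency-style atom (<, <=, >, >=, = or bare) match an installed cpv?"""
    op, rest = re.fullmatch(r"(<=|>=|<|>|=)?(.+)", atom).groups()
    cp, ver = split_cpv(rest)
    icp, iver = split_cpv(cpv)
    if icp != cp:
        return False
    k, ik = version_key(ver), version_key(iver)
    return {"<": ik < k, "<=": ik <= k, ">": ik > k, ">=": ik >= k}.get(op, ik == k)

def affected_packages(ebuild_text, installed):
    """Installed cpvs inside SECURITY_FIXES, reported with the other SECURITY_* tags."""
    v = parse_security_vars(ebuild_text)
    hits = [c for c in installed if any(atom_matches(a, c) for a in v["SECURITY_FIXES"].split())]
    return [f"{c}: {v['SECURITY_IMPACT']} impact, bug {v['SECURITY_BUG']}, ref {v['SECURITY_REF']}" for c in hits]
```

Calling affected_packages(EBUILD, INSTALLED) flags only the older adobe-flash install, since 10.1.102.64 itself is not below the fixed version and vim is a different package.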