Gentoo Archives: gentoo-security

From: Sune Kloppenborg Jeppesen <jaervosz@g.o>
To: gentoo-security@l.g.o
Subject: Re: [gentoo-security] Days of yore
Date: Mon, 16 Apr 2007 18:38:57
In Reply to: Re: [gentoo-security] Days of yore by Calum
Hi Calum,

On Monday 16 April 2007 19:09, Calum wrote:
> Yep, It sounds like it might have been promising. However, who on > earth thought it would be a good idea to remove the functioning kernel > security alert system **before** the replacement was written, working, > heavily tested, and all the users given 12 months of notice? > (The obvious method of notification would have been to create a fake > GLSA for glsa-check.)
I'm not proud of the situation either, but it's not going to magically give me the time/skills to actually do this stuff. I agree that it has been mishandled, but given my timerestraints I simply can only wait for a good recruit to appear. I agree that policy should be updated to reflect this but that got bogged down by other issues last I tried. I'll try again.
> > This started out as a small > > problem that we thought would be temporary but has sadly turned kind of > > permanent without us informing users properly. > > This is why, when people ask me if they can "temporarily" do things in > my lab, I say no. > Temporarily often has a habit of not being.
Volunteer projects unfortunately doesn't work the way normal paid work does. If someone is willing to actually sponsor kernel GLSAs I'm sure someone will step up:-)
> Could we just get GLSAs going again for some of the most common > sources for now then? Say gentoo, and hardened? x86, and AMD? > Or some virtual ebuild that requires certain versions of kernels to be > installed, that can be updated via Portage from time to time. > Then you could script emerge -pv sys-kernel/secure-kernel-source, and > when it said it would need to install hardened-sources 2.6.26, you'd > know that there must have been a bug in <2.4.26.
I would gladly see that happen, but I guess you have to talk to hlieberman from security or some of the kernel maintainers (which are understaffed as well as far as I undestand it). Or wait for others to reply. If someone is willing to take the time to actually draft the GLSAs I'd be happy to send/review. -- Sune Kloppenborg Jeppesen Gentoo Linux Security Team


Subject Author
Re: [gentoo-security] Days of yore "C. Bergström" <cbergstrom@×××××××××.com>
Re: [gentoo-security] Days of yore Sune Kloppenborg Jeppesen <jaervosz@g.o>