Gentoo Archives: gentoo-security

From: Calum <caluml@×××××.com>
To: gentoo-security@l.g.o
Subject: Re: [gentoo-security] Kernel Security + KISS
Date: Sun, 17 Feb 2008 00:43:52
In Reply to: [gentoo-security] Kernel Security + KISS by Casey Link
On Feb 16, 2008 10:57 PM, Casey Link <unnamedrambler@×××××.com> wrote:
> After reading the tangent topic in bug id 209460 concerning kernel > vulnerabilities and GLSAs I did some searching and > came across the "Kernels and GLSAs" thread from awhile ago.
And here's another one: I started this one, and share the same views as then. It might be boring work, (and no, I can't do it - I'm just a user of Gentoo), but it's just strange to leave out the core on which all other packages utilise, and depend on. Perhaps a compromise could be reached: Only serious vulnerabilities, in defaultly/commonly/always used parts of the kernel, causing local, or remote root escalations would be notified? Ddos in raid-xyz.o on MIPS only in 2.6.16-rc2-mm-test - doesn't matter. local root in splice.c on x86/amd64 affecting 95% of kernel users - does matter. In fact, I'd prefer that to the old create-a-GLSA-for-every-kernel-problem solution. Anyway, it's late, and I'm tired, and I'm not detracting from the great job the security team do (and especially the Hardened guys), but it's nice to have just a one-stop-shop to know if you're running secure versions of things. (*Yes, having sources-x.y.z installed doesn't mean that you're running it, but at least it'll force you to install the sources to stop glsa-check from bitchin' :) - and then, well, if you don't compile, build, and run it, well, that's your own fault. ) C -- -- gentoo-security@l.g.o mailing list