| 1 |
On Tuesday 20 September 2005 16:44, Thierry Carrez wrote: |
| 2 |
> We used to do GLSAs about kernel issues but then we faced major |
| 3 |
> problems. The main one was that we issue GLSAs when vulnerabilities are |
| 4 |
> fixed in the tree, to tell people to upgrade to a fixed package. But if |
| 5 |
> we wait until all kernel sources are fixed in Portage, the GLSA wasn't |
| 6 |
> out for months after the vulnerability was disclosed. Secondary problems |
| 7 |
> were due to the fact that kernel issues were piling up in the meantime, |
| 8 |
> so when you do issue a GLSA, it didn't cover the recent vulnerabilities |
| 9 |
> but just told about some that were fixed months ago. So we kept on |
| 10 |
> pushing back the GLSA release date... It just wasn't a solution. |
| 11 |
|
| 12 |
This is indeed a problem. But the user expects a single point of information |
| 13 |
about vulnerabilities from a distribution - and he's absolutely right to do |
| 14 |
so. KISS is fine, but only as additional source. Please don't see the |
| 15 |
following as flaming, but: So for some reason we can't fix kernel issues in |
| 16 |
time or at least not on all architectures - then it's probably better to send |
| 17 |
out a GLSA that we drop these architectures security-wise or that we have |
| 18 |
problems with fixing kernel vulnerabilities, noting them and ask people to |
| 19 |
stop using distinct kernels or Gentoo at all in the worst case as long as we |
| 20 |
cannot react in acceptabe time. |
| 21 |
|
| 22 |
|
| 23 |
Carsten |
Archives