On Tuesday 20 September 2005 16:44, Thierry Carrez wrote:

> We used to do GLSAs about kernel issues but then we faced major
> problems. The main one was that we issue GLSAs when vulnerabilities are
> fixed in the tree, to tell people to upgrade to a fixed package. But if
> we wait until all kernel sources are fixed in Portage, the GLSA wasn't
> out for months after the vulnerability was disclosed. Secondary problems
> were due to the fact that kernel issues were piling up in the meantime,
> so when you do issue a GLSA, it didn't cover the recent vulnerabilities
> but just told about some that were fixed months ago. So we kept on
> pushing back the GLSA release date... It just wasn't a solution.

This is indeed a problem. But the user expects a single point of information
about vulnerabilities from a distribution - and he's absolutely right to do
so. KISS is fine, but only as an additional source. Please don't see the
following as flaming, but: if for some reason we can't fix kernel issues in
time, or at least not on all architectures, then it's probably better to send
out a GLSA saying that we drop these architectures security-wise or that we have
problems with fixing kernel vulnerabilities, noting them and asking people to
stop using distinct kernels, or Gentoo at all in the worst case, as long as we
cannot react in acceptable time.


Carsten