I agree, audit-packages is excellent. This is the approach I'd like to see
Gentoo take. Easy to automate, simple, and effective. As you say, it's
trivial to have a list of vulnerable installed packages mailed to you
daily.

NetBSD pkgsrc will actually not allow you to install a package with a
known security problem. I believe this behaviour should be emulated in
Gentoo emerge, controlled by a flag in make.conf so it can be
disabled/enabled as required. Maybe USE="insecure".

It would be even more effective in Gentoo than in NetBSD, as the entire
Gentoo system is comprised of packages (ebuilds). The base NetBSD system
is not examined by audit-packages, so if a remote root vuln is discovered
in the base sendmail, audit-packages is not going to tell you.

Downside of course is that someone has to build and maintain the
vulnerability list.


> Personally, I like the way it's done in NetBSD: There is a pkg called
> 'audit-packages', which has 2 tools: download-vulnerability-list, which
> does exactly that: download a current list (maintained by the NetBSD
> security team) of pkgs that are vulnerable (with version of course),
> and a tool audit-packages, which checks all installed pkgs against this
> list.
> The clou is that this tool integrates with the build system (emerge in
> Gentoo), and regularly tells you about packages which would need a
> security update, when you update/install a package. Include these tools
> in crontab, let yourself send the output of audit-packages and you're
> somewhat safe about the packages on your system.

--
gentoo-security@g.o mailing list
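As an added example (not code from the post, from pkgsrc or from Gentoo), a simplified Python re-implementation of the audit-packages check described in the quoted text, plus the install-time gate proposed in the reply. The vulnerability list, the installed-package list, the URLs and the `allow_insecure` switch are all constructed here; pkgsrc's real pattern syntax and version ordering are richer than this.

```python
import operator, re

# Constructed sample in the shape of pkgsrc's pkg-vulnerabilities file
# ("<package-pattern> <type-of-exploit> <advisory-URL>"); not the real list.
VULN_LIST = """\
sendmail<8.12.9 remote-root-shell https://example.invalid/sendmail
openssl<0.9.6j remote-code-execution https://example.invalid/openssl
apache>=2.0<2.0.46 denial-of-service https://example.invalid/apache
"""
# Constructed installed-package list (what pkg_info would enumerate).
INSTALLED = ["sendmail-8.12.6", "openssl-0.9.7b", "apache-2.0.44", "gzip-1.3.5"]
PATTERN_RE = re.compile(r"^([A-Za-z0-9_+.-]+?)((?:[<>=]=?[0-9][^<>=]*)+)$")
COND_RE = re.compile(r"([<>=]=?)([^<>=]+)")
OPS = {"<": operator.lt, "<=": operator.le, ">": operator.gt, ">=": operator.ge, "=": operator.eq}

def vkey(version):
    """Simplified dewey key: numbers as ints, letters as strings (0.9.6j < 0.9.7b, 2.0 < 2.0.44)."""
    return [(0, int(p)) if p.isdigit() else (1, p) for p in re.findall(r"\d+|[A-Za-z]+", version)]

def parse_vuln_list(text):
    """Parse list lines into (name, [(op, version), ...], exploit_type, url); '#' lines are comments."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pattern, exploit, url = line.split(None, 2)
        m = PATTERN_RE.match(pattern)
        if not m:
            raise ValueError(f"unsupported pattern: {pattern}")
        entries.append((m.group(1), COND_RE.findall(m.group(2)), exploit, url))
    return entries

def matches(entry, pkg):
    """True if installed 'name-version' has the entry's name and satisfies every version condition."""
    name, conds, _, _ = entry
    m = re.match(r"^(.+)-(\d.*)$", pkg)
    if not m or m.group(1) != name:
        return False
    installed = vkey(m.group(2))
    return all(OPS[op](installed, vkey(ver)) for op, ver in conds)

def audit(installed, vuln_text=VULN_LIST):
    """The audit-packages step: (pkg, exploit_type, url) for every installed package on the list."""
    entries = parse_vuln_list(vuln_text)
    return [(pkg, e[2], e[3]) for pkg in installed for e in entries if matches(e, pkg)]

def may_install(pkg, allow_insecure=False, vuln_text=VULN_LIST):
    """Install-time gate proposed in the thread: refuse a listed package unless the assumed 'insecure' switch is on."""
    return allow_insecure or not audit([pkg], vuln_text)
```

Running `audit(INSTALLED)` on the sample data flags sendmail-8.12.6 and apache-2.0.44 and leaves openssl-0.9.7b and gzip alone, which is the daily report the post describes; `may_install` is the emerge-side refusal with its override.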