| 1 |
I agree, audit-packages is excellent. This is the approach i'd like to see |
| 2 |
Gentoo take. Easy to automate, simple, and effective. As you say, it's |
| 3 |
trivial to have a list of vulnerable installed packages mailed to you |
| 4 |
daily. |
| 5 |
|
| 6 |
NetBSD pkgsrc will actually not allow you to install a package with a |
| 7 |
known security problem. I believe this behaviour should be emulated in |
| 8 |
Gentoo emerge, controlled by a flag in make.conf so it can be |
| 9 |
disabled/enabled as required. Maybe USE="insecure". |
| 10 |
|
| 11 |
It would be even more effective in Gentoo than in NetBSD, as the entire |
| 12 |
Gentoo system is comprised of packages (ebuilds). The base NetBSD system |
| 13 |
is not examined by audit-packages, so if a remote root vuln is discovered |
| 14 |
in the base sendmail, audit-packages is not going to tell you. |
| 15 |
|
| 16 |
Downside of course is that someone has to build and maintain the |
| 17 |
vulnerablility list. |
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
> Personally, I like the way it's done in NetBSD: There is a pkg called |
| 22 |
> 'audit-packages', which has 2 tools: download-vulnerability-list, which |
| 23 |
> does exactly that: download a current list (maintained by the NetBSD |
| 24 |
> security team) of pkgs, that are vulnerable (with version of course), |
| 25 |
> and a tool audit-packages, which checks all installed pkgs against this |
| 26 |
> list. |
| 27 |
> The clou is, that this tool integrates with the build system (emerge in |
| 28 |
> Gentoo), and regularily tells you about packages which would need a |
| 29 |
> security update, when you update/install a package. Include these tools |
| 30 |
> in crontab, let yourself send the output of audit-packages and you're |
| 31 |
> somewhat safe about the packages on your system. |
| 32 |
|
| 33 |
-- |
| 34 |
gentoo-security@g.o mailing list |
Archives