Gentoo Archives: gentoo-security

From: Thierry Carrez <koon@g.o>
To: gentoo-security@l.g.o
Subject: Re: [gentoo-security] Kernels and GLSAs
Date: Tue, 20 Sep 2005 16:20:08
In Reply to: Re: [gentoo-security] Kernels and GLSAs by Carsten Lohrke
Carsten Lohrke wrote:

> This is indeed a problem. But the user expects a single point of information
> about vulnerabilities from a distribution - and he's absolutely right to do
> so.
No, the user expects a single information channel. If we release Kernel alerts (GLKAs) in the same media as GLSAs (gentoo-announce, forums and RSS feed) he will get both. We can even name them "GLSAs" if that makes you feel better. They just won't have the same contents and won't be used by the same tools (see my explanation about glsa-check dealing with installed packages rather than with currently used kernel).
> KISS is fine, but only as additional source. Please don't see the
> following as flaming, but: So for some reason we can't fix kernel issues in
> time or at least not on all architectures - then it's probably better to send
> out a GLSA that we drop these architectures security-wise or that we have
> problems with fixing kernel vulnerabilities, noting them and ask people to
> stop using distinct kernels or Gentoo at all in the worst case as long as we
> cannot react in acceptable time.
Thing is, we can't fix all kernel issues in time for *any* source. By listing vulnerabilities rather than fixes, we:

1- give accurate information about kernel security status to our users, better than any distribution
2- show which sources get fixed and which don't, creating emulation between kernel source maintainers
3- leave the choice to the user as to when he wants to upgrade his kernel, rather than force him to upgrade every week for some Local DoS that doesn't even affect him.

We tried the old system, it just doesn't work. It may be a manpower or an organization thing, so you're free to come and take kernel security into your own hands if you feel you can do better than us. Kernel security is even more difficult to handle than Portage security: you will see that you don't get much user support (they don't enter bugs about kernel vulnerabilities at all) and will have to deal with reluctant kernel maintainers (they batch patches to keep the work manageable, and rightly so).

How do other distributions fix this? Debian doesn't do much kernel DSAs, Ubuntu/RedHat issue a kernel per month and have a dedicated (paid) one-source kernel security team. We chose to keep Gentoo choices (multiple sources with security information on them), innovate and propose more information to our users. Just wait and see how it works rather than saying it's insufficient.

-- 
Koon

-- 
gentoo-security@g.o mailing list


Subject Author
Re: [gentoo-security] Kernels and GLSAs Carsten Lohrke <carlo@g.o>