Gentoo Archives: gentoo-security

From: Joost Roeleveld <joost@××××××××.org>
To: gentoo-security@l.g.o
Subject: Re: [gentoo-security] No GLSA since January?!?
Date: Fri, 26 Aug 2011 18:01:54
Message-Id: 5519292.VcjCzOvo5r@eve
In Reply to: Re: [gentoo-security] No GLSA since January?!? by Christian Kauhaus
1 On Friday, August 26, 2011 07:06:35 PM Christian Kauhaus wrote:
2 > Am 26.08.2011 18:55, schrieb Alex Legler:
3 > > Compared to other distributions, our advisories have been rather
4 > > detailed with lots of manually researched information. I'm not sure if
5 > > we can keep up this very high standard with the limited manpower, but
6 > > we'll try our best.
7 > I see the point. I think it would be an achievement over the current
8 > situation (which is: no current GLSAs at all) to send out less detailed
9 > GLSAs. Even something short as: "$PACKAGE has vulnerabilities, they are
10 > fixed in $VERSION, for details see $CVE" would be immensely helpful.
11 >
12 > Is the any viable way to get it at least to this point? Probably the largest
13 > part of such a task could be automated. This would lift the burden from the
14 > security maintainers.
16 I agree on this.
17 I don't (yet) know enough to actually help in this. I tend to follow
18 advisories and try to keep my machines as much up-to-date as possible.
20 More brief GSLAs like what Christian mentioned are, for the majority,
21 sufficient. If someone really needs more information, there is always google.
23 Maybe only list if it's a "local-only" exploit, eg. if local shell-access
24 needs to be available already, or if it's also usable to abuse from remote.
25 The latter being more troublesome as there are no valid user-accounts on my
26 server and I trust all my users (me and my wife).
28 --
29 Joost


Subject Author
Re: [gentoo-security] No GLSA since January?!? Alex Legler <a3li@g.o>