Gentoo Archives: gentoo-security

From: Joost Roeleveld <joost@××××××××.org>
To: gentoo-security@l.g.o
Subject: Re: [gentoo-security] No GLSA since January?!?
Date: Fri, 26 Aug 2011 18:01:54
Message-Id: 5519292.VcjCzOvo5r@eve
In Reply to: Re: [gentoo-security] No GLSA since January?!? by Christian Kauhaus
On Friday, August 26, 2011 07:06:35 PM Christian Kauhaus wrote:
> On 26.08.2011 18:55, Alex Legler wrote:
> > Compared to other distributions, our advisories have been rather
> > detailed with lots of manually researched information. I'm not sure if
> > we can keep up this very high standard with the limited manpower, but
> > we'll try our best.
>
> I see the point. I think it would be an achievement over the current
> situation (which is: no current GLSAs at all) to send out less detailed
> GLSAs. Even something as short as: "$PACKAGE has vulnerabilities, they are
> fixed in $VERSION, for details see $CVE" would be immensely helpful.
>
> Is there any viable way to get it at least to this point? Probably the largest
> part of such a task could be automated. This would lift the burden from the
> security maintainers.

I agree on this. I don't (yet) know enough to actually help in this. I tend to follow advisories and try to keep my machines as much up-to-date as possible.

More brief GLSAs like what Christian mentioned are, for the majority, sufficient. If someone really needs more information, there is always Google.

Maybe only list if it's a "local-only" exploit, e.g. if local shell access needs to be available already, or if it's also usable to abuse from remote. The latter being more troublesome as there are no valid user accounts on my server and I trust all my users (me and my wife).

--
Joost

