| 1 |
On Mon, 9 Feb 2004, Roman Kennke wrote: |
| 2 |
|
| 3 |
> Personally, I like the way it's done in NetBSD: There is a pkg called |
| 4 |
> 'audit-packages', which has 2 tools: download-vulnerability-list, which |
| 5 |
> does exactly that: download a current list (maintained by the NetBSD |
| 6 |
> security team) of pkgs, that are vulnerable (with version of course), and |
| 7 |
> a tool audit-packages, which checks all installed pkgs against this list. |
| 8 |
> The clou is, that this tool integrates with the build system (emerge in |
| 9 |
> Gentoo), and regularily tells you about packages which would need a |
| 10 |
> security update, when you update/install a package. Include these tools |
| 11 |
> in crontab, let yourself send the output of audit-packages and you're |
| 12 |
> somewhat safe about the packages on your system. |
| 13 |
|
| 14 |
This sounds pretty good. If each report includes URLs to descriptions |
| 15 |
of the problem (whether it's on the product's webpage, Gentoo's web |
| 16 |
page, CERT, SANS, or any of the various other orgs tracking this sort of |
| 17 |
thing, I don't care - I'd actually expect such a thing to mix and match |
| 18 |
as appropriate), and if there is a way to mask by both package and bug, |
| 19 |
then I'm not sure I could find many things to complain about on it. |
| 20 |
Well, speed. I have a P1 166; I can always complain about speed. |
| 21 |
|
| 22 |
(Some packages, such as dhcpcd, are currently installed because the |
| 23 |
system chose to install them, and I haven't yet tracked the dependency |
| 24 |
train to find out what requires them. But they're never used, so I |
| 25 |
don't care about security holes in them (unless, of course, it's a local |
| 26 |
priviledge escalation exploiting setuid, except that none of them have |
| 27 |
setuid.) But most of the time, I just happen to know that the big bad |
| 28 |
bug in foo is one that doesn't afflict my configuration.) |
| 29 |
|
| 30 |
Ed |
| 31 |
|
| 32 |
-- |
| 33 |
gentoo-security@g.o mailing list |
Archives