On Mon, 9 Feb 2004, Roman Kennke wrote:

> Personally, I like the way it's done in NetBSD: There is a pkg called
> 'audit-packages', which has 2 tools: download-vulnerability-list, which
> does exactly that: download a current list (maintained by the NetBSD
> security team) of pkgs that are vulnerable (with version, of course), and
> a tool audit-packages, which checks all installed pkgs against this list.
> The clou is that this tool integrates with the build system (emerge in
> Gentoo), and regularly tells you about packages which would need a
> security update when you update/install a package. Include these tools
> in crontab, have the output of audit-packages sent to you, and you're
> somewhat safe about the packages on your system.

This sounds pretty good. If each report includes URLs to descriptions
of the problem (whether it's on the product's webpage, Gentoo's web
page, CERT, SANS, or any of the various other orgs tracking this sort of
thing, I don't care - I'd actually expect such a thing to mix and match
as appropriate), and if there is a way to mask by both package and bug,
then I'm not sure I could find many things to complain about on it.
Well, speed. I have a P1 166; I can always complain about speed.

(Some packages, such as dhcpcd, are currently installed because the
system chose to install them, and I haven't yet tracked the dependency
train to find out what requires them. But they're never used, so I
don't care about security holes in them (unless, of course, it's a local
privilege escalation exploiting setuid, except that none of them have
setuid.) But most of the time, I just happen to know that the big bad
bug in foo is one that doesn't afflict my configuration.)

Ed

--
gentoo-security@g.o mailing list
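As an added illustration of the audit-packages idea discussed in this thread (example code, not part of the thread and not NetBSD's or Gentoo's own tooling): a minimal audit that checks a snapshot of installed packages against a vulnerability list, reports the advisory URL for each hit, and supports masking by package name or by advisory URL as Ed asks for. The list format (one "pattern type url" line per entry, loosely modelled on NetBSD's pkg-vulnerabilities file), the package names, versions and URLs are all constructed assumptions.

```python
import re

# Constructed vulnerability list (assumed format: "<pkg><op><version> <type> <url>").
# Package names, version bounds and advisory URLs are made up for this example.
VULN_LIST = """\
# pkg-pattern     vulnerability-type    advisory-url
openssl<0.9.7c    remote-code-execution https://example.org/adv/1
dhcpcd<1.3.22     remote-root-shell     https://example.org/adv/2
gaim<0.75         buffer-overflow       https://example.org/adv/3
"""

# Constructed "installed packages" snapshot, name-version (no Gentoo -rN suffixes).
INSTALLED = ["openssl-0.9.7a", "dhcpcd-1.3.21", "gaim-0.75", "bash-2.05b"]

def parse_version(v):
    """'0.9.7a' -> comparable tuple; numbers sort before letter suffixes."""
    return tuple((0, int(p)) if p.isdigit() else (1, p)
                 for p in re.findall(r"\d+|[a-z]+", v))

def split_pkg(spec):
    """'openssl-0.9.7a' -> ('openssl', '0.9.7a')."""
    name, _, ver = spec.rpartition("-")
    return name, ver

def matches(pattern, name, version):
    """True if installed name/version satisfies a '<pkg><op><version>' pattern."""
    m = re.match(r"^([^<>=]+)(<=|<|>=|>|=)(.+)$", pattern)
    if not m or m.group(1) != name:
        return False
    op, bound, v = m.group(2), parse_version(m.group(3)), parse_version(version)
    return {"<": v < bound, "<=": v <= bound, ">": v > bound,
            ">=": v >= bound, "=": v == bound}[op]

def audit(vuln_list, installed, mask=()):
    """Return (package, version, type, url) for each match not masked.
    mask entries are package names or advisory URLs: mask by package or by bug."""
    findings = []
    for line in vuln_list.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        pattern, vtype, url = line.split()
        for spec in installed:
            name, ver = split_pkg(spec)
            if matches(pattern, name, ver) and name not in mask and url not in mask:
                findings.append((name, ver, vtype, url))
    return findings

if __name__ == "__main__":
    # dhcpcd is masked here, the way Ed would ignore an unused package.
    for name, ver, vtype, url in audit(VULN_LIST, INSTALLED, mask={"dhcpcd"}):
        print(f"{name}-{ver}: {vtype}, see {url}")
```

Run from cron and mail the output, and you get the "somewhat safe" setup Roman describes, with the URL per finding that Ed wants.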