Gentoo Archives: gentoo-security

From: Christian Kauhaus <kc@××××××.com>
To: gentoo-security@l.g.o
Subject: Re: [gentoo-security] No GLSA since January?!?
Date: Sat, 27 Aug 2011 08:50:58
In Reply to: Re: [gentoo-security] No GLSA since January?!? by Kevin Bryan
Am 26.08.2011 20:08, schrieb Kevin Bryan:
> SECURITY_FIXES="<www-plugins/adobe-flash-" > SECURITY_REF="CVE:2010-2169 http://..." > SECURITY_BUG="343089" > SECURITY_IMPACT="remote"
Your idea sounds interesting and could lead to very cool technology like the 'ACCEPT_RISKS="..."' variable mentioned elsewhere in this thread. But it does not solve a major part of the use case. In my opinion, we need to get notifications about security risks over an independent channel without having to update the portage tree. For me (and the rest of my company) the greatest advantage of Gentoo over other distributions it it's "continuous integration" approach. Updates get committed to the portage tree continuously over time and administrators are completely free on how often and when they update their systems. This is great. But given I have an installed base and I have no reason to update the portage tree now, I need a reliable information about "this package is borked". Then I should go for update as fast as possible of course. :-) So in consequence I would appreciate to have both mechanisms: a timely up-front notification via GLSAs (probably more brief than the past ones) and some sort of security masking. Regards Christian -- Dipl.-Inf. Christian Kauhaus <>< · kc@××××××.com · systems administration gocept gmbh & co. kg · forsterstraße 29 · 06112 halle (saale) · germany · tel +49 345 1229889 11 · fax +49 345 1229889 1 Zope and Plone consulting and development


Subject Author
Re: [gentoo-security] No GLSA since January?!? Rich Freeman <rich0@g.o>