Gentoo Archives: gentoo-security

From: Calum <caluml@×××××.com>
To: gentoo-security@l.g.o
Subject: Re: [gentoo-security] Days of yore
Date: Mon, 16 Apr 2007 17:19:25
In Reply to: Re: [gentoo-security] Days of yore by Marius Mauch
On 4/16/07, Marius Mauch <genone@g.o> wrote:
> > Not directly related, but you might be interested in the "affected" > target or the --mail option of glsa-check.
I am interested in that - but I don't think those options were there when I started putting those cronjobs on my servers many moons ago. Thanks though - I'll investigate. Sune:
> emerge gentoo-sources won't magically fix your > machine and besides not everyone want to upgrade their kernel for every > small issue.
Nope, of course. But those of us that used the GLSAs as a one-stop package security report were hung out to dry. (Talk about cold sweat when I found out....)
>That's why plasmaroo wrote KISS, sadly he left before it went > public and now we waiting for another tool for kernel issues. It's not even on > the horizon yet (at least not to my knowledge).
Yep, It sounds like it might have been promising. However, who on earth thought it would be a good idea to remove the functioning kernel security alert system **before** the replacement was written, working, heavily tested, and all the users given 12 months of notice? (The obvious method of notification would have been to create a fake GLSA for glsa-check.)
> This started out as a small > problem that we thought would be temporary but has sadly turned kind of > permanent without us informing users properly.
This is why, when people ask me if they can "temporarily" do things in my lab, I say no. Temporarily often has a habit of not being. Could we just get GLSAs going again for some of the most common sources for now then? Say gentoo, and hardened? x86, and AMD? Or some virtual ebuild that requires certain versions of kernels to be installed, that can be updated via Portage from time to time. Then you could script emerge -pv sys-kernel/secure-kernel-source, and when it said it would need to install hardened-sources 2.6.26, you'd know that there must have been a bug in <2.4.26. -- -- gentoo-security@g.o mailing list


Subject Author
Re: [gentoo-security] Days of yore Sune Kloppenborg Jeppesen <jaervosz@g.o>