On Friday 05 May 2006 20:37, Kevin F. Quinn (Gentoo) wrote:

> First, I'll get the security updates when (1) the relevant updated
> package goes stable, which is usually pretty quickly, or (2)
> notification is made in gentoo-announce (which must be the correct
> place to get such notifications).

That they go stable quickly is a bet and not always true. When there never was a stable ebuild, there won't be an announcement.

> Secondly, "Up-to-date on GLSAs" != "safe". Not by a long shot.
> Further, missing GLSAs does not necessarily mean I'm vulnerable.
> That's what the detail is for in the GLSAs; so I can make a judgement
> call on whether I need to worry about a vulnerability or not.

It makes a difference whether you can trust a security team to take care of it or whether you have to do it all yourself. That there will never be 100% perfect security is a different topic.

> Lastly, if there are versions of a package in ~arch that have known
> security flaws, my understanding is that they either get patched with a
> -rN bump, or they get removed from the tree in favour of a later
> version that is not vulnerable. Either way, I get notification when I
> next do an update.

That previous ebuilds get removed is another bet I wouldn't make.

You claim "Up-to-date on GLSAs" != "safe" (which isn't wrong, of course), but base your handling of possible vulnerabilities on assumptions. That doesn't match.

Carsten