On Tuesday 20 September 2005 06:09 am, Calum wrote:
> I prefer the idea that tracking one source (GLSAs) would provide me with
> all the information I needed to keep my Gentoo boxes secure, but if we
> were all to change to a new system, perhaps the kernel GLSAs should have
> overlapped with this new system until it was in, tested, and adopted?
While I think that kernels do need additional information to be supplied about a potential security hole (kernel security problems often occur in a module that many people may not use), I agree that kernel vulnerabilities should be published as GLSAs.

I subscribe to the GLSA RSS feed, and scan that feed manually against my installed software list. The glsa-check tool is basically useless (as of gentoolkit-0.2.1_pre7), as it shows all GLSAs rather than just GLSAs for tools that correspond to packages installed on the system it is run on.

This document here: http://www.gentoo.org/proj/en/portage/glsa-integration.xml talks about including glsa support directly in portage, which I think is the right idea. It mentions kernels as covered by glsa-check.

In the end, I will be happy with any tool (preferably emerge and/or equery) that can check a running system's installed packages and tell me what GLSAs apply to that system.

Regards,
- Brian

-- 
[email protected] mailing list
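The check Brian asks for at the end of his message, reduced to its core: compare each advisory's vulnerable version range against what is actually installed, and report only the advisories that apply. This is an added example, not code from the thread and not gentoolkit's glsa-check or Gentoo's own advisory parser. The advisory records, package names and versions are constructed, the advisory ids are placeholders, the version ordering is a simplified form of Gentoo's rules, and the installed-package database is assumed to live at /var/db/pkg.

```python
"""Report only the advisories that apply to the packages installed on this box.

Added example for the thread above; it is not gentoolkit's glsa-check and not
Gentoo's advisory parser. Advisory records, package names and versions are
constructed; advisory ids are placeholders. Version ordering is a simplified
form of Gentoo's rules (dotted numbers, one optional _alpha/_beta/_pre/_rc/_p
suffix, optional -rN revision).
"""
import os
import re
from dataclasses import dataclass

# Ordering of the suffix between the numeric part and the revision:
# _alpha < _beta < _pre < _rc < (no suffix) < _p
SUFFIX_ORDER = {"alpha": 0, "beta": 1, "pre": 2, "rc": 3, "": 4, "p": 5}

VERSION_RE = re.compile(
    r"(\d+(?:\.\d+)*)(?:_(alpha|beta|pre|rc|p)(\d*))?(?:-r(\d+))?"
)


def version_key(version):
    """Turn '0.2.1_pre7-r2' into a tuple that sorts the way Gentoo orders versions."""
    m = VERSION_RE.fullmatch(version)
    if not m:
        raise ValueError(f"unsupported version string: {version!r}")
    numbers = tuple(int(part) for part in m.group(1).split("."))
    suffix = m.group(2) or ""
    suffix_number = int(m.group(3) or 0)
    revision = int(m.group(4) or 0)
    return (numbers, SUFFIX_ORDER[suffix], suffix_number, revision)


@dataclass(frozen=True)
class Advisory:
    """One advisory entry: installed versions below `vulnerable_lt` are affected."""
    glsa_id: str        # placeholder id, constructed for this example
    package: str        # category/name atom
    vulnerable_lt: str  # the 'lt' bound of the vulnerable range


def applicable_advisories(installed, advisories):
    """Return (glsa_id, package, version) for installed packages in a vulnerable range.

    Advisories for packages that are not installed are deliberately skipped:
    that is the filtering the message above says glsa-check was missing.
    """
    hits = []
    for atom, version in installed.items():
        for adv in advisories:
            if adv.package != atom:
                continue
            if version_key(version) < version_key(adv.vulnerable_lt):
                hits.append((adv.glsa_id, atom, version))
    return hits


# Entries in the package database look like category/name-version, e.g.
# app-portage/gentoolkit-0.2.1_pre7; the version starts at the last '-'
# that is followed by a digit.
VDB_ENTRY_RE = re.compile(r"^(.*?)-(\d[^-]*(?:-r\d+)?)$")


def installed_from_vdb(root="/var/db/pkg"):
    """Read installed packages from the package database directory (assumed path)."""
    installed = {}
    for category in sorted(os.listdir(root)):
        cat_dir = os.path.join(root, category)
        if not os.path.isdir(cat_dir):
            continue
        for entry in os.listdir(cat_dir):
            m = VDB_ENTRY_RE.match(entry)
            if m:
                installed[f"{category}/{m.group(1)}"] = m.group(2)
    return installed


# Constructed sample data: one installed package inside a vulnerable range,
# one above it, and one advisory for a package that is not installed at all.
INSTALLED = {
    "app-portage/gentoolkit": "0.2.1_pre7",
    "app-example/foo": "1.4.2",
    "app-example/bar": "2.0_p1",
}
ADVISORIES = [
    Advisory("EXAMPLE-2005-01", "app-example/foo", "1.4.2-r1"),
    Advisory("EXAMPLE-2005-02", "app-example/bar", "2.0"),
    Advisory("EXAMPLE-2005-03", "sys-kernel/example-sources", "2.6.13"),
]


if __name__ == "__main__":
    inventory = installed_from_vdb() if os.path.isdir("/var/db/pkg") else INSTALLED
    for glsa_id, atom, version in applicable_advisories(inventory, ADVISORIES):
        print(f"{glsa_id}: {atom}-{version} is in the vulnerable range")
```

Run against the constructed data, only the first advisory is reported: `app-example/bar` at `2.0_p1` sorts above the `2.0` bound, and the kernel-sources advisory is dropped because nothing matching it is installed. That last case is the whole point of the thread: an advisory checker is only useful when it answers "does this apply to me", not "what has been published".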
