On Tuesday 20 September 2005 16:44, Thierry Carrez wrote:
> We used to do GLSAs about kernel issues but then we faced major
> problems. The main one was that we issue GLSAs when vulnerabilities are
> fixed in the tree, to tell people to upgrade to a fixed package. But if
> we wait until all kernel sources are fixed in Portage, the GLSA wasn't
> out for months after the vulnerability was disclosed. Secondary problems
> were due to the fact that kernel issues were piling up in the meantime,
> so when you do issue a GLSA, it didn't cover the recent vulnerabilities
> but just told about some that were fixed months ago. So we kept on
> pushing back the GLSA release date... It just wasn't a solution.

This is indeed a problem. But the user expects a single point of information 
about vulnerabilities from a distribution - and he's absolutely right to do 
so. KISS is fine, but only as an additional source. Please don't see the 
following as flaming, but: so if for some reason we can't fix kernel issues in 
time, or at least not on all architectures - then it's probably better to send 
out a GLSA saying that we drop these architectures security-wise, or that we have 
problems with fixing kernel vulnerabilities, noting them and asking people to 
stop using distinct kernels, or Gentoo at all in the worst case, as long as we 
cannot react in acceptable time.


Carsten
