From: Alex Legler <a3li@gentoo.org>
To: gentoo-security@lists.gentoo.org
Subject: Re: [gentoo-security] No GLSA since January?!?
Date: Fri, 26 Aug 2011 20:40:29 +0200 [thread overview]
Message-ID: <1841190.qkTxzWzdzW@neon> (raw)
In-Reply-To: <20110826180838.GA21426@zen.cs.uri.edu>
[-- Attachment #1: Type: text/plain, Size: 1738 bytes --]
On Friday 26 August 2011 14:08:38 Kevin Bryan wrote:
> Although I like having the summary information about what the
> vulnerability is, if I'm only reading them for packages I have
> installed, then a reference of some kind would suffice.
>
> I'd be fine even if it was just a new variable in the .ebuild file that
> somehow indicated which versions it was a fix for, reusing the syntax
> for dependency checking. A reference to the CVE or gentoo bug reference
> would be good, too:
>
> SECURITY_FIXES="<www-plugins/adobe-flash-10.1.102.64"
> SECURITY_REF="CVE:2010-2169 http://..."
> SECURITY_BUG="343089"
> SECURITY_IMPACT="remote"
>
> Then would be most of the work the committer needs to do is right there
> in a file they are modifying anyway.
>
> The portage @security set could also look for and evaluate these tags,
> instead of parsing the GLSA's.
A complete change of the system is very unlikely.
Nevertheless: What is the end-to-end process in your solution? (i.e.
vulnerability report to 'advisory' release)
A while ago a similar solution was proposed. Basically you want to shift our
job back to the package maintainers. That might work, but rais a few new
issues.
We'd automatically lose some consistency, because not everyone would follow
the needed or wanted data scheme. Such a thing is much better to control in a
smaller and better connected group of people.
Also, cleanup and large amounts of issues in packages are issues. Browsers
usually get hundreds of CVEs assigned in a year, that would be all in the
Ebuild, and for how long?
Personally, I'm not convinced this is a model that would be an improvement
over the current situation.
Alex
--
Alex Legler <a3li@gentoo.org>
Gentoo Security / Ruby
[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 198 bytes --]
next prev parent reply other threads:[~2011-08-26 18:41 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-08-26 16:12 [gentoo-security] No GLSA since January?!? Christian Kauhaus
2011-08-26 16:43 ` Christoph Jasinski
2011-08-26 16:57 ` JD Horelick
2011-08-26 17:18 ` Daniel A. Avelino
2011-08-26 17:57 ` Alex Legler
2011-08-26 18:22 ` Daniel A. Avelino
2011-08-26 18:44 ` Alex Legler
2011-08-26 19:27 ` Daniel A. Avelino
2011-08-26 16:55 ` Alex Legler
2011-08-26 17:06 ` Christian Kauhaus
2011-08-26 18:00 ` Joost Roeleveld
2011-08-26 18:07 ` Alex Legler
2011-08-26 19:30 ` Joost Roeleveld
2011-08-26 18:08 ` Kevin Bryan
2011-08-26 18:40 ` Alex Legler [this message]
2011-08-26 20:02 ` Kevin Bryan
2011-08-26 20:40 ` Daniel A. Avelino
2011-08-26 22:27 ` Alex Legler
2011-08-26 23:38 ` Daniel A. Avelino
2011-08-26 18:41 ` Daniel A. Avelino
2011-08-27 8:49 ` Christian Kauhaus
2011-08-27 12:13 ` Rich Freeman
2011-08-27 12:34 ` Tobias Heinlein
2011-08-27 13:06 ` Rich Freeman
2011-08-27 13:34 ` Tobias Heinlein
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1841190.qkTxzWzdzW@neon \
--to=a3li@gentoo.org \
--cc=gentoo-security@lists.gentoo.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox