From: Nagy Gabor Peter
To: gentoo-hardened@lists.gentoo.org
Date: Sat, 10 Feb 2007 17:02:38 +0100
Subject: [gentoo-hardened] security updates
Message-ID: <20070210160237.GB5317@swordfish.capgemini.hu>

Hi list,

I have a question: since I am new to gentoo, I don't know how security updates work. I know Debian. In Debian, if I have stable installed on a production server, I get regular security fixes, often backported from the current bleeding-edge version, where upstream has fixed the bug, to the version that Debian stable contains.

I have noticed that in gentoo there are many versions of a package that are considered stable. Take glibc as an example: according to http://packages.gentoo.org/search/?sstring=glibc, on x86 there are 8 versions available, all of them stable.

I have now two gentoo machines; one is going to be production, the other is used to get me a little bit more familiar with the system.
On the playground machine I have 2006.1 installed, glibc 2.4-r3.
On the production machine I have 2006.0, switched to the hardened profile, and then recompiled; there I have glibc 2.3.6-r5.

I see now that glibc 2.4-r3 should be upgraded to 2.4-r4 (by the way, where can I check the differences (Changelog) between two gentoo versions (like r3 and r4)?).

So my question: if someone finds a bug in glibc that gets corrected, what do the gentoo maintainers do about it? Do they backport the fix to all 8 versions? Or just to some of the versions and mark the not-fixed ones ~? Is there some mailing list (like debian-security-announce) where such security fixes are announced?

What is the reason that the hardened profile selects the 2.3.6 version instead of the 2.4? I mean not in glibc's case only, but generally. Does libc 2.4 have troubles with ssp?

Cheers,
G
--
gentoo-hardened@gentoo.org mailing list