Nagy Gabor Peter wrote:
> Hi list,
>
> I have a question:
>
> Since I am new to gentoo, I don't know how security updates work.
>
> I know Debian. In Debian if I have stable installed on a production
> server, I get regular security fixes, often backported from the current
> bleeding edge version, where upstream has fixed the bug, to the version
> that Debian stable contains.
>
> I have noticed that in gentoo there are many versions of a package that
> are considered stable. Take glibc as an example, according to
> http://packages.gentoo.org/search/?sstring=glibc, on x86 there are 8
> versions available, all of them stable.
>
> I have now two gentoo machines, one is going to be production, the
> other is used to get me a little bit more familiar with the system.
>
> On the playground machine I have 2006.1 installed, glibc 2.4-r3
> On the production machine I have 2006.0, switched to hardened profile,
> and then recompiled, there I have glibc 2.3.6-r5
>
> I see now that glibc 2.4-r3 should be upgraded to 2.4-r4 (by the way,
> where can I check the differences (Changelog) between two gentoo
> versions (like r3 and r4)?)

On packages.gentoo.org there is a link to the changelog that describes major changes to ebuilds.

> So my question: If someone finds a bug in glibc that gets corrected,
> what do the gentoo maintainers do about it? Do they backport the fix
> in all 8 versions? Or just in some of the versions and mark the not
> fixed ones ~?

Mostly, when a package (f.i. glibc-2.3.6-r5) contains a bug, a new ebuild is released under a new revision (in this example: glibc-2.3.6-r6) and then marked stable. The vulnerable ebuild will be removed. Users do an 'emerge --sync && emerge -uD world' and get the new glibc installed.

> Is there some mailinglist (like debian-security-announce) where such
> security fixes are announced?

Security fixes are announced on the gentoo-announce mailing list, see http://www.gentoo.org/main/en/lists.xml for more info.

> What is the reason that the hardened profile selects the 2.3.6 version
> instead of the 2.4? I mean not in glibc's case only, but generally.
>
> Does libc 2.4 have troubles with ssp?

Support for PIE and/or SSP is not complete for glibc >2.3 and gcc 4. There was some overlay with usable ebuilds for these versions. I'm not sure about the reason why it doesn't work yet and why it takes so much trouble; there are some people on this list who can explain that far better...

Tom
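The revision-bump process described above (a vulnerable glibc-2.3.6-r5 superseded by a glibc-2.3.6-r6 ebuild, with the fix per version branch rather than a backport into one version) implies a simple check for an admin: is the installed revision at or above the fixed revision for its branch? The following Python is an added example, not code from this thread or from Portage; the host inventory and the "fixed" revisions are constructed, and only dotted numeric versions with -rN revisions are parsed.

```python
import re

# Constructed sample input: the two machines from the thread and the glibc
# revisions they run (versions taken from the e-mail), plus hypothetical
# fixed revisions modelling the process the reply describes.
INSTALLED = {
    "playground": "sys-libs/glibc-2.4-r3",
    "production": "sys-libs/glibc-2.3.6-r5",
}
FIXED = ["sys-libs/glibc-2.3.6-r6", "sys-libs/glibc-2.4-r4"]

# category/name-PV[-rN]; only dotted numeric PVs and -rN revisions are
# handled, not suffixes such as _rc1 or _p2 (an assumption of this example).
ATOM_RE = re.compile(r"^(?P<cp>[^/]+/.+?)-(?P<pv>\d+(?:\.\d+)*)(?:-r(?P<rev>\d+))?$")


def parse_atom(atom):
    """Split 'sys-libs/glibc-2.3.6-r5' into ('sys-libs/glibc', (2, 3, 6), 5)."""
    m = ATOM_RE.match(atom)
    if m is None:
        raise ValueError(f"unsupported atom: {atom}")
    pv = tuple(int(part) for part in m.group("pv").split("."))
    return m.group("cp"), pv, int(m.group("rev") or 0)


def is_fixed(installed, fixed_atoms):
    """True if the installed revision already carries the fix.

    Gentoo fixes a stable version by bumping its revision (-rN) rather than
    patching the ebuild in place, so within one version branch the check is
    'installed revision >= fixed revision'. A version newer than every fixed
    one is treated as unaffected (like a GLSA 'unaffected >=' range); an older
    branch with no fixed revision listed counts as still vulnerable.
    """
    cp, pv, rev = parse_atom(installed)
    same_pkg = [(fpv, frev) for fcp, fpv, frev in map(parse_atom, fixed_atoms) if fcp == cp]
    if not same_pkg:
        raise ValueError(f"no fix entry for {cp}")
    same_branch = [frev for fpv, frev in same_pkg if fpv == pv]
    if same_branch:
        return rev >= min(same_branch)
    return (pv, rev) > max(same_pkg)


def report(installed=INSTALLED, fixed=FIXED):
    """Map host -> 'ok' or 'needs update' for the constructed inventory."""
    return {host: "ok" if is_fixed(atom, fixed) else "needs update"
            for host, atom in installed.items()}


if __name__ == "__main__":
    print(report())
```

With the constructed data both hosts come back as "needs update", which is exactly what an `emerge --sync && emerge -uD world` would resolve by pulling in the bumped revisions.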