From: Tom Hendrikx
Date: Sat, 10 Feb 2007 17:43:06 +0100
To: gentoo-hardened@lists.gentoo.org
Subject: Re: [gentoo-hardened] security updates
Message-ID: <45CDF61A.4070808@whyscream.net>
In-Reply-To: <20070210160237.GB5317@swordfish.capgemini.hu>
List-Id: Gentoo Linux mail

Nagy Gabor Peter wrote:
> Hi list,
>
> I have a question:
>
> Since I am new to gentoo, I don't know how security updates work.
>
> I know Debian. In Debian if I have stable installed on a production
> server, I get regular security fixes, often backported from the current
> bleeding edge version, where upstream has fixed the bug, to the version
> that Debian stable contains.
>
> I have noticed that in gentoo there are many versions of a package that
> are considered stable. Take glibc as an example: according to
> http://packages.gentoo.org/search/?sstring=glibc, on x86 there are 8
> versions available, all of them stable.
>
> I have now two gentoo machines, one is going to be production, the
> other is used to get me a little bit more familiar with the system.
>
> On the playground machine I have 2006.1 installed, glibc 2.4-r3.
> On the production machine I have 2006.0, switched to hardened profile,
> and then recompiled; there I have glibc 2.3.6-r5.
>
> I see now that glibc 2.4-r3 should be upgraded to 2.4-r4 (by the way,
> where can I check the differences (Changelog) between two gentoo
> versions (like r3 and r4)?)

On packages.gentoo.org there is a link to the changelog that describes
major changes to ebuilds.

>
> So my question: If someone finds a bug in glibc that gets corrected,
> what do the gentoo maintainers do about it? Do they backport the fix
> in all 8 versions? Or just in some of the versions and mark the not
> fixed ones ~?

Mostly, when a package (f.i. glibc-2.3.6-r5) contains a bug, a new
ebuild is released under a new revision (in this example:
glibc-2.3.6-r6) and then marked stable. The vulnerable ebuild will be
removed. Users do an 'emerge --sync && emerge -uD world' and get the new
glibc installed.

>
> Is there some mailinglist (like debian-security-announce) where such
> security fixes are announced?

Security fixes are announced on the gentoo-announce mailing list, see
http://www.gentoo.org/main/en/lists.xml for more info.

>
> What is the reason that the hardened profile selects the 2.3.6 version
> instead of the 2.4? I mean not in glibc's case only, but generally.
>
> Does libc 2.4 have troubles with ssp?
>

Support for PIE and/or SSP is not complete for glibc >2.3 and gcc 4.
There was some overlay with usable ebuilds for these versions. I'm not
sure about the reason why it doesn't work yet and why it takes so much
trouble; there are some people on this list who can explain that far
better...

Tom

--
gentoo-hardened@gentoo.org mailing list