From: Calum <caluml@gmail.com>
To: gentoo-security@lists.gentoo.org
Subject: Re: [gentoo-security] Kernel Security + KISS
Date: Sun, 17 Feb 2008 00:42:39 +0000

On Feb 16, 2008 10:57 PM, Casey Link <unnamedrambler@gmail.com> wrote:
> After reading the tangent topic in bug id 209460 concerning kernel
> vulnerabilities and GLSAs I did some searching and
> came across the "Kernels and GLSAs" thread from awhile ago.

And here's another one:
http://archives.gentoo.org/gentoo-security/msg_b4dcb17d4fef48ce663b9352870be6a8.xml
I started this one, and share the same views as then.

It might be boring work, (and no, I can't do it - I'm just a user of
Gentoo), but it's just strange to leave out the core on which all
other packages utilise, and depend on.

Perhaps a compromise could be reached:
Only serious vulnerabilities, in defaultly/commonly/always used parts
of the kernel, causing local, or remote root escalations would be
notified?

Ddos in raid-xyz.o on MIPS only in 2.6.16-rc2-mm-test - doesn't matter.
local root in splice.c on x86/amd64 affecting 95% of kernel users -
does matter.

In fact, I'd prefer that to the old
create-a-GLSA-for-every-kernel-problem solution.

Anyway, it's late, and I'm tired, and I'm not detracting from the
great job the security team do (and especially the Hardened guys), but
it's nice to have just a one-stop-shop to know if you're running
secure versions of things.

(*Yes, having sources-x.y.z installed doesn't mean that you're running
it, but at least it'll force you to install the sources to stop
glsa-check from bitchin' :) - and then, well, if you don't compile,
build, and run it, well, that's your own fault. )

C

--
http://linuxvps.org/