Subject: Re: [gentoo-security] No GLSA since January?!?
From: "Daniel A. Avelino"
To: gentoo-security@lists.gentoo.org
Date: Fri, 26 Aug 2011 20:38:50 -0300
List-Id: Gentoo Linux mail
In-Reply-To: <3976476.Rt9yeGXjWz@neon>
References: <4E57C5D0.8090004@gocept.com> <1841190.qkTxzWzdzW@neon> <20110826200256.GA11330@zen.cs.uri.edu> <3976476.Rt9yeGXjWz@neon>

But Alex, this could be a great improvement to the system overall.
This can help administrators measure their systems better, and may "force" developers to solve issues faster.

What do you think?

Daniel

On 8/26/11, Alex Legler wrote:
> On Friday 26 August 2011 16:02:56 Kevin Bryan wrote:
>> I was not considering the entire process, just the part that really
>> impacts me: identifying vulnerable and patched packages. Full
>> advisories are nice, but really what I want to know is when I need to
>> update a particular package.
>>
>> You are right that marking the packages that contain fixes doesn't
>> really scale because of increased baggage to carry forward.
>>
>> The problem I have with GLSAs is that they don't come out until after
>> the problem has been fixed.
>>
>> Perhaps it would be better to just have a system to label a particular
>> ebuild/version as vulnerable. Maybe something closer to package.mask,
>> but for security, would be appropriate. With a package.security_mask,
>> you could have anyone on the security project update that file with
>> packages as soon as they know about it and while they are waiting on the
>> devs to fix it. References/links/impact could be noted in the comments
>> above, as package.mask does now.
>>
>> As for interacting with 'emerge', I don't think we want the same
>> semantics as package.mask, since we don't want to force a downgrade (if
>> possible). It should probably just warn when you ask it to install a
>> vulnerable version. Upgrades to safe versions will be quiet that way.
>> The @security set would contain packages with and without fixes, so you get
>> warnings for things that remain vulnerable, and updates for things that
>> are fixed.
>>
>> Thoughts?
>
> I see this as an addition to sending advisories after fixing an issue, not
> as a solution to the issue at hand.
>
> --
> Alex Legler
> Gentoo Security / Ruby
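To make the package.security_mask idea Kevin sketches above concrete, here is a small model of it in Python. This is an added illustration, not Portage code and not something anyone on the thread wrote: it assumes a package.mask-style file where '#' comment lines above each atom carry the references and impact, and it supports only the operators <, <=, =, >=, > with plain dotted numeric versions (real Portage version rules such as suffixes, revisions and wildcards are deliberately out of scope). The package names and bug URL in the sample file are constructed placeholders. The check warns on a matching version instead of masking it, and lets safe versions through quietly, which is the emerge behaviour Kevin asks for; the @security set is derived as the list of packages that appear in the file, fixed or not.

```python
"""Toy model of a package.security_mask file (hypothetical, not Portage)."""
import re
from dataclasses import dataclass, field

# Constructed sample in package.mask style; packages, dates and URL are placeholders.
SAMPLE_SECURITY_MASK = """\
# Example Security <security@example.invalid> (26 Aug 2011)
# Hypothetical remote DoS, see https://bugs.example.invalid/0000
# No fix available yet; vendor notified.
<net-misc/hypothetical-daemon-1.2.3

# Example Security <security@example.invalid> (25 Aug 2011)
# Hypothetical local privilege escalation, fixed in 4.1
<=sys-apps/hypothetical-tool-4.0
"""

# operator, category/package, dotted numeric version (simplified atom syntax)
ATOM_RE = re.compile(
    r"^(?P<op><=|>=|<|>|=)(?P<pkg>[\w+-]+/[\w+-]+?)-(?P<ver>\d+(?:\.\d+)*)$"
)


@dataclass
class SecurityMask:
    op: str
    package: str
    version: tuple
    notes: list = field(default_factory=list)  # references/impact from the comment block


def parse_version(text):
    """'1.2.3' -> (1, 2, 3); only plain dotted numeric versions are supported."""
    return tuple(int(part) for part in text.split("."))


def parse_security_mask(text):
    """Parse the file into SecurityMask entries, attaching the preceding comment block."""
    masks, notes, prev_was_atom = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            notes, prev_was_atom = [], False  # blank line ends a comment block
            continue
        if line.startswith("#"):
            if prev_was_atom:  # a new comment block directly after an atom
                notes, prev_was_atom = [], False
            notes.append(line.lstrip("# ").strip())
            continue
        m = ATOM_RE.match(line)
        if not m:
            raise ValueError(f"unsupported atom syntax: {line!r}")
        masks.append(SecurityMask(m["op"], m["pkg"], parse_version(m["ver"]), list(notes)))
        prev_was_atom = True
    return masks


def matches(mask, package, version):
    """True if the candidate version of package falls inside the masked range."""
    if mask.package != package:
        return False
    a, b = version, mask.version
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))  # pad so (4,0) and (4,0,0) compare equal
    b += (0,) * (width - len(b))
    return {"<": a < b, "<=": a <= b, "=": a == b, ">=": a >= b, ">": a > b}[mask.op]


def check_install(masks, package, version_text):
    """Return warning lines for a requested install; an empty list means stay quiet."""
    version = parse_version(version_text)
    return [
        f"WARNING: {package}-{version_text} is listed as vulnerable: " + "; ".join(m.notes)
        for m in masks
        if matches(m, package, version)
    ]


def security_set(masks):
    """Packages that would form an @security set: everything listed, fixed or not."""
    return sorted({m.package for m in masks})


if __name__ == "__main__":
    entries = parse_security_mask(SAMPLE_SECURITY_MASK)
    for pkg, ver in [("net-misc/hypothetical-daemon", "1.2.2"),
                     ("net-misc/hypothetical-daemon", "1.2.3"),
                     ("sys-apps/hypothetical-tool", "4.0"),
                     ("sys-apps/hypothetical-tool", "4.1")]:
        print(pkg, ver, check_install(entries, pkg, ver) or "ok")
    print("@security:", security_set(entries))
```

Running the module prints one line per candidate install: the two still-vulnerable versions get a warning that carries the comment-block references, and the two safe versions print "ok", which is the quiet-upgrade behaviour described in the thread.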