On Wed, Jul 6, 2016 at 8:19 AM, Kristian Fiskerstrand <k...@gentoo.org> wrote:
> On 07/06/2016 02:11 PM, Rich Freeman wrote:
>
>> announcement (which is something we lack - we issue GLSAs sometimes
>> ages after something is fixed on x86/amd64).  Granted, that should be
>> news enough that people are getting the message in other ways unless
>> it is Gentoo-specific.
>
> GLSA is a separate discussion, but amd64 and x86 are not the only stable
> architectures in Gentoo, and the GLEP isn't sent until stabilized across
> the supported arches. That... and a lower than wanted manpower to write
> up the GLSAs vs scouting, wrangling and auditing work.
>

I understand that.  However, I just sometimes wonder whether that
approach makes sense.  The result of the current system is that we
don't release GLSAs until well after a bug is fixed, sometimes after
months.

So, GLSAs don't tell you if you're vulnerable to a known problem (even
discounting embargo periods).  They only tell you if you have been
slower in updating your system than every stable arch team and the
GLSA team (and that is ignoring the occasional false positive).  To be
really secure you either need to just accept every update in the tree,
or carefully follow bugzilla for security bugs.  Either way the GLSA
doesn't add much.

GLSAs should almost follow the lifecycle of vulnerabilities, or maybe
be issued per-arch.  Lots of ways to handle it.

But I agree that it is out of the scope of this discussion.  And I
just say that as a suggestion - I accept that I haven't volunteered to
retool the GLSA system and it has historically been woefully
undermanned.

-- 
Rich