Calum | 16 Apr 10:36 2007

Days of yore

I remember the days, when summers were hot, winters were cold, and
notifications about kernel security were made using GLSAs.

Then they stopped without warning, and I posted:
http://archives.gentoo.org/gentoo-security/msg_04505.xml
"Now that summer time and 2005.1 are over, I expect that KISS will be
opened soon."

I must say that at the time, I didn't put much credence in that answer.

$ emerge search kiss
*** Deprecated use of action 'search', use '--search' instead
Searching...
[ Results for search key : kiss ]
[ Applications found : 0 ]

In the absence of this, can I request that kernel GLSAs are started
back up, as it seems strange that all packages use them, except for
the kernel.

I run glsa-check -l | grep '\[N\]' on my boxes each night, and get the
results emailed to me - it would be nice to get kernel notifications
too.
We can't all "monitor the "Kernel" component of the "Gentoo Security" product."

Calum
--
http://linuxvps.org/
--

-- 
gentoo-security <at> gentoo.org mailing list
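
As an added illustration (not part of the thread or of the Gentoo tooling): a small POSIX shell wrapper around the nightly check Calum describes. It assumes `glsa-check -l` prints one advisory per line carrying the status marker `[N]` for advisories the system might be affected by (`[A]` applied, `[U]` unaffected), and that a `mail` command is on the box; the sample output below is constructed for the example and names no real advisories.

```shell
#!/bin/sh
# Added example: nightly "unapplied GLSA" report around glsa-check.
# Assumptions (not from the thread): glsa-check -l emits one line per
# advisory with a status marker [N]/[A]/[U]; a `mail` command exists.

# Keep only lines whose status is [N] (system might be affected).
# Reads glsa-check -l output on stdin; exits 0 even when nothing matches.
unapplied_glsas() {
    grep '\[N\]' || true
}

# Constructed sample of glsa-check -l output (not real advisories).
SAMPLE_OUTPUT='200701-01 [A] example-pkg: file overwrite ( app-misc/example )
200702-02 [N] another-pkg: buffer overflow ( net-misc/another )
200703-03 [U] unaffected-pkg: denial of service ( dev-libs/unaffected )'

# Number of unapplied advisories in the sample (used as a self-check).
count_unapplied() {
    printf '%s\n' "$SAMPLE_OUTPUT" | unapplied_glsas | wc -l | tr -d ' '
}

# Nightly driver: run the real tool, mail root only if something is new.
# Not invoked here; hook it into cron on a Gentoo box.
nightly_report() {
    command -v glsa-check >/dev/null 2>&1 || {
        echo "glsa-check not installed" >&2
        return 1
    }
    report=$(glsa-check -l 2>/dev/null | unapplied_glsas)
    if [ -n "$report" ]; then
        printf '%s\n' "$report" | mail -s "Unapplied GLSAs on $(hostname)" root
    fi
}

# Stand-alone demo: show which constructed sample lines would be mailed.
printf '%s\n' "$SAMPLE_OUTPUT" | unapplied_glsas
```

Because the filter only ever reports `[N]` lines, a night with no new advisories sends no mail at all, which is the behaviour you want from a cron job you intend to keep reading.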

Matt Poletiek | 16 Apr 10:45 2007

Re: Days of yore

Another voice in agreement with the first.

On 4/16/07, Calum <caluml <at> gmail.com> wrote:
> I remember the days, when summers were hot, winters were cold, and
> notifications about kernel security were made using GLSAs.
>
> Then they stopped without warning, and I posted:
> http://archives.gentoo.org/gentoo-security/msg_04505.xml
> "Now that summer time and 2005.1 are over, I expect that KISS will be
> opened soon."
>
> I must say that at the time, I didn't put much credence in that answer.
>
> $ emerge search kiss
> *** Deprecated use of action 'search', use '--search' instead
> Searching...
> [ Results for search key : kiss ]
> [ Applications found : 0 ]
>
>
> In the absence of this, can I request that kernel GLSAs are started
> back up, as it seems strange that all packages use them, except for
> the kernel.
>
> I run glsa-check -l | grep '\[N\]' on my boxes each night, and get the
> results emailed to me - it would be nice to get kernel notifications
> too.
> We can't all "monitor the "Kernel" component of the "Gentoo Security" product."
>
> Calum

Denis Misiurca | 16 Apr 10:55 2007

Re: Days of yore

+1
Matt Poletiek wrote:
> Another voice in agreement with the first.
> 
> On 4/16/07, Calum <caluml <at> gmail.com> wrote:
>> I remember the days, when summers were hot, winters were cold, and
>> notifications about kernel security were made using GLSAs.

Javier Barrio | 16 Apr 10:55 2007

Re: Days of yore


> In the absence of this, can I request that kernel GLSAs are started
> back up, as it seems strange that all packages use them, except for
> the kernel.

> Another voice in agreement with the first.

Yay, me too.

-- 
echo "dpefsAgmv{p/psh" | perl -pe 's/(.)/chr(ord($1)-1)/ge'
GnuPG key ID 0x6D2FF8B5  <at>  pgp.rediris.es
http://www.fluzo.org/

"C. Bergström" | 16 Apr 11:33 2007

Re: Days of yore

Javier Barrio wrote:
>> In the absence of this, can I request that kernel GLSAs are started
>> back up, as it seems strange that all packages use them, except for
>> the kernel.
>
>> Another voice in agreement with the first.
>
> Yay, me too.
<aol>me too</aol>

Fabio A Correa | 16 Apr 12:44 2007

Re: Days of yore


A vote here.

--
Fabio A. Correa D.

Physics Dept, Universidad Nacional, Bogota, Colombia
facorread <at> gmail.com
ffaaccdd <at> yahoo.co.uk         facorread <at> unal.edu.co
My webpage and OpenPGP key at http://facorread.150m.com
facorread <at> alexandria.cc is not working anymore!!!

Lars Hartman | 16 Apr 13:15 2007

Re: Days of yore

Another Vote here


Kurt Lieber | 16 Apr 13:43 2007

Re: Days of yore

On 4/16/07, Lars Hartman <psychosmurfz <at> googlemail.com> wrote:
> Another Vote here

Lots of "me toos" on this list....anyone who's also willing to put
their time where their mouth is and help out with GLSA wrangling?
That's been a chronic problem with the Gentoo Security team.  Lots of
people want security notifications, but not nearly as many people are
willing to help make that happen.

For those of you willing to help, pop into #gentoo-security and talk
to the folks there about where you can contribute.

--kurt

Calum | 16 Apr 14:06 2007

Re: Days of yore

On 4/16/07, Kurt Lieber <klieber <at> gentoo.org> wrote:
> Lots of "me toos" on this list....

At least that means it's not just a bugbear of mine....

> anyone who's also willing to put
> their time where their mouth is and help out with GLSA wrangling?
> That's been a chronic problem with the Gentoo Security team.  Lots of
> people want security notifications, but not nearly as many people are
> willing to help make that happen.

But the infrastructure is already in place for GLSA's. It was working
like that, it was removed (with no notice that I noticed, which left
me insecure for quite a while before I wondered "why haven't there
been any kernel GLSAs for a while" and asked on the list), and some
KISS idea was proposed.

There's no need to do anything different - just to include *-sources
in the GLSAs.

If it's not broken....

-- 
http://linuxvps.org/

Kurt Lieber | 16 Apr 15:32 2007

Re: Days of yore

On 4/16/07, Calum <caluml <at> gmail.com> wrote:
> But the infrastructure is already in place for GLSA's.

With all due respect, you haven't the faintest idea how much work it
takes to issue a GLSA.  It's not a simple matter of typing some stuff
in an email and hitting send.  You have to chase devs down and get
them to patch their stuff.  You have to chase arch maintainers down
and get them to test things and mark them stable.  You have to chase
security people down to draft the GLSA.  You have to chase more
security people down to peer review the GLSA.

I don't know that we've ever formally quantified how much time an
average GLSA takes, but my semi-educated guess would be in the
neighborhood of 10 hours per package.

Now, take that process and multiply it by the number of -sources in
the tree and you can start to get an idea for how much time it takes
to issue kernel updates.

So, again, #gentoo-security is where you can start being part of the solution.

--kurt
