On Tue, Feb 8, 2011 at 12:57 PM, Fabian Groffen <grob...@gentoo.org> wrote:
> On 08-02-2011 18:46:32 +0100, Andreas K. Huettel wrote:
>> > Other than monitoring bugzilla, how does a Gentoo user even know that they
>> > have a package pending a security update? It seems like GLSAs lag
>> > stabilization by a considerable timeframe.
>>
>> Yep. GLSA is something that seems to happen roughly one year after no
>> affected package is in tree anymore.
>
> Well, it's not too bad lately:
> http://archives.gentoo.org/gentoo-announce/
So I'll agree that it is better now in the sense that we're actually publishing them at all. However, it still seems non-ideal.

Take this bug for example: http://bugs.gentoo.org/show_bug.cgi?id=351920

amd64/x86 were stable weeks ago, but the GLSA still isn't published because we're waiting on one arch. That means that anybody who does updates once a quarter or whatever, except for security updates, will be vulnerable, because they don't know they still have a vulnerability. Even after the last arch is updated it often takes a little time to get the GLSA published.

About the only thing GLSA-checking tools do for me is bug me about having libpng-1.2.44 installed (bug 340261 - most likely the GLSA is incorrect). I almost never catch vulnerabilities on my live system that way, since even if I'm slow I get the updates installed before the GLSA comes out anyway. However, I do get noise sometimes.

Perhaps we should target having GLSAs published within a certain amount of time after a vulnerability is disclosed, whether corrected or not. We could re-publish a final notice once all is well. We really shouldn't consider users safe from a security vulnerability until the vulnerability is patched in the tree AND the notice to update has been sent out.

Rich
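The two situations Rich describes, an advisory for a vulnerability that has no fixed version in the tree yet, and a GLSA that flags a parallel-slotted libpng-1.2.44 because its version range does not distinguish slots, can both be expressed in a small advisory matcher. The following is an added illustration written for this editorial pass; it is not code from the thread and not Gentoo's glsa-check. The advisory ids (GLSA-EXAMPLE-*), the package list and the version comparison (a simplified subset of Gentoo's rules: dotted numeric components plus an optional -rN revision) are all constructed assumptions.

```python
"""Match installed packages against GLSA-style advisories (added example).

Not Gentoo's glsa-check. Version comparison is a simplified subset of the
Gentoo rules (dotted numeric components, optional -rN revision). All
advisory ids, packages and versions below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
import re

_VER_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-r(\d+))?$")


def parse_version(v: str) -> Tuple[Tuple[int, ...], int]:
    """Return a comparable tuple for versions such as '1.2.44' or '1.4.5-r1'.

    A longer component list sorts after a shorter prefix (1.4.5 > 1.4), and
    the revision only breaks ties between otherwise equal versions.
    """
    m = _VER_RE.match(v)
    if not m:
        raise ValueError(f"unsupported version string: {v!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    rev = int(m.group(2) or 0)
    return nums, rev


@dataclass(frozen=True)
class Range:
    vulnerable_lt: str            # installed versions below this are affected
    fixed_in: Optional[str] = None  # None: disclosed, but no fixed version in tree yet
    slot: Optional[str] = None      # None: the range applies to every installed slot


@dataclass(frozen=True)
class Advisory:
    glsa_id: str
    package: str                  # category/name
    ranges: Tuple[Range, ...]


# Installed packages: category/name -> [(version, slot), ...]  (constructed)
INSTALLED: Dict[str, List[Tuple[str, str]]] = {
    "media-libs/libpng": [("1.2.44", "1.2"), ("1.4.4", "0")],
    "app-example/foo": [("2.0", "0")],
}

# Constructed advisories. EXAMPLE-01 uses one slot-agnostic range and therefore
# mis-flags the 1.2-slot libpng (the kind of noise described in the thread);
# EXAMPLE-02 carries one range per slot; EXAMPLE-03 has no fix in the tree.
ADVISORIES: Tuple[Advisory, ...] = (
    Advisory("GLSA-EXAMPLE-01", "media-libs/libpng",
             (Range("1.4.5", fixed_in="1.4.5"),)),
    Advisory("GLSA-EXAMPLE-02", "media-libs/libpng",
             (Range("1.2.44", fixed_in="1.2.44", slot="1.2"),
              Range("1.4.5", fixed_in="1.4.5", slot="0"))),
    Advisory("GLSA-EXAMPLE-03", "app-example/foo",
             (Range("2.1"),)),
)


def check_installed(installed, advisories) -> List[Tuple[str, str, str, str]]:
    """Return (glsa_id, package, installed_version, status) for every hit.

    An advisory without a fixed version is still reported, so a user learns
    about the exposure before the tree is patched rather than after.
    """
    findings = []
    for adv in advisories:
        for version, slot in installed.get(adv.package, []):
            for rng in adv.ranges:
                if rng.slot is not None and rng.slot != slot:
                    continue  # range is scoped to another slot
                if parse_version(version) < parse_version(rng.vulnerable_lt):
                    status = (f"update to >={rng.fixed_in}" if rng.fixed_in
                              else "no fixed version in tree")
                    findings.append((adv.glsa_id, adv.package, version, status))
    return findings


if __name__ == "__main__":
    for glsa_id, pkg, ver, status in check_installed(INSTALLED, ADVISORIES):
        print(f"{glsa_id}: {pkg}-{ver} affected ({status})")
```

Run as a script it lists four findings: EXAMPLE-01 flags both libpng versions (including the 1.2.44 false positive), EXAMPLE-02 flags only 1.4.4 in slot 0, and EXAMPLE-03 reports app-example/foo-2.0 as exposed with no fix available, which is the "publish now, re-publish when fixed" mode the message proposes.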