On 10/17/2010 11:51 AM, Alex Legler wrote:
> Excerpts from Israel G. Lugo's message of Sun Oct 17 15:59:15 +0200 2010:
>> Your own
>> vulnerability treatment policy ranks it as A1 level, and correctly so in
>> my opinion.
>>
> 
> Besides the fact that the VTP is still not applicable to Kernel
> packages, we now do seem to rank things correctly? Can you please make
> up your mind?

The VTP states:

Currently kernels are not covered by the GLSA release process.
Vulnerabilities must still be reported and will be fixed, but no GLSA
will be issued when everything is solved.

To me that sounds like we still do everything the same, but we don't
publish a GLSA when we're done.  It is then suggested that the reason
for the policy is that we have shortcomings in our current tools.

It does not sound to me like we just take care of kernel root exploits
whenever we get around to it, as a matter of policy.

If we do not officially support security updates on the kernel the
webpage should be updated to explicitly state so.  Of course, it would
be better to actually have a sane security policy on the kernel, even if
we can't make official GLSAs.  Also, tool problems or not, there is no
reason we couldn't grant somebody rights to post to the GLSA mailing
list so that they could send out manual notifications when serious
kernel vulnerabilities are fixed.

As it stands, a new gentoo-sources version was fixed, but the vulnerable
versions remain in portage and are not masked, so even users who run
emerge world often might not have realized the need to upgrade
their kernels (as in build and install them and not just have the
sources lying around).  I know I usually take my time on kernel upgrades
waiting for opportune moments, unless there is a serious issue with the
version I'm running.

This isn't about blame-finding/etc.  It would be nice to look at the
overall process going forward and try to improve it.  That starts by
admitting that next time we'd like to do better.

Rich