Thread: Days of yore

Days of yore
2007-04-16 03:36:30
I remember the days, when summers were hot, winters were cold, and notifications about kernel security were made using GLSAs.

Then they stopped without warning, and I posted:
http://archives.gentoo.org/gentoo-security/msg_04505.xml
"Now that summer time and 2005.1 are over, I expect that KISS will be opened soon."

I must say that at the time, I didn't put much credence in that answer.

$ emerge search kiss
*** Deprecated use of action 'search', use '--search' instead
Searching...
[ Results for search key : kiss ]
[ Applications found : 0 ]

In the absence of this, can I request that kernel GLSAs are started back up, as it seems strange that all packages use them, except for the kernel.

I run glsa-check -l | grep '[N]' on my boxes each night, and get the results emailed to me - it would be nice to get kernel notifications too.

We can't all "monitor the "Kernel" component of the "Gentoo Security" product."

Calum
--
http://linuxvps.org/
--
gentoo-security@gentoo.org mailing list
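The nightly glsa-check filter described above, as an added shell example that is not part of the thread: it shows why the unescaped '[N]' pattern over-matches (it is a bracket expression, not the literal status tag) next to a stricter filter, and wraps it in a report function. The glsa-check listing is constructed and its entry layout and legend are assumed; the cron path and mail recipient are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Filters glsa-check -l output for
# GLSAs marked [N] ("system might be affected"). The sample below is
# constructed; the entry layout "<id> [<status>] <title> ( <packages> )"
# and the three-line legend are assumed from glsa-check's list output.
SAMPLE_GLSA_OUTPUT='[A] means this GLSA was marked as applied (injected),
[U] means the system is not affected and
[N] indicates that the system might be affected.

200703-01 [U] Example Package: Buffer overflow ( app-misc/example )
200703-02 [N] Sample Daemon: Denial of service ( net-misc/sampled )
200704-03 [A] Another Tool: Notes for NOC users ( sys-apps/another )'

# The pattern '[N]' is a bracket expression: it matches any line that
# contains an uppercase N, so the legend line and the [A] entry whose
# title contains "Notes" and "NOC" are returned as well.
naive_filter() {
    printf '%s\n' "$SAMPLE_GLSA_OUTPUT" | grep '[N]'
}

# Escaping the opening bracket and anchoring on the GLSA id (YYYYMM-NN)
# keeps only the entries that really carry the [N] status.
pending_glsas() {
    printf '%s\n' "$SAMPLE_GLSA_OUTPUT" | grep -E '^[0-9]{6}-[0-9]{2} \[N] '
}

# Nightly report, e.g. from a cron entry such as (hypothetical path):
#   0 3 * * * /usr/local/sbin/glsa-report.sh
# On a real box replace the sample with the output of: glsa-check -l
# Mails root only when something is pending and returns 1 in that case
# so a cron wrapper can notice.
glsa_report() {
    pending="$(pending_glsas)"
    [ -z "$pending" ] && return 0
    printf 'Unapplied GLSAs on %s:\n%s\n' "$(hostname)" "$pending" \
        | mail -s "GLSA report: $(hostname)" root
    return 1
}
```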
Re: Days of yore
2007-04-16 03:45:56
Another voice in agreement with the first.

On 4/16/07, Calum <caluml@gmail.com> wrote:
> I remember the days, when summers were hot, winters were cold, and
> notifications about kernel security were made using GLSAs.
>
> Then they stopped without warning, and I posted:
> http://archives.gentoo.org/gentoo-security/msg_04505.xml
> "Now that summer time and 2005.1 are over, I expect that KISS will be
> opened soon."
>
> I must say that at the time, I didn't put much credence in that answer.
>
> $ emerge search kiss
> *** Deprecated use of action 'search', use '--search' instead
> Searching...
> [ Results for search key : kiss ]
> [ Applications found : 0 ]
>
> In the absence of this, can I request that kernel GLSAs are started
> back up, as it seems strange that all packages use them, except for
> the kernel.
>
> I run glsa-check -l | grep '[N]' on my boxes each night, and get the
> results emailed to me - it would be nice to get kernel notifications
> too.
> We can't all "monitor the "Kernel" component of the "Gentoo Security" product."
>
> Calum
> --
> http://linuxvps.org/
--
Matthew Poletiek
www.chill-fu.net
Re: Days of yore
Romania
2007-04-16 03:55:35

+1

Matt Poletiek wrote:
> Another voice in agreement with the first.
>
> On 4/16/07, Calum <caluml@gmail.com> wrote:
>> I remember the days, when summers were hot, winters were cold, and
>> notifications about kernel security were made using GLSAs.
Re: Days of yore
Spain
2007-04-16 03:55:53

> In the absence of this, can I request that kernel GLSAs are started
> back up, as it seems strange that all packages use them, except for
> the kernel.

> Another voice in agreement with the first.

Yay, me too.
--
echo "dpefsAgmv{p/psh" | perl -pe 's/(.)/chr(ord($1)-1)/ge'
GnuPG key ID 0x6D2FF8B5 pgp.rediris.es
http://www.fluzo.org/
Re: Days of yore
Colombia
2007-04-16 05:44:29

A vote here.
--
Fabio A. Correa D.
Physics Dept, Universidad Nacional, Bogota, Colombia
facorread@gmail.com
ffaaccdd@yahoo.co.uk facorread@unal.edu.co
My webpage and OpenPGP key at http://facorread.150m.com
facorread@alexandria.cc is not working anymore!!!
Re: Days of yore
Germany
2007-04-16 06:15:18

Another Vote here
Re: Days of yore
2007-04-16 06:43:32

On 4/16/07, Lars Hartman <psychosmurfz@googlemail.com> wrote:
> Another Vote here

Lots of "me toos" on this list....anyone who's also willing to put their time where their mouth is and help out with GLSA wrangling?

That's been a chronic problem with the Gentoo Security team. Lots of people want security notifications, but not nearly as many people are willing to help make that happen.

For those of you willing to help, pop into #gentoo-security and talk to the folks there about where you can contribute.

--kurt
Re: Days of yore
2007-04-16 07:06:29

On 4/16/07, Kurt Lieber <klieber@gentoo.org> wrote:
> Lots of "me toos" on this list....

At least that means it's not just a bugbear of mine....

> anyone who's also willing to put their time where their mouth is and
> help out with GLSA wrangling?
> That's been a chronic problem with the Gentoo Security team. Lots of
> people want security notifications, but not nearly as many people are
> willing to help make that happen.

But the infrastructure is already in place for GLSA's. It was working like that, it was removed (with no notice that I noticed, which left me insecure for quite a while before I wondered "why haven't there been any kernel GLSAs for a while" and asked on the list), and some KISS idea was proposed.

There's no need to do anything different - just to include *-sources in the GLSAs.

If it's not broken....
--
http://linuxvps.org/
Re: Days of yore
2007-04-16 08:32:51

On 4/16/07, Calum <caluml@gmail.com> wrote:
> But the infrastructure is already in place for GLSA's.

With all due respect, you haven't the faintest idea how much work it takes to issue a GLSA. It's not a simple matter of typing some stuff in an email and hitting send. You have to chase devs down and get them to patch their stuff. You have to chase arch maintainers down and get them to test things and mark them stable. You have to chase security people down to draft the GLSA. You have to chase more security people down to peer review the GLSA.

I don't know that we've ever formally quantified how much time an average GLSA takes, but my semi-educated guess would be in the neighborhood of 10 hours per package.

Now, take that process and multiply it by the number of -sources in the tree and you can start to get an idea for how much time it takes to issue kernel updates.

So, again, #gentoo-security is where you can start being part of the solution.

--kurt
Re: Days of yore
2007-04-16 09:05:22

On Mon, 2007-04-16 at 08:32 -0500, Kurt Lieber wrote:
> On 4/16/07, Calum <caluml@gmail.com> wrote:
> > But the infrastructure is already in place for GLSA's.
>
> You have to chase security people down to draft the GLSA. You have to
> chase more security people down to peer review the GLSA.

In my limited experience with vulnerabilities in packages I maintain, the problem or delays seem to be with the last two steps listed. Not to simplify them by any means, or the preceding steps.

http://bugs.gentoo.org/show_bug.cgi?id=173122
http://bugs.gentoo.org/show_bug.cgi?id=169433

Not to mention in my case upstream had already acted or etc, so no patching or etc was needed on my behalf. Just bumps and stabilization if anything.

> I don't know that we've ever formally quantified how much time an
> average GLSA takes, but my semi-educated guess would be in the
> neighborhood of 10 hours per package.

I would not be surprised, and surely that if they have to follow it through from start to finish. Less if say maintaining devs are responsible for addressing their vulnerable package, and not leaving it up to others like security team. All must do their parts to get things done in a timely manner.

> Now, take that process and multiply it by the number of -sources in
> the tree and you can start to get an idea for how much time it takes
> to issue kernel updates.

Kernel issues must be a nightmare for the security team.

> So, again, #gentoo-security is where you can start being part of the
> solution.

If I had the time I would go join and help. As is, already quite over committed.
--
William L. Thomson Jr.
Gentoo/Java