# Gentoo security fixes are relatively rare

## Biker

After about two months with Gentoo, I have noticed one major difference with RedHat (which I'm slowly leaving).

Whereas RedHat very frequently produces security fixes, sometimes several times a week, the same activity in the Gentoo world is relatively rare.

If this means that the Gentoo distribution is implicated in fewer security-related incidents, then this is good news.

If, OTOH, this means that software is less scrutinized for security bugs in the Gentoo community, this is bad news.

I thought that most Linux distributions were based largely upon the same code base, so would be just as active with security fixes.

Can someone who knows please elaborate on this?

Biker

----------

## GentooBox

well...

In Redhat there are 260 packages installed by default.

Every time there is a security issue with one of the packages, Redhat update releases a security update.

In the Gentoo world, we have 140 - 300 packages (depends on what you have installed).

And when a new version of an app is released, portage will have it soon.

I have 251 packages installed on my box (mplayer, fluxbox, apache and so on) and I update my system every day with a new version of a currently installed package.

So I don't think that it's rare.

----------

## Biker

 *GentooBox wrote:*   

> so i dont think that its rare.

 

According to the forum index page, the latest GLSA was dated 7-July-2003 and posted on 19-Jul-2003. See GENTOO LINUX SECURITY ANNOUNCEMENT 200307-07 for details.

This doesn't even come close to the RedHat distribution, where (as I said) security announcements are very often published several times a week.

Biker

----------

## mmealman

Gentoo tends to run more recent packages than Red Hat, so a lot of times you'll see alerts for a version that's much older than what Gentoo has been using for a while.

For example, Red Hat has an alert out for postfix but it's for version 1.1. Gentoo uses postfix 2.

The gtkhtml bug is for evolution version 1.2.4 or prior, Gentoo's stable evolution is 1.4.3.

That said, I think Red Hat does a better job communicating their alerts and getting fixes out faster. I mean, the gtkhtml bug should probably be communicated to the Gentoo community so people who don't upgrade often will know to fix it.

Also RHAT has an 8-11 Konqueror alert out that does affect Gentoo, but we don't have anything up yet. Possibly because it's so recent.

Dunno if Gentoo has a full time security person or not. Maybe we could use one.

----------

## fdavid

Here is an idea of effectively spreading the security bugfixes in the gentoo community:

If an installed ebuild version contains a security bug, the portage system should report it. There could be a notation beside the existing N, U, D, R, etc. for security-related updates, for example S. This would mean that the ebuild version to be installed contains a security bugfix which is missing from the installed one.

e.g. after an "emerge -up world"

[ebuild    U S] net-www/mozilla-1.3-r1 [1.3-r3]

----------

## lightcycle

I kind of like the idea of having portage pointing out the more critical security concerns after an "emerge sync", kind of like it does whenever there's a new portage version out. Something like "Ebuild xyz is compromised, please update it at once"

----------

## MrPyro

This could also mean that emerge had an option to only install security fixes: if it's important to keep a system stable (like a server), then you could just install the security patches without upgrading other stuff. I thought I saw a discussion of this concept somewhere ages ago on the Gentoo site, but nothing seems to have happened....

----------

## To

Each time a new version or a patch is released, either from the team that builds/works on a package or from gentoo core, you can install it right away after you update your portage tree. Redhat (I'm a former redhat linux user, used it for over 5 years) doesn't even get close to this; also redhat updates with those rpm -Fvh ...

Tó

----------

## fdavid

 *lightcycle wrote:*   

> I kind of like the idea of having portage pointing out the more critical security concerns after an "emerge sync", kind of like it does whenever there's a new portage version out. Something like "Ebuild xyz is compromised, please update it at once"

 

It's just a matter of taste. Here is my comparison of the two solutions from the point of view of presenting the information.

1. emerge sync

+ You don't need to run "emerge -up world" to see the information. Getting and seeing the information is done by a single command.

2. emerge -up world

+ You don't need to run "emerge sync" to see the information. -> You can see it again and again anytime without syncing.

+ Possibility of an option to see and to do the security updates only.

+ Better visualization. (Maybe)

+ Fits better to the portage concept. (Maybe)

Both would be great, but one is enough. I would vote for the 2nd.

----------

## Senso

Talking about security fixes, an advisory for sys-kernel/gentoo-sources was released today.

----------

## Genone

The idea of checking security updates based on GLSA is currently discussed on the gentoo-dev mailing list; the main idea is described in GLEP #14 (see http://glep.gentoo.org). If you want to take part in the discussion please do it on the mailing list, as following a discussion spread over several places is hard.

The reason that there are only a few GLSAs published is that currently there is only one developer doing it. This will be changed before that GLEP is implemented in portage.

----------

## AlterEgo

 *fdavid wrote:*   

> *lightcycle wrote:*   
>
> > I kind of like the idea of having portage pointing out the more critical security concerns after an "emerge sync", kind of like it does whenever there's a new portage version out. Something like "Ebuild xyz is compromised, please update it at once"

 

There could be security issues in packages that have not explicitly been emerged, but have been installed as a dependency, and therefore will not show up in the world file.

These packages will need an "emerge -puD world" in order for security issues to be accurately detected.

----------

## senectus

There is also the fact that RedHat is a big arsed profitable company, with heavy business-based responsibilities, whereas Gentoo really isn't...

----------

## fdavid

 *Genone wrote:*   

> The idea of checking security updates based on GLSA is currently discussed on the gentoo-dev mailing list; the main idea is described in GLEP #14 (see http://glep.gentoo.org). If you want to take part in the discussion please do it on the mailing list, as following a discussion spread over several places is hard.
> 
> The reason that there are only a few GLSAs published is that currently there is only one developer doing it. This will be changed before that GLEP is implemented in portage.

 

Thank you for the information.

----------

## JHuizingh

While it's not an automated way of fixing things, it would be very easy to use security updates for other distros within gentoo.  When you see a security update for another distro, check to see if your gentoo box is running it and if you have a version of that package that's affected.

----------
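Several posts in this thread describe the same mechanism from different angles: fdavid's S flag on "emerge -up world" output, MrPyro's security-only update mode, AlterEgo's point that dependencies outside the world file must be checked too, and JHuizingh's manual check of another distro's advisory against what is installed. The script below is an added example that ties those together; it is not part of Portage, of any GLSA tooling, or of any post in this thread. The advisory list, the installed-package list and the emerge listing are all constructed for illustration, and the version-ordering rules (numeric components, an optional _alpha/_beta/_pre/_rc/_p suffix, an optional -rN revision) are a simplified subset of Gentoo's and an assumption of this example.

```python
"""Mark emerge output with an S flag when the installed version of a package
falls inside an advisory's affected range, and list every installed package
(dependencies included) that an advisory covers.

Constructed example: not Portage code, not a real GLSA format.
"""
import operator
import re

# Simplified Gentoo-style version grammar (assumption of this example).
SUFFIX_ORDER = {"alpha": 0, "beta": 1, "pre": 2, "rc": 3, "": 4, "p": 5}
VERSION_RE = re.compile(
    r"^(?P<nums>\d+(?:\.\d+)*)"
    r"(?:_(?P<suffix>alpha|beta|pre|rc|p)(?P<snum>\d*))?"
    r"(?:-r(?P<rev>\d+))?$"
)
# category/name-version: the version starts at the first "-<digit>".
CPV_RE = re.compile(r"^(?P<cp>.+?)-(?P<ver>\d[^-]*(?:-r\d+)?)$")
# One line of "emerge -up world" output: flags, candidate cpv, optional [installed].
EMERGE_LINE_RE = re.compile(
    r"^\[ebuild\s+(?P<flags>[^\]]*)\]\s+(?P<cpv>\S+)(?:\s+\[(?P<old>[^\]]+)\])?"
)
OPS = {"<": operator.lt, "<=": operator.le, ">": operator.gt,
       ">=": operator.ge, "==": operator.eq}

# Constructed advisories: package plus the constraints an affected version meets.
ADVISORIES = [
    {"id": "EXAMPLE-2003-01", "package": "net-www/mozilla", "affected": [("<", "1.3-r3")]},
    {"id": "EXAMPLE-2003-02", "package": "mail-mta/postfix",
     "affected": [(">=", "1.1"), ("<", "1.1.12")]},   # old branch only, like mmealman's case
    {"id": "EXAMPLE-2003-03", "package": "net-www/apache", "affected": [("<", "2.0.47")]},
]
# Constructed installed set, including packages that are not in the world file.
INSTALLED = ["net-www/mozilla-1.3-r1", "mail-mta/postfix-2.0.13",
             "net-www/apache-2.0.46", "x11-wm/fluxbox-0.1.14", "dev-libs/expat-1.95.6"]
# Constructed "emerge -up world" listing for the same box.
EMERGE_OUTPUT = """[ebuild     U ] net-www/mozilla-1.3-r3 [1.3-r1]
[ebuild     U ] x11-wm/fluxbox-0.9.4 [0.1.14]
[ebuild     U ] net-www/apache-2.0.47 [2.0.46]
[ebuild  N    ] media-video/mplayer-0.91
[ebuild     U ] mail-mta/postfix-2.0.16 [2.0.13]"""


def parse_version(ver):
    """Turn '1.3_rc1-r2' into a tuple that sorts in (simplified) Gentoo order."""
    m = VERSION_RE.match(ver)
    if not m:
        raise ValueError(f"unsupported version string: {ver!r}")
    nums = tuple(int(x) for x in m.group("nums").split("."))
    return (nums, SUFFIX_ORDER[m.group("suffix") or ""],
            int(m.group("snum") or 0), int(m.group("rev") or 0))


def split_cpv(cpv):
    """'net-www/mozilla-1.3-r1' -> ('net-www/mozilla', '1.3-r1')."""
    m = CPV_RE.match(cpv)
    if not m:
        raise ValueError(f"not a category/package-version string: {cpv!r}")
    return m.group("cp"), m.group("ver")


def is_affected(version, constraints):
    """True when the version satisfies every (op, bound) constraint."""
    v = parse_version(version)
    return all(OPS[op](v, parse_version(bound)) for op, bound in constraints)


def advisories_for(cp, version, advisories):
    return [a["id"] for a in advisories
            if a["package"] == cp and is_affected(version, a["affected"])]


def vulnerable_installed(installed, advisories):
    """Check the whole installed set, not just world: deps count too."""
    return [(cpv, aid) for cpv in installed
            for aid in advisories_for(*split_cpv(cpv), advisories)]


def annotate_emerge_output(text, advisories):
    """Add an S flag to lines whose currently installed version is affected."""
    out = []
    for line in text.splitlines():
        m = EMERGE_LINE_RE.match(line)
        if not m:
            out.append(line)
            continue
        cp, new_ver = split_cpv(m.group("cpv"))
        if m.group("old"):                  # U line: installed version in brackets
            installed_ver = m.group("old")
        elif "R" in m.group("flags"):       # R line: same version reinstalled
            installed_ver = new_ver
        else:                               # N line: nothing installed yet
            out.append(line)
            continue
        if advisories_for(cp, installed_ver, advisories):
            flags = m.group("flags").rstrip() + " S"
            line = line[:m.start("flags")] + flags + line[m.end("flags"):]
        out.append(line)
    return out


def security_updates(text, advisories):
    """The candidate cpvs a security-only mode would merge (MrPyro's server case)."""
    result = []
    for line in annotate_emerge_output(text, advisories):
        m = EMERGE_LINE_RE.match(line)
        if m and "S" in m.group("flags").split():
            result.append(m.group("cpv"))
    return result


if __name__ == "__main__":
    for cpv, aid in vulnerable_installed(INSTALLED, ADVISORIES):
        print(f"{cpv}: affected by {aid}")
    print("\n".join(annotate_emerge_output(EMERGE_OUTPUT, ADVISORIES)))
    print("security-only merge set:", security_updates(EMERGE_OUTPUT, ADVISORIES))
```

The check runs against the installed versions, not the candidate versions, so a package that is already past the fixed version (postfix 2.x against an advisory for the 1.1 series) is correctly left alone, which is the situation mmealman describes when Red Hat alerts lag Gentoo's packages. Running the same matcher over the full installed list rather than the world file covers the dependency case AlterEgo raises.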

