December 23rd, 2004 08:54 PM
Gentoo - Secunia
Have a look here:
That list is massive.
The Debian list is pretty large too:
I am not a hardcore nix user, but I'm wondering why that list is so long compared to other OS's. Nearly all of the advisories are for software that Gentoo doesn't develop, but I am wondering why we don't see a massive list of advisories for other *nix OS's that (I'm guessing here) have the same software:
/me gets chipotle
December 23rd, 2004 09:03 PM
If you subscribe to BugTraq you will notice that there is a Gentoo issue nearly every day but they seem to be more in the third party products than the core OS itself.
Debian seems to get a lot of the same.....
Don\'t SYN us.... We\'ll SYN you.....
\"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides
December 23rd, 2004 09:42 PM
Gentoo and every other Linux distro generally use customized packages for their own distro. SUSE for example comes with a different style of any given package than what entoo has. SUSE customizes almost everything including the Kernel, so if Gentoo has a security flaw, which is daily, SUSE most likely doesn't.
Gentoo is terrible at this. SUSE and RedHat both use custom, and Slackware generally has a different package too. Gentoo for some reasno, and Debian, both get spanked with this. I'm not sure why because I've never looked at how those two distros do things, mainly because I don't like them.
Take the Kernel, SUSE has a custom Kernel, so if there is a flaw in Gentoo, generally it won't be for SUSE because even though it's the Linux Kernel, SUSE is custom and pretty much more secured by the SUSE security team.
December 23rd, 2004 10:20 PM
Ok, so different distros differ more than I thought.
So why are the changes that Debian and Gentoo make so drastic that they open up security vulnerabilities? Are they merely customizing software to work for the OS, or are they also making an attempt to improve the software itself?
It would probably take someone who is hardcore Debian or Gentoo to answer that one.
Merry FESTIVUS everybody
December 23rd, 2004 10:39 PM
Yeah well, everything is relative ...
Sure i can't look aside the figures, i can say it may be a misplaced figure ...
As well as Debian as Gentoo make great difference in stable - unstable packages.
For example, gentoo has a system where you can specify if you want tested or untested (latest released) packages through the for.ex. "ACCEPT_KEYWORDS=~x86" function, whereas you can specify in Debian the selection between stable - unstable - testing is , if i remember correctly, through the apt-get config. Most bugs apply at unstable, not fully released, packages.
So what i'm trying to say, if you are sticking to stable (as me) and you upgrade regularly, these presented figures don't apply actually.
I do have to admit there are people who still believe the latest versions are the best, which definetly isn't. These people would match alot of those advisories.
As they say often, a box is as good as the person who controls it ...
Anyway thats my point of view,
And also from me a Mewwy Kwistmas
December 24th, 2004 02:14 AM
I'm willing to call this a bias. Most security testers are going to use a OS that they feel is more...well hardcore. Along with this comes the whole OS groupie thing. So the more people that use an OS, the more your are going to hear from it. When was the last time you got any security announcements for college linux?
You shall no longer take things at second or third hand,
nor look through the eyes of the dead...You shall listen to all
sides and filter them for your self.
December 24th, 2004 12:17 PM
I think the important thing here is the number of unpatched advisories rather than the number in total.
IT, e-commerce, Retail, Programme & Project Management, EPoS, Supply Chain and Logistic Services. Yorkshire. http://www.bigi.uk.com
December 25th, 2004 09:00 AM
I agree with steve.milner on this one. My opinion is that due to the testing that all the packages undergo before they get flagged as stable in the Portage tree [as described by Shrekkie above] a lot of issues show up. Yes there are many GLSAs every week, either third-party or base system-related.
It should be made clear that Gentoo gives a choice of many, many kernels.
So there's quite a few things to choose from, but not all of them are patched by the Gentoo dev team [like the vanilla sources].
ac-sources/ gentoo-sources/ ksymoops/ pegasos-dev-sources/ sparc-sources/
alpha-sources/ grsec-sources/ linux-headers/ pegasos-sources/ uclinux-sources/
ck-sources/ hardened-dev-sources/ linux26-headers/ ppc-dev-sources/ usermode-sources/
config-kernel/ hardened-sources/ mips-headers/ ppc-sources/ vanilla-sources/
development-sources/ hppa-dev-sources/ mips-sources/ ppc64-headers/ win4lin-sources/
genkernel/ hppa-headers/ mm-sources/ rsbac-dev-sources/ wolk-sources/
gentoo-dev-sources/ hppa-sources/ openmosix-sources/ rsbac-sources/ xbox-sources/
Maybe SUSE doesn't disclose as much, or maybe they can't find things in as many apps as Gentoo can. It doesn't matter. These are all open source systems and if one is so concerned to have everything top-of-the-line they should study the original webiste for each application and study the new patches and use that instead.
I myself use only stable packages on my Gentoo laptop [except for Sun's Java Compiler, v1.5] and never ran into any kind of problem. Sure I'm not a big target for the hackers of the world but my system has been standing its ground so far.
December 25th, 2004 02:50 PM
It's not that SUSE can't find things, it's simply that they have an entire team who does nothing but security, and does security audits on code like Open BSD does, so before it's released, it's already been tested, that's that.
December 25th, 2004 06:52 PM
gentoo ... isn't cutting edge ... it's bleeding edge... so you should expect certain inconsistencies.
after installation i had many problems w/ dependencies and broken paths
(of course, i'm not a linux expert)...
but Debian is considered defacto a model linux distro.... ibm has actually chosen it to be their linux standard