[PLUG] On the topic of distributions

Dan Young dan_young at parkrose.k12.or.us
Wed Jan 22 21:55:02 UTC 2003


Rich Shepard said:
>   I get notices from Red Hat when they have a package upgrade available
> that welds shut a security hole in the existing package. This is a
> rather handy tool for a non-SysAdmin like me who can't spend a lot of
> time each day reading bug-tracking mail lists and other such sources
> to learn of vulnerabilities removed. What do folks do to keep their
> systems secure when the distribution they run is Slackware, Gentoo,
> linux-from-scratch or something else?

Gentoo's announce mailing list is largely announcements re: security
fixes. Even if you don't read those, as soon as the ebuild is updated
and unmasked, you'd see it in your "emerge rsync && emerge world -up
--deep" sequence. That is roughly equivalent to Debian's "apt-get
update && apt-get upgrade -s". The recent CVS vulnerabilities were
patched fairly quickly by this route.

Regardless of what distribution you use, it's worth _at least_
scanning the headlines at lwn.net if just to know what vulnerabilities
are out there. Most of the high-profile ones show up there. Some
places take longer than others to release patched versions. Do you
really want to wait for your distribution to tell you about the remote
root exploit in foo-1.23?

-Dan Young
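
Added example, not part of the original post: a small filter that turns the simulated run mentioned above ("apt-get upgrade -s") into a list of pending upgrades and marks the ones that come from a security archive, so it can be run from cron and mailed. The function names and the sample output are constructed for illustration; it assumes current apt "Inst" line formatting and that the security archive's label contains "security", as it does on Debian and Ubuntu.

```shell
#!/bin/sh
# Added example: summarise `apt-get -s upgrade` output.
# Real use (assumption: run on a Debian-style host after `apt-get update`):
#   apt-get -s upgrade | pending_upgrades

# Constructed sample of simulated-upgrade output (not captured from a real host).
sample_output() {
cat <<'EOF'
Reading package lists...
Building dependency tree...
The following packages will be upgraded:
  baz-data foo libbar1
3 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Inst foo [1.23-1] (1.23-2 Debian-Security:12/stable-security [amd64])
Inst libbar1 [2.0-4] (2.0-4+sec1 Debian:12.5/stable, Debian-Security:12/stable-security [amd64])
Inst baz-data [2002c-1] (2002d-1 Debian:12.5/stable [all])
Conf foo (1.23-2 Debian-Security:12/stable-security [amd64])
Conf libbar1 (2.0-4+sec1 Debian:12.5/stable, Debian-Security:12/stable-security [amd64])
Conf baz-data (2002d-1 Debian:12.5/stable [all])
EOF
}

# Read simulated-upgrade output on stdin; print one line per pending package:
#   SECURITY|other  <package>  <installed> -> <candidate>
pending_upgrades() {
    awk '
    $1 == "Inst" {
        pkg = $2; old = "(new)"; i = 3
        # The installed version, when there is one, sits in [brackets].
        if ($i ~ /^\[.*\]$/) { old = substr($i, 2, length($i) - 2); i++ }
        new = $i; sub(/^\(/, "", new)
        # Everything after the candidate version names the origin(s); a
        # package can be offered by several archives at once.
        rest = ""
        for (j = i + 1; j <= NF; j++) rest = rest " " $j
        tag = (tolower(rest) ~ /security/) ? "SECURITY" : "other"
        printf "%s %s %s -> %s\n", tag, pkg, old, new
    }'
}

# Count the pending upgrades that come from a security archive.
security_count() {
    pending_upgrades | awk '$1 == "SECURITY" { n++ } END { print n + 0 }'
}

# Demonstration on the constructed sample.
sample_output | pending_upgrades
echo "security upgrades pending: $(sample_output | security_count)"
```

Only the "Inst" lines are parsed; the "Conf" lines repeat the same packages and would double the count.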
