Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
Does gentoo backports patches like centos and redhat?
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
Cyberstudio
Apprentice
Apprentice


Joined: 17 Oct 2005
Posts: 240
Location: /usr/src/linux

PostPosted: Sat Apr 18, 2015 4:18 am    Post subject: Does gentoo backports patches like centos and redhat? Reply with quote

Hi guys!

I was wondering, does gentoo backports security patches? im thinking in packages like firefox, the kernel, apache, etc. right now i have firefox 31.5.3 (from source, stable from the tree), but the "real" firefox is 37.0.1! does that mean that im vulnerable to all the security bugs that where fixed after my 31.5.3? or my 31.5.3 has all those security bugs fixed with backports for those patches?

I know that redhat does backports (and debian too i guess?), so i was wondering about gentoo, since some packages can take a while to be marked as stable.

thanks!
_________________
En los CDs de Microsoft, al reves escuchas un mensaje satanico. Eso no es lo peor, al derecho, te instala windows. 8O
Back to top
View user's profile Send private message
mv
Watchman
Watchman


Joined: 20 Apr 2005
Posts: 6276

PostPosted: Sat Apr 18, 2015 5:26 am    Post subject: Re: Does gentoo backports patches like centos and redhat? Reply with quote

Cyberstudio wrote:
I was wondering, does gentoo backports security patches?

No.
And, BTW, since nobody knows for sure what might be a security bug or another bug, you cannot rely to backports too much anyway. There was just recently a blog about this on gentoo planet somewhere, how e.g. a lack of a new SSL protocol might be a much worse security bug, but you will never receive this as a backport, because it involves too deep changes in the code.
Quote:
im thinking in packages like firefox, the kernel, apache, etc.

I would reommend to run always ~arch with these packages (and other ones like nss which are security relevant).
OTOH, nobody knows: Running ~arch always also means potentially running new bugs - also new securtiy bugs.

Some (upstream) projects have a policy to backport patches, however. IIRC, firefox does have such a policy, but I am not sure. There are also the long-tmie supported kernels. I think gentoo tries to follow these in their stabilization policy.
Back to top
View user's profile Send private message
Cyberstudio
Apprentice
Apprentice


Joined: 17 Oct 2005
Posts: 240
Location: /usr/src/linux

PostPosted: Sat Apr 18, 2015 5:47 am    Post subject: Reply with quote

So i guess its safer if i move both kernel and firefox to ~amd64

Thanks!
_________________
En los CDs de Microsoft, al reves escuchas un mensaje satanico. Eso no es lo peor, al derecho, te instala windows. 8O
Back to top
View user's profile Send private message
ulenrich
Veteran
Veteran


Joined: 10 Oct 2010
Posts: 1371

PostPosted: Sat Apr 18, 2015 12:58 pm    Post subject: Reply with quote

I would follow what upstream says:
www-client/firefox-31.6.0 should have the security fixes and should run well using Gentoo-stable
sys-kernel/vanilla-sources-3.18 is the latest longterm on kernel.org.
Cannonical,Debian somewhere provide a vcs tree of security patched linux-3.16. Debian announces general patches distinct from distribution specific if you try: apt-get source ...
_________________
fun2gen2
Back to top
View user's profile Send private message
toralf
Developer
Developer


Joined: 01 Feb 2004
Posts: 3647
Location: Hamburg

PostPosted: Sat Apr 18, 2015 1:27 pm    Post subject: Reply with quote

Cyberstudio wrote:
So i guess its safer if i move both kernel and firefox to ~amd64

Thanks!
I do run a hardened unstable kernel here at my desktop and my server w/o any problems since few months.
Consider such a kernel as an alternative to the stable one.
Back to top
View user's profile Send private message
ulenrich
Veteran
Veteran


Joined: 10 Oct 2010
Posts: 1371

PostPosted: Sat Apr 18, 2015 1:35 pm    Post subject: Reply with quote

toralf wrote:
Cyberstudio wrote:
So i guess its safer if i move both kernel and firefox to ~amd64

Thanks!
I do run a hardened unstable kernel here at my desktop and my server w/o any problems since few months.
Consider such a kernel as an alternative to the stable one.

@toralf
I remember having read "hardened-sources" is "no good" for the desktop.
But I just changed my graphics driver back from proprietary nvidia to opensource nouveau.
Would that suffice to successfully change to hardened?
What are the limitations you know about?
_________________
fun2gen2
Back to top
View user's profile Send private message
toralf
Developer
Developer


Joined: 01 Feb 2004
Posts: 3647
Location: Hamburg

PostPosted: Sat Apr 18, 2015 1:52 pm    Post subject: Reply with quote

ulenrich wrote:
What are the limitations you know about?
I do just have a i915 graphics here -and I do not play any video/*games. There aren't any limitations I' aware off, but it is up to you to test a hardened kernel.
Maybe you#d ask in #gentoo-hardened in IRC (freenode) for details ?
Back to top
View user's profile Send private message
NeddySeagoon
Administrator
Administrator


Joined: 05 Jul 2003
Posts: 42576
Location: 56N 3W

PostPosted: Sat Apr 18, 2015 2:17 pm    Post subject: Reply with quote

I've run ~arch since the middle of 2002.

You need to be prepared for the odd nasty surprise but things are much better than they were.
~arch is no longer the hotbed of development it once was. Much of that has moved to overlays.

Mixing arch and ~arch might be worse than all ~arch. It all depends on the mix.

For ~arch, don't update when you must have a working system. You might not.
Set FEATURES=buildpkg, so you can downgrade quickly if you need to.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum