Cyberstudio Apprentice
Joined: 17 Oct 2005 Posts: 240 Location: /usr/src/linux
Posted: Sat Apr 18, 2015 4:18 am Post subject: Does Gentoo backport patches like CentOS and Red Hat?
Hi guys!
I was wondering, does Gentoo backport security patches? I'm thinking of packages like Firefox, the kernel, Apache, etc. Right now I have Firefox 31.5.3 (from source, stable from the tree), but the "real" Firefox is 37.0.1! Does that mean that I'm vulnerable to all the security bugs that were fixed after my 31.5.3? Or does my 31.5.3 have all those security bugs fixed with backports of those patches?
I know that Red Hat does backports (and Debian too, I guess?), so I was wondering about Gentoo, since some packages can take a while to be marked as stable.
Thanks!
_________________
On Microsoft CDs, played backwards you hear a satanic message. That's not the worst part: played forwards, it installs Windows.
mv Watchman
Joined: 20 Apr 2005 Posts: 6747
Posted: Sat Apr 18, 2015 5:26 am Post subject: Re: Does Gentoo backport patches like CentOS and Red Hat?
Cyberstudio wrote:
    I was wondering, does Gentoo backport security patches?
No.
And, BTW, since nobody knows for sure what might be a security bug or another bug, you cannot rely on backports too much anyway. There was just recently a blog about this on Gentoo Planet somewhere, about how, e.g., the lack of a new SSL protocol might be a much worse security bug, but you will never receive this as a backport, because it involves too deep changes in the code.
Cyberstudio wrote:
    I'm thinking of packages like Firefox, the kernel, Apache, etc.
I would recommend always running ~arch with these packages (and other ones like nss which are security relevant).
OTOH, nobody knows: always running ~arch also means potentially running new bugs, including new security bugs.
Some (upstream) projects have a policy to backport patches, however. IIRC, Firefox does have such a policy, but I am not sure. There are also the long-term supported kernels. I think Gentoo tries to follow these in its stabilization policy.
Cyberstudio Apprentice
Joined: 17 Oct 2005 Posts: 240 Location: /usr/src/linux
Posted: Sat Apr 18, 2015 5:47 am Post subject:
So I guess it's safer if I move both the kernel and Firefox to ~amd64.
Thanks!
ulenrich Veteran
Joined: 10 Oct 2010 Posts: 1480
Posted: Sat Apr 18, 2015 12:58 pm Post subject:
I would follow what upstream says:
www-client/firefox-31.6.0 should have the security fixes and should run well on Gentoo stable.
sys-kernel/vanilla-sources-3.18 is the latest longterm on kernel.org.
Canonical and Debian somewhere provide a VCS tree of security-patched linux-3.16. Debian announces general patches distinct from distribution-specific ones if you try: apt-get source ...
toralf Developer
Joined: 01 Feb 2004 Posts: 3922 Location: Hamburg
Posted: Sat Apr 18, 2015 1:27 pm Post subject:
Cyberstudio wrote:
    So I guess it's safer if I move both the kernel and Firefox to ~amd64.
    Thanks!
I do run a hardened unstable kernel here on my desktop and my server w/o any problems, for a few months now.
Consider such a kernel as an alternative to the stable one.
ulenrich Veteran
Joined: 10 Oct 2010 Posts: 1480
Posted: Sat Apr 18, 2015 1:35 pm Post subject:
toralf wrote:
    Cyberstudio wrote:
        So I guess it's safer if I move both the kernel and Firefox to ~amd64.
        Thanks!
    I do run a hardened unstable kernel here on my desktop and my server w/o any problems, for a few months now.
    Consider such a kernel as an alternative to the stable one.
@toralf
I remember having read that "hardened-sources" is "no good" for the desktop.
But I just changed my graphics driver back from proprietary nvidia to open-source nouveau.
Would that suffice to successfully change to hardened?
What are the limitations you know about?
toralf Developer
Joined: 01 Feb 2004 Posts: 3922 Location: Hamburg
Posted: Sat Apr 18, 2015 1:52 pm Post subject:
ulenrich wrote:
    What are the limitations you know about?
I just have i915 graphics here, and I do not play any video/games. There aren't any limitations I'm aware of, but it is up to you to test a hardened kernel.
Maybe you'd ask in #gentoo-hardened on IRC (freenode) for details?
NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54237 Location: 56N 3W
Posted: Sat Apr 18, 2015 2:17 pm Post subject:
I've run ~arch since the middle of 2002.
You need to be prepared for the odd nasty surprise, but things are much better than they were.
~arch is no longer the hotbed of development it once was. Much of that has moved to overlays.
Mixing arch and ~arch might be worse than all ~arch. It all depends on the mix.
For ~arch, don't update when you must have a working system. You might not.
Set FEATURES=buildpkg, so you can downgrade quickly if you need to.
_________________
Regards,
NeddySeagoon
Computer users fall into two groups:
those that do backups
those that have never had a hard drive fail.
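The configuration the thread converges on (keyword only the security-sensitive packages to ~amd64, and turn on FEATURES=buildpkg so a bad ~arch update can be rolled back) as an added example; this is not code from the thread, from Gentoo, or from any of the posters. The script stages the files into a scratch directory instead of /etc/portage so you can inspect them before copying them into place. The atoms www-client/firefox and dev-libs/nss come from the thread; sys-kernel/gentoo-sources and the file name `security` under package.accept_keywords are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): stage the Portage configuration
# discussed above into a scratch directory, then query it.
set -eu

# Move only the packages the thread considers security-relevant to ~amd64;
# everything else stays on the profile's stable keyword.
# sys-kernel/gentoo-sources and the file name "security" are assumptions.
write_accept_keywords() {
    root="$1"
    mkdir -p "$root/package.accept_keywords"
    cat > "$root/package.accept_keywords/security" <<'EOF'
# Follow upstream releases for browser and kernel instead of waiting for
# stabilization (stable firefox was 31.5.3 while upstream was at 37.0.1).
www-client/firefox ~amd64
dev-libs/nss ~amd64
sys-kernel/gentoo-sources ~amd64
EOF
}

# Enable binary package building so an update that breaks can be reverted
# with the previously built binpkg (emerge -K) instead of a rebuild.
# Idempotent: an existing FEATURES line is extended, not duplicated.
write_make_conf() {
    root="$1"
    conf="$root/make.conf"
    touch "$conf"
    if grep -q '^FEATURES=' "$conf"; then
        grep -q 'buildpkg' "$conf" \
            || sed -i 's/^FEATURES="\(.*\)"/FEATURES="\1 buildpkg"/' "$conf"
    else
        printf 'FEATURES="buildpkg"\n' >> "$conf"
    fi
}

# Print the keyword a package gets under the staged config, "stable" when no
# entry overrides the profile default.  Later entries win, as in Portage.
keyword_for() {
    root="$1"; pkg="$2"
    kw=$(cat "$root"/package.accept_keywords/* 2>/dev/null \
        | grep -v '^#' | awk -v p="$pkg" '$1 == p { print $2 }' | tail -n 1)
    printf '%s\n' "${kw:-stable}"
}

# True when make.conf enables buildpkg.
has_buildpkg() {
    grep -q '^FEATURES=.*buildpkg' "$1/make.conf"
}

# Stand-alone run: stage into a temp dir and show two lookups.
stage=$(mktemp -d)
write_accept_keywords "$stage"
write_make_conf "$stage"
keyword_for "$stage" www-client/firefox   # ~amd64
keyword_for "$stage" app-editors/vim      # stable
```

Once the staged files look right, copy them into /etc/portage and run `emerge -uDN @world` with a working system you can afford to lose for a while, as NeddySeagoon advises; the binpkgs that buildpkg leaves in PKGDIR are what make `emerge -K` downgrades quick.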