Linux - Security forum, LinuxQuestions.org
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I'm curious how various distros handle discovery of security alerts that affect their packages. Is it all up to a package maintainer to follow one of the security alert mailing lists or the source project's mailing list? Or is there a way that it is more automated, such as a script for comparing package names and versions against some security alert service?
The reason I'm wondering is that I have some apps that I compile myself, either for specific options or to get a specific version. And sometimes I have to compile their dependencies too. This means I'm now responsible for watching for security updates of all these things instead of my distro's default security checking of installed packages. It seems like a lot of work to track something like this manually.
(..) I have some apps that I compile myself, (..) This means I'm now responsible
IMO that's not as much a distribution issue as it is your freedom to choose: you chose to pass up on what your distribution offered and take on responsibility yourself. Many distributions provide a security email list, so subscribing and setting up filtering rules in your MUA should be really easy.
The government puts out weekly Vulnerability Summaries for technical and non-technical people. They are currently rated by threat level: High, Medium, Low. It lists the "Primary Vendor -- Product", a description, the date it was published, a score, and source and patch info links. You can subscribe to a mailing list or be notified via RSS or Atom feeds.
There is no automated system I know of, because there are just too many forks, versions . . .
Though you could probably use RSS feeds and some filters to get pretty close to just what you need.
@unSpawn - I agree that when you do this you take on that responsibility yourself, that's why I'm curious how people do this in general, so I can do the same for my self-installed apps. Seems like a lot of work, which makes me appreciate all the effort that goes into providing a distro even more.
@never say never - I see what you mean about all the variations. Just version numbers and application names would be ok, but it occurs to me now that distros split applications into different packages, they may patch source code or make other changes, they could be compiled with different options that may or may not affect the vulnerability, etc.
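Since the thread asks whether the check can be scripted (compare locally installed names and versions against an alert feed, then filter it down to what you actually run), here is one way to do it. This is an added example written for this page, not code from any poster or from any advisory service. It assumes an Atom feed whose entry titles read "product -- affected-range" (a made-up layout chosen for the example, not the real format of the weekly summaries mentioned above), and it uses a constructed feed and a constructed inventory of hand-compiled software so that it runs offline.

```python
"""Match an inventory of self-compiled software against a vulnerability feed.

Added example for this thread. The feed layout (Atom <entry> whose <title> is
"<product> -- <affected range>") is an assumption made for this example; a
real feed will need its own title/summary parsing in parse_feed().
"""
import re
import xml.etree.ElementTree as ET

ATOM_NS = "{http://www.w3.org/2005/Atom}"

# Constructed sample feed (not a real advisory feed). "&lt;" is XML for "<".
SAMPLE_FEED = """<feed xmlns="http://www.w3.org/2005/Atom">
  <entry>
    <title>libexample -- &lt; 2.4.7</title>
    <summary>Heap overflow in image decoder.</summary>
  </entry>
  <entry>
    <title>exampleHTTPD -- 1.3.0 to 1.3.12</title>
    <summary>Request smuggling via duplicate headers.</summary>
  </entry>
  <entry>
    <title>othertool -- &lt; 9.0</title>
    <summary>Not installed on this box, should be filtered out.</summary>
  </entry>
</feed>
"""

# Constructed local inventory: the things compiled by hand, outside the package
# manager, so the distro's security tooling does not see them.
LOCAL_INVENTORY = {
    "libexample": "2.4.5",
    "examplehttpd-dev": "1.3.12",
    "cleanlib": "5.1",
}

RANGE_LT = re.compile(r"^<\s*([\d.]+)$")
RANGE_LE = re.compile(r"^<=\s*([\d.]+)$")
RANGE_BETWEEN = re.compile(r"^([\d.]+)\s+to\s+([\d.]+)$")


def parse_version(text):
    """'1.10.2' -> (1, 10, 2): compare numerically, so 1.10 > 1.9 as it should."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


def normalize(name):
    """Fold case and strip split-package suffixes so 'libfoo-dev' meets 'libfoo'.
    The suffix list is an assumption for the example; extend it per distro."""
    name = name.lower()
    for suffix in ("-dev", "-devel", "-doc", "-libs"):
        if name.endswith(suffix):
            name = name[: -len(suffix)]
    return name


def version_affected(version, spec):
    """True if `version` falls inside the affected range `spec`.
    Accepts '< X', '<= X', 'X to Y' (inclusive) or a single exact version."""
    v = parse_version(version)
    m = RANGE_LE.match(spec)
    if m:
        return v <= parse_version(m.group(1))
    m = RANGE_LT.match(spec)
    if m:
        return v < parse_version(m.group(1))
    m = RANGE_BETWEEN.match(spec)
    if m:
        return parse_version(m.group(1)) <= v <= parse_version(m.group(2))
    return v == parse_version(spec)


def parse_feed(xml_text):
    """Return (product, range spec, summary) triples from the assumed feed layout."""
    alerts = []
    for entry in ET.fromstring(xml_text).iter(ATOM_NS + "entry"):
        title = entry.findtext(ATOM_NS + "title", "")
        summary = entry.findtext(ATOM_NS + "summary", "")
        if " -- " not in title:
            continue  # entry does not follow the layout we understand; skip it
        product, spec = title.split(" -- ", 1)
        alerts.append((normalize(product), spec.strip(), summary.strip()))
    return alerts


def match_alerts(inventory, alerts):
    """Keep only alerts naming something we built, at an affected version.
    A hit means 'go and read the advisory', not 'definitely vulnerable': a
    name/version match cannot see local patches or build options."""
    local = {normalize(n): v for n, v in inventory.items()}
    hits = []
    for product, spec, summary in alerts:
        version = local.get(product)
        if version is not None and version_affected(version, spec):
            hits.append((product, version, spec, summary))
    return hits


if __name__ == "__main__":
    for product, version, spec, summary in match_alerts(LOCAL_INVENTORY, parse_feed(SAMPLE_FEED)):
        print(f"REVIEW {product} {version} (affected: {spec}): {summary}")
```

Run against the constructed data, this reports libexample 2.4.5 and the hand-built httpd at 1.3.12 and drops othertool, which is not installed, and cleanlib, which has no alert. The limits the last post raises still apply: the script matches on upstream name and version only, so a hit is a prompt to read the advisory and check whether the build options or any local patches actually expose the issue, and a miss says nothing about code the distro renamed or patched under a different version string.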