
mointrigue

Posts posted by mointrigue

  1. 4 hours ago, palica said:

    glsa-check doesn't provide up-to-date information for Funtoo. Funtoo also backports lots of security fixes for the forked packages, so the information that you get with --list affected could be inaccurate or wrong.

    There is an open bug for the glsa-check tool for Funtoo

    in BFO https://bugs.funtoo.org/browse/FL-3832?jql=text ~ "glsa"

    so you can subscribe to the bug and get an update once such a tool is ready for Funtoo. Until then you will have to check Gentoo's GLSA list and check the README.rst in the kit of the package, for example here:

    https://github.com/funtoo/core-kit/blob/1.0-prime/README.rst

    Funtoo also tries to audit forked ebuilds every 30 days. You can see all stale packages on this webpage:

    http://ports.funtoo.org/stale/

    If you want to help and use any of the packages that are listed as "stale", you can check if they are affected by any known vulnerabilities and report those on https://bugs.funtoo.org where they will be squashed as fast as possible.

    Thank you in advance.

    Thanks!

  2. OK, that's weird. It seems like for days even if I ran 

    sudo glsa-check --list all

    I'd get nothing. I mean, I'd expect to see that if I used "affected". But today if I run the same command I get output, but nothing after April 2017, which does not match with GLSA announcements. This snippet was captured right after today's ego sync.

     

    <snip...>
    201702-29 [U] PHP: Multiple vulnerabilities ( dev-lang/php )
    201702-30 [U] tcpdump: Multiple vulnerabilities ( net-analyzer/tcpdump )
    201702-31 [U] GPL Ghostscript: Multiple vulnerabilities ( app-text/ghostscript-gpl )
    201702-32 [U] Ruby Archive::Tar::Minitar: Directory traversal ( dev-ruby/archive-tar-minitar )
    201703-01 [U] OpenOffice: User-assisted execution of arbitrary code ( app-office/openoffice-bin )
    201703-02 [U] Adobe Flash Player: Multiple vulnerabilities ( www-plugins/adobe-flash )
    201703-03 [U] PuTTY: Buffer overflow ( net-misc/putty )
    201703-04 [U] cURL: Certificate validation error ( net-misc/curl )
    [A] means this GLSA was marked as applied (injected),
    [U] means the system is not affected and
    [N] indicates that the system might be affected.
    
    201703-05 [U] GNU Libtasn1: Denial of Service ( dev-libs/libtasn1 )
    201703-06 [U] Deluge: Remote execution of arbitrary code ( net-p2p/deluge )
    201703-07 [U] Xen: Privilege Escalation ( app-emulation/xen-tools )
    201704-01 [U] QEMU: Multiple vulnerabilities ( app-emulation/qemu )
    201704-02 [U] Chromium: Multiple vulnerabilities ( www-client/chromium )
    201704-03 [U] X.Org: Multiple vulnerabilities ( x11-base/xorg-server  x11-libs/libICE  x11-libs/libXdmcp ... )
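
A freshness check for the situation in the post above, where `glsa-check --list all` shows nothing newer than April 2017 (an added example, not part of the thread or of Funtoo's tooling). The function names, the reference month 201712 and the two-month threshold are assumptions, and the sample lines are constructed from the format shown in the post. It measures only how old the advisory data is, not whether the [U]/[N] status is right.

```shell
#!/bin/sh
# Added example: flag a stale GLSA database from `glsa-check --list all` output.

# Constructed sample in the format shown in the post, legend lines included.
sample_glsa_list() {
cat <<'EOF'
201702-29 [N] PHP: Multiple vulnerabilities ( dev-lang/php )
201703-04 [U] cURL: Certificate validation error ( net-misc/curl )
[A] means this GLSA was marked as applied (injected),
[U] means the system is not affected and
[N] indicates that the system might be affected.

201704-01 [U] QEMU: Multiple vulnerabilities ( app-emulation/qemu )
201704-03 [U] X.Org: Multiple vulnerabilities ( x11-base/xorg-server  x11-libs/libICE ... )
EOF
}

# Print the YYYYMM of the newest advisory on stdin; fail if none is found.
# Only lines shaped like "YYYYMM-NN [A|U|N] ..." count, so the legend is skipped.
newest_glsa_month() {
  awk '$1 ~ /^[0-9][0-9][0-9][0-9][0-9][0-9]-[0-9]+$/ && $2 ~ /^\[[AUN]\]$/ {
         m = substr($1, 1, 6); if (m > max) max = m
       }
       END { if (max == "") exit 1; print max }'
}

# Whole months from $1 (older YYYYMM) to $2 (newer YYYYMM).
# The leading "1" keeps months such as 08 from being read as octal.
months_between() {
  echo $(( (${2%??} - ${1%??}) * 12 + (1${2#????} - 1${1#????}) ))
}

# $1 = reference month (YYYYMM), $2 = allowed lag in months.
# Returns 0 when fresh, 1 when stale, 2 when no advisory lines were seen.
glsa_db_status() {
  newest=$(newest_glsa_month) || { echo "no-advisories"; return 2; }
  lag=$(months_between "$newest" "$1")
  if [ "$lag" -gt "$2" ]; then
    echo "stale newest=$newest lag=$lag"
    return 1
  fi
  echo "fresh newest=$newest lag=$lag"
}

# On a live system: glsa-check --list all | glsa_db_status "$(date +%Y%m)" 2
sample_glsa_list | glsa_db_status 201712 2 || true
```
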

     

     
