On 04/13/2016 01:26 AM, Ian Zimmerman wrote:
> On 2016-04-12 10:57 -0400, David Niklas wrote:
>
>> You could use Gentoo, you get to configure it all yourself!
>
> Funny you'd say that, I _am_ actually switching to it - on my
> "workstation" role computers. I'm already over 50% over the hump, I
> think.
>
> But on "server type" computers, I just cannot spare a dedicated security
> branch. I really don't have the time, and more importantly the nerves,
> to scramble and recompile the world when each new vulnerability is
> announced.
>
This shouldn't be worse on Gentoo than it is anywhere else. We have a
mailing list, gentoo-announce [0], where security advisories get sent.
But, they only get sent out once the vulnerability has been fixed and
marked stable /everywhere/, so they often come a little late.

Nevertheless, security issues are fixed ASAP:

1. Some vulnerability is found.
2. The security team opens a bug, and contacts the maintainer of the
   affected package.
3. A fix is committed to the tree.
4. The arch teams scramble to stabilize the version with the fix.
5. The announcement is sent out.

As long as you follow a semi-regular update cycle, you shouldn't have to
do anything special, even if you run a stable system. The affected
package will be recompiled automatically as part of the updates. Any
packages *depending on* that package (like, if they're statically linked
to it) will also be recompiled. No need to recompile @world.

[0] https://www.gentoo.org/get-involved/mailing-lists/