From Gentoo Wiki
Jump to:navigation Jump to:search

This page is intended to provide useful resources for performing security project work in Gentoo (e.g. identifying vulnerable packages, finding bugs to triage).

Bundled libraries

I started a list of such packages.


See this page for sources of new release information.



  • Note that it's very easy for a bug to get 'stuck' in one of these states, especially [upstream/ebuild] and [upstream].
  • We need to check the references and/or ask the maintainer what their plans are if a patch exists.


  • Waiting for an ebuild (upstream have released a fixed version)
  • Patch available may want to wait for new release (ask maintainer)
  • Waiting for upstream (may have been fixed since last checked, meaning we may change to upstream/ebuild or ebuild if a release was made)
  • Waiting to stable (maintainer may or may not have told us to wait, sometimes we need to ping and ask if no comment from them and been a little while)
  • Stabilisation (note that sometimes we need to ping arches if it's been a while, sometimes people forget to change the whiteboard to this, or sometimes stable is done and we need to change to cleanup)


Note that Repology isn't necessarily accurate: we may have patched vulnerabilities or already have open bugs, but it's a good sanity check.

We may need to create bugs for issues flagged up by this.