--- title: 'Gentoo security' navtitle: 'Security' nav1: support nav2: security nav3: security-index nav2-show: true nav3-show: true nav3-weight: 1 body_class: nav-align-h2 layout: page-nav3 ---

Security in Gentoo Linux

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. The Security Project is tasked with providing timely information about security vulnerabilities in Gentoo Linux, along with patches to secure those vulnerabilities. We work directly with vendors, end users and other OSS projects to ensure all security incidents are responded to quickly and professionally.

You can find a document describing the policy the security team follows to treat the vulnerabilities found in the Gentoo Linux distribution on the Vulnerability Treatment Policy page.

Installing a secure Gentoo system

The Gentoo Security Handbook gives information and tips for building a secure system and hardening existing systems.

Keeping Gentoo secure

To stay up-to-date with the security fixes you should subscribe to receive GLSAs and apply GLSA instructions whenever you have an affected package installed. Alternatively, syncing your portage tree and upgrading every package should also keep you up-to-date security-wise.

You can use glsa-check tool (part of the gentoolkit package) to:

Check if a specific GLSA applies to your system (-p option)
List all GLSAs with applied/affected/unaffected status (-l option)
Apply a given GLSA to your system (-f option).

Gentoo Linux Security Announcements (GLSAs)

Gentoo Linux Security Announcements are notifications that we send out to the community to inform them of security vulnerabilities related to Gentoo Linux or the packages contained in our portage repository.

Recent advisories

{% include frontpage/glsa %}

For a full list of all published GLSAs, please see our GLSA index page.

How to receive GLSAs

GLSA announcements are sent to the gentoo-announce@gentoo.org mailing-list, and are published via RSS and Atom feeds.

Security team contact information

Gentoo Linux takes security vulnerability reports very seriously. Please file new vulnerability reports on Gentoo Bugzilla and assign them to the Gentoo Security product and Vulnerabilities component. The Gentoo Linux Security Team will ensure all security-related bug reports are responded to in a timely fashion.

If you find errors or omissions in published GLSAs, you should also file a bug in Gentoo Bugzilla in the Gentoo Security product, but with GLSA Errors component.

Report security vulnerability Report GLSA error

Confidential contacts

You have two options to submit non-public vulnerabilities to the security team. You may submit a bug in Gentoo Bugzilla using the New-Expert action, or the Enter a new bug report (advanced) link, and check the Gentoo Security checkbox in the Only users in all of the selected groups can view this bug section. You may also contact directly using encrypted mail one of the following security contacts:

Name	Responsibility	Email	OpenPGP key ID (click to retrieve public key)
Thomas Deutschmann	Security lead	whissi@gentoo.org	0x58497EE51D5D74A5
Kristian Fiskerstrand	Security lead	k_f@gentoo.org	0x0B7F8B60E3EDFAE3
Jason A. Donenfeld	Security auditing lead	zx2c4@gentoo.org	0x49FC7012A5DE03AE

Note: In order to ensure the reception and fastest possible response for any confidential situation, we encourage senders to email to at least two from the three security contacts.

Note: You can see a full list of Gentoo developers, including their OpenPGP key ID on our list of active developers.

Resources

Security pages

GLSA index page — Full list of all published GLSAs.
GLSA RSS feed — GLSA RSS live feed.
Vulnerability Treatment Policy — The official policy of the security team.
Gentoo Linux Security Project — The security project page.