glsa-check should have an additional option to list only the packages that may be affected by a security problem [N]. Right now it shows a lot of unaffected glsa packages, that are classified as [U]. Those packages which do not apply to the current system only add complexity to the list.

Reproducible: Always

Steps to Reproduce:
1. emerge gentoolkit
2. glsa-check -l

Actual Results:
[A] means this GLSA was already applied,
[U] means the system is not affected and
[N] indicates that the system might be affected.

200401-01 [U] Linux kernel do_mremap() local privilege escalation vulnerability ( sys-kernel/alpha-sources sys-kernel/ck-sources sys-kernel/hppa-sources ... )
200401-02 [U] Honeyd remote detection vulnerability via a probe packet ( net-analyzer/honeyd )
200401-03 [U] Apache mod_python Denial of Service vulnerability ( dev-python/mod_python )
200401-04 [U] GAIM 0.75 Remote overflows ( net-im/gaim )
200403-01 [U] Libxml2 URI Parsing Buffer Overflow Vulnerabilities ( dev-libs/libxml2 )
200403-02 [U] Linux kernel do_mremap local privilege escalation vulnerability ( sys-kernel/alpha-sources sys-kernel/ck-sources sys-kernel/hppa-sources ... )
200403-03 [U] Multiple OpenSSL Vulnerabilities ( dev-libs/openssl )
200402-01 [U] PHP setting leaks from .htaccess files on virtual hosts ( dev-php/mod_php )
200402-02 [N] XFree86 Font Information File Buffer Overflow ( x11-base/xfree )
200402-03 [U] Monkeyd Denial of Service vulnerability ( net-www/monkeyd )
200402-04 [U] Gallery 1.4.1 and below remote exploit vulnerability ( app-misc/gallery )
200402-05 [U] phpMyAdmin < 2.5.6-rc1: possible attack against export.php ( dev-db/phpmyadmin )
200402-06 [U] Updated kernel packages fix the AMD64 ptrace vulnerability ( sys-kernel/gentoo-test-sources sys-kernel/gs-sources sys-kernel/gentoo-sources ... )
200402-07 [U] Clam Antivirus DoS vulnerability ( net-mail/clamav )
200312-07 [U] Two buffer overflows in lftp ( net-ftp/lftp )

When looking at the legend at the top of the output, we can see that most glsa returned do not apply to the system. That makes it more difficult to spot a real "glsa" missing on the system.

Expected Results:
A more simplified and specific list of applicable glsa like this one:

[N] indicates that the system might be affected.

200402-02 [N] XFree86 Font Information File Buffer Overflow ( x11-base/xfree )

Portage 2.0.50-r1 (default-x86-2004.0, gcc-3.3.3, glibc-2.3.3_pre20040207-r0, 2.6.4-gentoo-r1)
=================================================================
System uname: 2.6.4-gentoo-r1 i686 Intel(R) Pentium(R) 4 CPU 2.40GHz
Gentoo Base System version 1.4.3.13p1
Autoconf: sys-devel/autoconf-2.59-r3
Automake: sys-devel/automake-1.8.2
ACCEPT_KEYWORDS="x86 ~x86"
AUTOCLEAN="yes"
CFLAGS="-O2 -march=pentium4 -funroll-loops -fprefetch-loop-arrays -fomit-frame-pointer -pipe"
CHOST="i686-pc-linux-gnu"
COMPILER="gcc3"
CONFIG_PROTECT="/etc /usr/X11R6/lib/X11/xkb /usr/kde/2/share/config /usr/kde/3/share/config /usr/lib/mozilla/defaults/pref /usr/share/config /usr/share/texmf/dvipdfm/config/ /usr/share/texmf/dvips/config/ /usr/share/texmf/tex/generic/config/ /usr/share/texmf/tex/platex/config/ /usr/share/texmf/xdvi/ /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-O2 -march=pentium4 -funroll-loops -fprefetch-loop-arrays -fomit-frame-pointer -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoaddcvs ccache sandbox"
GENTOO_MIRRORS="http://distro.ibiblio.org/pub/linux/distributions/gentoo/ ftp://ftp.gtlib.cc.gatech.edu/pub/gentoo"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X X509 acpi alsa amd autofs avi berkdb bidi bluetooth cdr cjk crypt cups dga doc dv dvb dvd encode esd ethereal faad fam fbcon flac flash gif gimpprint glade gmtfull gnome gnomedb gphoto2 gpm gtk gtk2 gtkhtml imagemagick imlib input_devices_synaptics ipv6 java javascript jpeg mad mikmod mldonkeypango mmx motif mozilla mpeg mpeg4 ncurses nls nptl offensive oggvorbis opengl oss pam pcmcia pda pdflib perl pic pie png pnp python quicktime radeon readline sdl slang spell sse ssl svg svga tcltk tcpd tetex threads tiff truetype trusted type1 unicode usb video_cards_radeon videos wmf x86 xinerama xml2 xmms xv zlib"
--list is exactly that: listing GLSAs. What you want is --test. The behavior of --list is useful if you want to see what GLSAs are available, as maybe you read them on another computer than the one you want to update later.
Unfortunately, glsa-check -t all only gives the identifiers for the glsas that are relevant. Seeing a date and a serial number does not easily allow the user to judge if it is something that requires attention. One would like to have a verbose option that does what -t does, but also prints the summary of each of the glsas.
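An added example, not part of the bug thread and not gentoolkit code: a small Python filter over the list layout quoted in the report that keeps only [N] entries and attaches a summary to bare GLSA ids such as those printed by -t all. The sample input is constructed from lines in the report, the function names are hypothetical, and ids are assumed to have the NNNNNN-NN form shown above.

```python
import re
from typing import NamedTuple

class Glsa(NamedTuple):
    glsa_id: str
    status: str        # "A" applied, "U" unaffected, "N" might be affected
    title: str
    packages: list
    truncated: bool    # package list was cut short with "..."

# id, [status], title, then "( pkg pkg ... )"; DOTALL tolerates wrapped entries.
ENTRY = re.compile(
    r"(\d{6}-\d{2})\s+\[([AUN])\]\s+(.*?)\s+\(\s+(.*?)\s+\)", re.DOTALL)
GLSA_ID = re.compile(r"\b\d{6}-\d{2}\b")

def parse_glsa_list(text):
    """Parse list output; legend lines carry no id and are skipped."""
    entries = []
    for gid, status, title, pkgs in ENTRY.findall(text):
        names = pkgs.split()
        truncated = bool(names) and names[-1] == "..."
        if truncated:
            names.pop()
        entries.append(Glsa(gid, status, " ".join(title.split()), names, truncated))
    return entries

def only_status(entries, status="N"):
    return [e for e in entries if e.status == status]

def annotate_ids(id_text, entries):
    """Attach a summary to each bare id (assumed form of the -t output)."""
    by_id = {e.glsa_id: e.title for e in entries}
    return [(gid, by_id.get(gid, "(not in list output)"))
            for gid in GLSA_ID.findall(id_text)]

# Constructed sample, built from lines quoted in the report.
SAMPLE = """\
[U] means the system is not affected and
[N] indicates that the system might be affected.
200401-01 [U] Linux kernel do_mremap() local privilege escalation vulnerability ( sys-kernel/alpha-sources sys-kernel/ck-sources sys-kernel/hppa-sources ... )
200402-02 [N] XFree86 Font Information File Buffer Overflow ( x11-base/xfree )
200402-06 [U] Updated kernel packages fix the AMD64 ptrace vulnerability ( sys-kernel/gentoo-test-sources
    sys-kernel/gs-sources sys-kernel/gentoo-sources ... )
"""

if __name__ == "__main__":
    entries = parse_glsa_list(SAMPLE)
    for e in only_status(entries):
        print(e.glsa_id, f"[{e.status}]", e.title, "(", " ".join(e.packages), ")")
    print(annotate_ids("200402-02\n", entries))
```

A truncated package list ("...") is flagged rather than treated as complete, so an entry marked [U] or [N] is never matched against a partial package set.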
This would have to change if you want to match comment 1:

<snip>
-l --list : list all unapplied GLSA
</snip>

"list all GLSA" would be more appropriate imho. I'd propose some changes to the default output anyway:

<snip>
Syntax: glsa-check <option> [glsa-id...|all|new]

-l --list    : list all GLSA
-d --dump    : show information of all GLSA
   --print
-t --test    : test if this system is affected by GLSA
-p --pretend : show the necessary commands to apply GLSA
-f --fix     : try to auto-apply GLSA (experimental)
-i --inject  : inject GLSA into the checkfile
-h --help    : show this help message
-v --version : some information about this tool

glsa-list can contain an arbitrary number of GLSA ids, filenames containing GLSAs or the special identifiers 'all' and 'new'
</snip>