In app-portage/gentoolkit-0.2.1, glsa-check has the following permissions:

-rwxr-xr-x 1 root root 8,9K 25. Jan 03:43 /usr/bin/glsa-check

This is a Bad Thing because any unprivileged user can get information very fast about exploitable security holes on the system.

Proposed solution: glsa-check should have permissions set to something like this:

-rwxr-x--- 1 root portage 8,9K 25. Jan 03:43 /usr/bin/glsa-check
Removing the executable bit from glsa-check in no way prevents normal users from obtaining the same information. A user can still copy his/her own copy of glsa-check to the box or simply look at the vdb. glsa-check is also intended to be run from non-root cron job scripts. As the user, you have the option to remove the executable bits on your own /var/db/pkg/*, but that is not a change we will make to portage or glsa-check. Sorry, closing as WONTFIX. Have a good day.
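The reply's point, as an added example that is not Gentoo's or gentoolkit's own code: the installed-package list glsa-check works from is just the directory names under the vdb (/var/db/pkg), so anyone who can read that tree gets the same information without /usr/bin/glsa-check, and the only permission that matters is the one on the vdb itself. The package tree below is constructed sample data in a temp directory; apart from gentoolkit-0.2.1, the versions are made up.

```shell
#!/bin/sh
# Added example, not Gentoo's code. Enumerates "installed packages" from a
# vdb-style tree and shows the admin-side mitigation mentioned in the reply
# (dropping o+rx from /var/db/pkg/*). The tree is constructed sample data.

# Print category/name-version for every package directory in a vdb root.
# Real layout: /var/db/pkg/<category>/<name>-<version>/ (one dir per package).
installed_pkgs() {
    vdb="$1"
    for d in "$vdb"/*/*/; do
        [ -d "$d" ] || continue          # no match: glob stayed literal
        d="${d%/}"
        printf '%s/%s\n' "$(basename "$(dirname "$d")")" "$(basename "$d")"
    done | sort
}

# Count package directories that "others" can read and search (mode o+rx),
# i.e. what an unprivileged user could enumerate with ls or a private copy
# of glsa-check.
world_readable_count() {
    find "$1" -mindepth 2 -maxdepth 2 -type d -perm -005 | wc -l | tr -d ' '
}

# The mitigation left to the admin: remove o+rx from the category and package
# directories. Root-owned tools (emerge, a root cron job running glsa-check)
# are unaffected; unprivileged readers lose the listing.
harden_vdb() {
    chmod o-rx "$1"/*/* "$1"/*
}

# Constructed vdb standing in for /var/db/pkg (versions other than
# gentoolkit-0.2.1 are made up for the example).
VDB="$(mktemp -d)"
trap 'rm -rf "$VDB"' EXIT
for p in app-portage/gentoolkit-0.2.1 sys-apps/portage-2.1.2 sys-libs/zlib-1.2.3; do
    mkdir -p "$VDB/$p"
    chmod 755 "$VDB/$p" "$VDB/${p%/*}"   # mimic the default world-readable vdb
done

echo "packages readable from the vdb without glsa-check:"
installed_pkgs "$VDB"
echo "world-readable package dirs before hardening: $(world_readable_count "$VDB")"
harden_vdb "$VDB"
echo "world-readable package dirs after hardening:  $(world_readable_count "$VDB")"
```

Run as a regular user it needs nothing but read and search permission on the tree, which is exactly the reply's argument: the executable bit on glsa-check protects nothing, while `chmod o-rx /var/db/pkg/*` (as the owner, root) does, at the cost of breaking any non-root cron job that runs glsa-check.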