On Thu, Oct 27, 2011 at 1:28 AM, Ian Jackson
> The difficulty is that if we end up with ten different versions of
> vulnerability we need to somehow backport the patch to each of those
> ten versions.
> And here "we" means the security team, not the people who uploaded the
> ten versions in the first place.
> So this is rather unpalatable.
What's the alternative?
It seems that we only have two choices:
(what we have been doing until now, which results in some packages not
manifest only in some situations in runtime). This is essentially what
we do with C, C++, etc. libraries, btw: the whole of Debian is built
against the same zlib, same glibc, same libpng, etc.
- Each package works with the upstream-bundled version of the
security fixes). The advantage being we are sure the application works
as expected because it has been tested by upstream.
I'm not sure what's worse: a malfunctioning application or an insecure one.
Zygmunt's proposal of adding unit testing, etc. to upstream is a noble
one but highly unrealistic, IMHO.
Pau Garcia i Quiles
(Due to my workload, I may need 10 days to answer)