Just comments to Joseph in here, the rest is in another mail. Previously Joseph Carter wrote: > This shows their development strategy is build it first and fast, then > secure it. This is bad and I can't safely rely on that sort of > development to be secure. Our big advantage is that our userbase is seems more educated and/or vocal in this respect. Most of the times we get our security alerts from others (bugtraq, bugreports, etc.). Also since a lot of people use our unstable tree these problems tend to get fixed before a release is made. But we still have our problems and fiascos in this respect (think netenv and fte). So far we have caught the really big ones before a release, but since Debian continues to grow and the Security Team can't audit each package this can change in the future. > In an open security model, the best way to get a problem fixed is to make > the problem well known. I have never seen RH keeping something secret. In fact as far as I know all security problems are fixed in an open way, and the different Linux vendors share security information and discuss possible problems quite frequently. > Obviously, I wish they would adopt a more open development model which has > the system as secure as it can be throughout their development. They are doing that now by making frequent snapshot releases available, something like our unstable tree. > > How can we work better with them? [.. snip snip ..] > I also believe we could and should work with Redhat with big projects > such as a sane installation and configuration for X. So far it seems all distributions stick to their own installation procedures and very little cross-fertilizing is being done. Funnily enough I heard Erik Troan say during SANE that RH is going to work on their own configuration management system, and I've mailed him a while ago to see if we can work together on aspects of this (I've yet to hear anything from him). That might be a nice testcase to see if we can work together on other projects in the future. Please note that we have to be very carefull in common projects not to loose sight of our own needs: reducing work is fine, but we should not end up with a result that is less then optimal. Wichert. -- ============================================================================== This combination of bytes forms a message written to you by Wichert Akkerman. E-Mail: wakkerma@cs.leidenuniv.nl WWW: http://www.wi.leidenuniv.nl/~wichert/
Attachment:
pgp4YmzVHAFvr.pgp
Description: PGP signature