
Re: [security] What's being done?



Daniel Stone wrote:
> Considering that an upload hasn't been made to rectify this root hole,
> why hasn't something else been done about it - regular or security NMU?
> One would think that this is definitely serious.
> 
> Oh and BTW, Slackware released an update today. Without trolling, I can
> say that I was honestly surprised to note that Debian, a distro with
> ~850 developers and a dedicated security team, is behind Slackware on
> security issues.

Glibc always is a difficult problem.

 1. It takes ages to build packages and they need to be built on
    currently six architectures (11 when woody is out).

 2. Glibc is the most important package.  If something in the security
    update causes glibc to fail, imagine what will happen to all those
    systems that just have updated their glibc due to a security
    upload.  Even if they should manage to get their system working
    again, it will take us *days* to provide fixed packages.

 3. Glibc is a beast that not many people want to deal with.  All
    glibc problems I know of have been dealt with by the Security Team
    *together* with the glibc maintainer.  Both parties are busy
    people as well.

 4. Supporting one or two architectures is way easier than supporting
    six architectures.

 5. Because of that, we have to be extraordinarily careful.  This takes
    time.

Sorry for the inconvenience.  We are doing what we can.  Providing
patches and test reports is always welcome, but advisories for the
kernel and glibc will probably continue to take more time than usual.

Regards,

	Joey

-- 
It's practically impossible to look at a penguin and feel angry.

Please always Cc to me when replying to me on the lists.


