On Thu, May 15, 2003 at 11:13:59AM +0200, Sven Luther wrote:
> On Thu, May 15, 2003 at 09:03:06PM +1000, Anthony Towns wrote:
> > On Thu, May 15, 2003 at 08:09:48AM +0200, Sven Luther wrote:
> > > On Thu, May 15, 2003 at 01:13:19PM +1000, Anthony Towns wrote:
> > > > On Wed, May 14, 2003 at 07:12:15PM -0400, Joey Hess wrote:
> > > > > Take the harden package, or create something similar: a package that
> > > > > conflicts with all versions of packages with known security holes.
> > > > Why not just /fix/ the holes? Is uploading a package with a well known
> > > > patch _really_ that hard?
> > > The fact is, we don't have a security architecture, or even autobuilders
> > > for testing,
> > Uh, actually, we have both these things. We've had them for almost a year
> > now, although they haven't been used.
> So, the infrastructure is there, but not turned on?

No, it's sitting there, waiting for someone to use it. After a year's
neglect it might need some metaphorical oil on its hinges and some
dusting, but it really is there. I'm not just saying this for rhetorical
value.

Cheers,
aj

--
Anthony Towns <email@example.com> <http://azure.humbug.org.au/~aj/>
I don't speak for anyone save myself. GPG signed mail preferred.

``Dear Anthony Towns: [...] Congratulations -- you are now certified as
a Red Hat Certified Engineer!''