Re: Maintaining kernel source in sarge



On Sun, May 25, 2003 at 04:09:51PM +1000, Russell Coker wrote:

> On Sun, 25 May 2003 15:11, Matt Zimmerman wrote:
> > This approach does not scale.  I cannot personally review the diffs for
> > every upstream release of all the software in Debian, nor can any other
> > individual or even a small group.
> 
> It does not scale to all software in Debian.  But most software does not
> need much in the way of security auditing.

Any software that a user interacts with is trusted to some extent, and could
contain significant vulnerabilities.  We rely on external sources for this
information, such as upstream authors, individual security researchers and
organizations.

> A small group of people could review all kernel patches that make it into
> the official tree.  Of course getting even a small group of people who
> have the skill to do such work properly and the time to do it continually
> may not be easy.

Indeed, it would be even more difficult to find people who would be willing
to waste time searching for things that others discarded, apparently knowing
that they were important.  I certainly don't want that job.

-- 
 - mdz