
Re: Why back-porting patches to stable instead of releasing a new package.



Andrew Pimlott wrote:
> On Wed, Jul 23, 2003 at 09:10:01AM -0400, Matt Zimmerman wrote:
> 
>>- Security advisories and the associated packages should fix security
>>  vulnerabilities and nothing else.
> Have you perhaps seen
...
> ?  I think it's a fairly convincing critique of this policy.  I'm
Chances are I never will, because I'm not going to subscribe anytime soon. You
could at least allude to the major points you find that convincing.

> sure there are many security holes in woody that are fixed in the
> latest stable upstream release.[1]  Debian's policy assures that all
> well-publicized bugs get patched, but that doesn't mean that others
> don't slip through the cracks.  A capable cracker targeting a Debian
> stable system has a simple algorithm: browse upstream changelogs for
> closed holes that weren't publicized.
Responsible Upstreams will publicize security holes, especially the easily
exploitable ones. If it's in the Changelog, it would be the Debian package
maintainer's task to find it and see that it gets a security fix.
Also, random updates to new upstream versions will break all kinds of
(rightfully) expected behavior, which would be worse than the occasional
security bug: If you believe otherwise, just type halt and you're safe from any
security hole at the expense of minor inconvenience.

> [1] Actually, I know of one about which I am communicating with the
> maintainer.
That's a fairly unconvincing empirical basis.

Cheers

T.
