[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Why back-porting patches to stable instead of releasing a new package.

On Sat, Aug 16, 2003 at 12:45:14AM -0400, Andrew Pimlott wrote:

> On Wed, Jul 23, 2003 at 09:10:01AM -0400, Matt Zimmerman wrote:
> > - Security advisories and the associated packages should fix security
> >   vulnerabilities and nothing else.
> 
> Have you perhaps seen
> 
>     http://lwn.net/Articles/44117/

"Subscription required"

(in other words, no)

> ?  I think it's a fairly convincing critique of this policy.  I'm sure
> there are many security holes in woody that are fixed in the latest stable
> upstream release.[1]  Debian's policy assures that all well-publicized
> bugs get patched, but that doesn't mean that others don't slip through the
> cracks.

As compared to what policy, exactly?  There exists no policy which can
defend against unknown bugs.  Period.

> A capable cracker targeting a Debian stable system has a simple algorithm:
> browse upstream changelogs for closed holes that weren't publicized.

Show me a distribution where that _doesn't_ apply.  This is the reality of
security.  If you can't afford to audit everything, you rely on others to
own up to their bugs.

> [1] Actually, I know of one about which I am communicating with the
> maintainer.

...but not the security team, apparently.

-- 
 - mdz
Reply to: