Re: Why back-porting patches to stable instead of releasing a new package.
On Sat, Aug 16, 2003 at 12:45:14AM -0400, Andrew Pimlott wrote:
> On Wed, Jul 23, 2003 at 09:10:01AM -0400, Matt Zimmerman wrote:
> > - Security advisories and the associated packages should fix security
> > vulnerabilities and nothing else.
>
> Have you perhaps seen
>
> http://lwn.net/Articles/44117/
"Subscription required"
(in other words, no)
> ? I think it's a fairly convincing critique of this policy. I'm sure
> there are many security holes in woody that are fixed in the latest stable
> upstream release.[1] Debian's policy assures that all well-publicized
> bugs get patched, but that doesn't mean that others don't slip through the
> cracks.
As compared to what policy, exactly? There exists no policy which can
defend against unknown bugs. Period.
> A capable cracker targeting a Debian stable system has a simple algorithm:
> browse upstream changelogs for closed holes that weren't publicized.
Show me a distribution where that _doesn't_ apply. This is the reality of
security. If you can't afford to audit everything, you rely on others to
own up to their bugs.
> [1] Actually, I know of one about which I am communicating with the
> maintainer.
...but not the security team, apparently.
--
- mdz