
Re: Bits (Nybbles?) from the Vancouver release team meeting
Hi, Matthew Palmer wrote:

>> However, I consider an update whose $ARCH binaries are released a week
>> later not to be a problem. 
> 
> I think a lot of users would consider it a problem.  Imagine, would you be
> happy with a highly visible public announcement of every vulnerability
> against your servers, a week before you got the fix?

My observation of high-risk security bugs says that more often than not
there's a release date affixed to the things, which means that the porters
do have time to prepare the fix even on slow architectures.

Besides, on obscure/slow architectures, the standard script kiddie attacks
won't work. An attacker thus needs to spend time with an unfamiliar (and
slow) architecture in order to recreate the attack there. That gives us
additional time.

Don't get me wrong, I'd love to have eternal security support for m68k
(or whatever compiles the kernel most slowly), but if I don't get that
choice, given "late" or "never" I'll happily take the former.

-- 
Matthias Urlichs   |   {M:U} IT Design @ m-u-it.de   |  smurf@smurf.noris.de
