
Re: Mitigating the problem of limited security support



On Sun, May 28, 2017 at 09:32:23PM -0400, Jeremy Bicha wrote:
> > The good news is that the first kind of problems are detected and
> > fixed immediately, so waiting a couple of weeks before uploading
> > the releases to debian-security could be an option (is that what
> > Ubuntu does?).
> 
> For the past 9 months, the development version of Ubuntu tests the
> beta versions of the new major webkit2gtk release (for instance
> Zesty tested the 2.15.90 releases). This has been useful in catching
> regressions before they ever hit a stable webkit2gtk release.
> 
> If a webkit2gtk release fixes publicized CVEs, the release is now
> pushed as a security update into Ubuntu Stable Releases fairly
> quickly.

The problem is that point releases with fixes for CVEs can also
introduce regressions (#855103, introduced in 2.14.4). That one was
fixed quickly, though, but that's why I was asking.

Berto

