[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: [security] What's being done?

Daniel Stone wrote:
> Considering that an upload hasn't been made to rectify this root hole,
> why hasn't something else been done about it - regular or security NMU?
> One would think that this is definitely serious.
> Oh and BTW, Slackware released an update today. Without trolling, I can
> say that I was honestly surprised to note that Debian, a distro with
> ~850 developers and a dedicated security team, is behind Slackware on
> security issues.

Glibc always is a difficult problem.

 1. It takes ages to build packages and they need to be build on
    currently six architectures (11 when woody is out).

 2. Glibc is the most important package.  If something in the security
    update causes glibc to fail, imagine what will happen to all those
    systems that just have updated their glibc due to a security
    upload.  Even if they should manage to get their system working
    again, it will take use *days* to provide fixed packages.

 3. Glibc is a beast that not many people want to deal with.  All
    glibc problems I know of have been dealt by the Security Team
    *together* with the glibc maintainer.  Both parties are busy
    people as well.

 4. Supporting one or two architectures is way easier than supporting
    six architectures.

 5. Because of that, we have to be extraordinary careful.  This takes

Sorry for the inconvenience.  We are doing what we can.  Providing
patches and test reports are always welcome, but advisories for the
kernel and glibc will probably continue to take more time than usual.



It's practically impossible to look at a penguin and feel angry.

Please always Cc to me when replying to me on the lists.

Reply to: