Re: php vulnerabilities
* Michael Stone:
> On Wed, Dec 22, 2004 at 03:03:29PM +0100, Florian Weimer wrote:
>>My best guess is that things are fine until Debian is the last guy
>>left in town, and no one else (upstream, other vendors) support the
>>version in stable. Is this correct?
> Eh, and the other point I forgot to include is that other distributions
> aren't shy about just releasing a new version rather than backporting if
> the fix is non-trivial.
I think such a policy makes sense. Actually, I don't think we have
much choice. 8-/
However, most of our packages haven't got test suites, and our
dependency graph is certainly more convoluted than Red Hat's. For
example, Red Hat probably has only a handful of packages which depend on
PHP. How do we make sure that the upgrade does not break any of the
PHP-based packages we ship?
My current idea is to borrow an idea from Microsoft: Create a Patch
Validation Program. Under this program, you get access to security
fixes before the official release, and you can test if your
applications break. Of course, Microsoft requires NDAs because they
actually give you binaries a week or so before the regular patch day.
Debian wouldn't be able to do this, so patch validation could begin
only after the issue has been disclosed. We could use a separate
public archive, and after some soaking period, the new packages could
be officially released on security.debian.org.
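As an added illustration of the reverse-dependency question raised above (this is not code from the thread, from Florian, or from Debian's own tooling): before a rebuilt PHP goes into a validation archive, one wants the full list of packages that can break, i.e. the transitive reverse dependencies of the PHP package, ordered so the direct dependents are tested first. The script below computes that from a Packages index. The stanzas, package names and versions in it are constructed sample data for the example; on a real mirror the same information is in dists/<suite>/main/binary-<arch>/Packages (and `apt-cache rdepends` gives the direct layer only). It deliberately counts every alternative of an "a | b" clause as an edge, because an installed system may have picked either one.

```python
"""Transitive reverse dependencies of a package, from Debian Packages stanzas.

Added example, not code from the mailing-list thread. Input is the
Packages index format (blank-line-separated RFC822-style stanzas).
SAMPLE_PACKAGES below is constructed test data; php4 is assumed to be
the package name whose update is being validated.
"""
import re
from collections import defaultdict, deque

# Constructed sample index (field subset). Not a real archive snapshot.
SAMPLE_PACKAGES = """\
Package: php4
Version: 4:4.3.10-1
Depends: libc6 (>= 2.3.2), zlib1g

Package: php4-cgi
Version: 4:4.3.10-1
Depends: libc6 (>= 2.3.2), zlib1g

Package: php4-mysql
Version: 4:4.3.10-1
Depends: php4 (= 4:4.3.10-1), libmysqlclient12

Package: phpmyadmin
Version: 2.6.0-1
Depends: php4 | php4-cgi, php4-mysql, apache | apache2 | httpd

Package: squirrelmail
Version: 1.4.3a-1
Depends: php4-cgi | php4, apache | httpd

Package: squirrelmail-plugin-foo
Version: 1.0-1
Pre-Depends: squirrelmail

Package: apache
Version: 1.3.33-1
Depends: libc6 (>= 2.3.2)
"""

# Relationship fields that make an upgrade able to break the dependent.
DEP_FIELDS = ("Depends", "Pre-Depends")
# A package name: lowercase alnum start, then alnum/+/./-; stops before
# " (>= ...)" version constraints and " [arch]" qualifiers.
_NAME = re.compile(r"[a-z0-9][a-z0-9+.\-]*")


def parse_stanzas(text):
    """Yield one {field: value} dict per blank-line-separated stanza."""
    stanza, last = {}, None
    for line in text.splitlines():
        if not line.strip():
            if stanza:
                yield stanza
            stanza, last = {}, None
        elif line[0] in " \t" and last:
            stanza[last] += " " + line.strip()  # folded continuation line
        else:
            field, _, value = line.partition(":")
            last = field.strip()
            stanza[last] = value.strip()
    if stanza:
        yield stanza


def dependency_names(field_value):
    """'php4 (= 4:4.3.10-1) | php4-cgi, apache [i386]' -> {php4, php4-cgi, apache}.

    Every alternative in an 'a | b' clause is kept: either may be installed.
    """
    names = set()
    for clause in field_value.split(","):
        for alt in clause.split("|"):
            m = _NAME.match(alt.strip())
            if m:
                names.add(m.group(0))
    return names


def reverse_dependency_graph(text):
    """Map each package name to the set of packages that depend on it."""
    rdeps = defaultdict(set)
    for st in parse_stanzas(text):
        for field in DEP_FIELDS:
            for dep in dependency_names(st.get(field, "")):
                rdeps[dep].add(st["Package"])
    return rdeps


def affected_packages(text, root):
    """Breadth-first closure of reverse dependencies of `root`.

    Returns {package: distance}; distance 1 = depends on root directly.
    The root itself is not included.
    """
    rdeps = reverse_dependency_graph(text)
    depth = {}
    queue = deque([(root, 0)])
    while queue:
        pkg, d = queue.popleft()
        for dependent in rdeps.get(pkg, ()):
            if dependent not in depth:
                depth[dependent] = d + 1
                queue.append((dependent, d + 1))
    return depth


if __name__ == "__main__":
    # Test order for a validation run: nearest dependents first.
    result = affected_packages(SAMPLE_PACKAGES, "php4")
    for pkg, d in sorted(result.items(), key=lambda kv: (kv[1], kv[0])):
        print(f"{'  ' * (d - 1)}{pkg}  (distance {d})")
```

Note that php4-cgi does not appear in the result: it is a sibling build of the same source, not a dependent, so a rebuilt php4 binary cannot break it through the dependency graph, although it would of course be rebuilt from the same patched source anyway.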