
Re: php vulnerabilities



On Thu, Dec 23, 2004 at 10:26:34PM +0100, Christian Storch wrote:
> On Do, 23.12.2004, 21:16, Florian Weimer wrote:
> > * Jan Minar:
> >
> >> On Thu, Dec 23, 2004 at 05:16:39PM +0100, Florian Weimer wrote:
> >>> My current idea is to borrow an idea from Microsoft: Create a Patch
> >>> Validation Program.  Under this program, you get access to security
> >>> fixes before the official release, and you can test if your
> >>> applications break.  Of course, Microsoft requires NDAs because they
> >>> actually give you binaries a week or so before the regular patch day.
> >>> Debian wouldn't be able to do this, so patch validation could begin
> >>> only after the issue has been disclosed.  We could use a separate
> >>> public archive, and after some soaking period, the new packages could
> >>> be officially released on security.debian.org.
> >>
> >> I think You are reinventing apt-listbugs ;-)
> >
> > apt-listbugs only helps if someone else has already burned his
> > fingers, *and* has filed a bug report with the proper severity and
> > tags.

You can tell it to install only packages that have been in the archive
no less than some arbitrary period of time (or maybe not and it could be
written; I don't use apt-bug).

> > IOW, the soaking period is required.
> 
> And what is Debian 'unstable' now?

Security updates don't go through unstable.  There are lots of revised
updates.

Cheers,
-- 
 )^o-o^|    jabber: rdancer@NJS.NetLab.Cz
 | .v  K    e-mail: jjminar FastMail FM
 `  - .'     phone: +44(0)7981 738 696
  \ __/Jan     icq: 345 355 493
 __|o|__Minář  irc: rdancer@IRC.FreeNode.Net
