Re: php vulnerabilities

On Thu, Dec 23, 2004 at 05:16:39PM +0100, Florian Weimer wrote:
> However, most of our packages haven't got test suites, and our
> dependency graph is certainly more convoluted than Red Hat's.  For
> example, Red Hat probably has only a handful packages which depend on
> PHP.  How do we make sure that the upgrade does not break any of the
> PHP-based packages we ship?

Good question. The question that needs answering is whether we are
happier having secure, broken systems than insecure systems that
otherwise work. As soon as you start changing things you risk breaking
something, and we don't really have (IMO) a good line drawn.

> My current idea is to borrow an idea from Microsoft: Create a Patch
> Validation Program.

That might be a possibility--an unstable/testing model for the security

Mike Stone

