Re: php vulnerabilities
On Tue, 28.12.2004, 02:24, Michael Stone wrote:
> On Thu, Dec 23, 2004 at 05:16:39PM +0100, Florian Weimer wrote:
>>However, most of our packages haven't got test suites, and our
>>dependency graph is certainly more convoluted than Red Hat's. For
>>example, Red Hat probably has only a handful packages which depend on
>>PHP. How do we make sure that the upgrade does not break any of the
>>PHP-based packages we ship?
> Good question. The question that needs answering is whether we are
> happier having secure, broken systems than insecure systems that
> otherwise work. As soon as you start changing things you risk breaking
> something, and we don't really have (IMO) a good line drawn.
>>My current idea is to borrow an idea from Microsoft: Create a Patch
> That might be a possibility--an unstable/testing model for the security
I think we would need a new distribution, e.g. 'sec-stable', for testing
new security patches. So someone would be able to choose between
'more stable but less secure' and
'less stable but more secure'.