
Re: php vulnerabilities



On Tue, 28.12.2004, 02:24, Michael Stone wrote:
> On Thu, Dec 23, 2004 at 05:16:39PM +0100, Florian Weimer wrote:
>>However, most of our packages haven't got test suites, and our
>>dependency graph is certainly more convoluted than Red Hat's.  For
>>example, Red Hat probably has only a handful packages which depend on
>>PHP.  How do we make sure that the upgrade does not break any of the
>>PHP-based packages we ship?
>
> Good question. The question that needs answering is whether we are
> happier having secure, broken systems than insecure systems that
> otherwise work. As soon as you start changing things you risk breaking
> something, and we don't really have (IMO) a good line drawn.
>
>>My current idea is to borrow an idea from Microsoft: Create a Patch
>>Validation Program.
>
> That might be a possibility--an unstable/testing model for the security
> archive.

I think we would need a new distribution, e.g. 'sec-stable', for testing
new security patches. So someone would be able to choose between
'more stable but less secure'
or
'less stable but more secure'.

Christian


