Re: bitcoind: 0.3.24~dfsg-1~bpo60+1 policy on backports?
On Sunday, July 22, 2012 10:27:21 PM Mike Mestnik wrote:
> It seams as though packaging this may have been premature as the
> software is still in development and Debian would continually have an
> outdated version.
Beginning with 0.4, I have been maintaining stable branches with only
bugfixes. Currently, that is 0.4.x, 0.5.x, 0.6.0.x, and 0.6.x.
If Debian were using one of these, staying secure would be simple.
FWIW, 0.3.24 is very close to 0.4.x.
The only major addition to 0.4.x was wallet encryption/security.
> What say us about providing security support? It seams that some of the
> fixes needed are being kept a secret, though I'm not sure if our source
> packages would get the kind of attention that at this point would be
> undesirable... Who reads debian/patch files anyway, right?
The fixes themselves are part of the public git, but information on which
commits fix the major security vulnerabilities (at least, the recent ones that
are easily exploited) are delayed (along with the details on the
vulnerability) until a significant portion of the network has upgraded to
secure versions. Currently, CVE-2012-2459 and CVE-2012-3789 are non-disclosed.
All of these are of course included in the stable branches also.