Re: Arch Linux security is still poor....




On 16/03/10 08:42, Magnus Therning wrote:
On 15/03/10 22:34, Xavier Chantry wrote:
On Mon, Mar 15, 2010 at 11:18 PM, Magnus Therning<magnus@xxxxxxxxxxxx>  wrote:
After a quick look at it I don't see much that would apply though.  Arch
doesn't have releases.  Arch follows upstream releases very closely (in some
cases even too closely ;-)

So, if there is no need for backporting to a set of packages that has been
blessed into a supported release, what is left to do for a dedicated security
team?


1) what Allan said:
A group could monitor security issues and file bugs to get the devs to
fix them.

Is there any evidence that this is actually needed?

My impression is that maintainers already are monitoring upstream releases.
When they are lagging, there are users who mark things out-of-date.  The
occasional non-maintainer upload doesn't seem to warrant a dedicated team.

A bump for something being out of date is quite different from a bump for something being out of date and having security issues.

I also know that there are cases where the security issue fixes are not considered critical by upstream and so they are only patched in CVS/SVN/whatever. These are obviously cases where the exploit is not practical at this time, so there is no rush to fix but we probably still should.

But again, I would like to see numbers for how much this is actually an issue. Saying that, if the number is above zero (likely), a security team could do some good.

Allan

