On 23/06/10 05:21, C Anthony Risinger wrote:
> example: SSH 0-day exploit is released. bang! you crack out your
> interim PKGBUILD and crack a beer because you're safe right? whoops,
> because this is a production machine (from a message a couple hours
> ago):
> On Tue, Jun 22, 2010 at 10:23 AM, Sergey Manucharian
> <ingeniware@xxxxxxxxx> wrote:
> > ..........
> > Everything works fine, but I'm doing updates only once in 2-3 months.
> > ..........
> what?? so i have to also upgrade lib XYZ to get this to work? wait,
> let's just backport to version X... damn! Sandy Squirrel updated a
> month ago, so she's running version Y...
> do you see where i'm headed here? are you going to provide fixes for
> every possible package update that occurred in the last 6 months?
> let's say you're crazy and you auto update your production machines...
> now you're pulling in a _reactionary_ fix that if appropriate will
> probably be in upstream in less than a week, and they'll have a
> security related point-release to address it properly.
What a load of crap... Arch developers only support packages that are
currently in the repo. Why would the security team do anything else? If
a person is not prepared to update their system regularly, or at least
when there is a known security issue in the out-of-date packages they
are using, then they should be using a different distribution that makes
stable snapshot releases.
Also, as established earlier in the thread, some of our packages have
patches for security issues that are a couple of years old because
upstream has not made a new release. So the whole "probably be fixed by
upstream in less than a week and a point release made" is just naive.
Finally, this is not going to change the way development works around
here. We would still be patching the software for the security bugs. It
will just save the developers more time assessing bugs as all the
necessary information/links will be provided for us in one spot.
Allan