On 06/22/10 19:49, Allan McRae wrote:
Also, as established earlier in the thread, some of our packages have patches for security issues that are a couple of years old because upstream has not made a new release. So the whole "it will probably be fixed by upstream in less than a week and a point release made" is just naive.
On 06/22/10 15:21, C Anthony Risinger wrote:
i just am having a hard time believing that you are not only going to track down holes, but have the competence to properly fix them, for all the reasons i've already specified.
Part of the situation is, lots of upstreams don't have security competence either -- especially volunteer-run projects, but I bet some commercial undertakings don't either. So they don't make point releases as soon as an important security issue is discovered; or they make a patch but the patch is incorrect (often established distros have, in some ways, a better sense of how to patch a security flaw than an individual upstream, because the distros see a lot of security flaws -- like buffer overruns, etc.).
It's clear that spreading more information more quickly about security issues sounds productive (as long as the information is as correct as can be, which a volunteer team may be able to have some fair amount of competence at, I'm guessing).
-Isaac