On 7 Oct 2009, Lennart Poettering said:

> Security updates are the job of distributions. If we encounter a
> security issue I contact the packagers I know and tell them which
> patch to backport.

The problem here is that you cannot know everyone on earth who pulls down PA and builds it, nor can you know why people might need to do so (so 'use your distributor's copy' won't always fly: some distributions have terribly old PAs, and the user may need features from a newer one). Any system requiring you to notify individuals simply doesn't scale (although it probably *is* a good idea to notify major distros explicitly in any case).

So... it might be a good idea simply to have a pulseaudio-security mailing list or even blog or something to which you post the git commit IDs of known security fixes (or whatever it is you tell the distributors: I presume it's something like that). No need to do anything extra: this just puts the stuff you're already telling your known packagers out in the open where anyone can see it rather than requiring them to be on RH's security team :) We can assume that backporting security fixes (which is rarely much more than a cherry-pick anyway) is well within the competence of anyone running PA from upstream: what this is doing is saving them from having to read the entire git commit log just to determine stuff you're already telling some people... One extra Cc: on emails you already send and everyone is happy.

(The kernel already does something like this with the -stable tree. udev doesn't do anything like this and I bloody wish it did: it tends to intermingle major rules-breaking config changes and critical security fixes in releases, and keeps security fixes quiet. That's *exactly* the wrong thing to do... but you know that.)

(FWIW, running source-from-upstream of things like PA really *is* common in some environments. I know one fairly large academic institution which is running lots of copies of Debian stable with backported PulseAudio and a newer kernel, because they needed the glitch-free code to get tolerable networked sound on their rather slow workstations. And I only learnt this by chance: there are probably a lot of other people doing something similar.)