Re: Deprecating 1.1.x when 1.3.0 comes out.

From: Florian Weimer <fw_at_deneb.enyo.de>
Date: 2005-10-12 23:54:18 CEST

* Branko Čibej:

> On the other hand, said major distros have more paid resources on hand
> than this project does, so it would be nice if they'd give a hand when
> the time comes to produce and test such a patch...

I don't think any distribution has many resources at hand when it
comes to security patch engineering. Keep in mind that some of them
(including a major one--no, I don't mean Debian here) perform only
very light integration testing for their security patches.

Obviously, those two-liners which plug format string or buffer
overflow vulnerabilities are not the problem. I'm more concerned with
things that require actual understanding of the code, like fixing ACL
checks. The parts of the Subversion codebase I've seen didn't look
too bad, but without feedback from developers familiar with the code
base, it's sometimes hard to tell whether the patch you came up with
just papers over one particular instance of an issue, or actually
resolves it.

Received on Wed Oct 12 23:56:38 2005

This is an archived mail posted to the Subversion Dev mailing list.