[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: Security patches release process

From: Ben Reser <ben_at_reser.org>
Date: Thu, 8 Aug 2013 16:00:40 -0700

On Thu, Aug 8, 2013 at 3:13 AM, Stefan Sperling <stsp_at_elego.de> wrote:
> The assertion that packagers only use unmodified tarball is strange to
> me. Packagers routinely patch upstream software to make it work on their
> system or to backport security fixes. But usually the version number of
> the upstream release which the package is based on is used in the package
> name.

Yes the *nix distributions typically do this, sadly they are't the
most reliable packagers. I'll admit I don't pay much attention to
what OpenBSD does but I know some of these distributors haven't done a
very good job of making security updates available.

Picking on Debian here a bit:
https://security-tracker.debian.org/tracker/CVE-2013-1846

CVE-2103-1846 was announced in April, squeeze still doesn't have this fix.

So frankly I think the most reliable packagers are the vendors these
days. And to the best of my knowledge they aren't patching their
packages. Maybe if we released a security issue without a new patch
release accompanying it they would.
Received on 2013-08-09 01:01:18 CEST

This is an archived mail posted to the Subversion Dev mailing list.