
Re: Security patches release process

From: Ben Reser <ben_at_reser.org>
Date: Thu, 8 Aug 2013 16:00:40 -0700

On Thu, Aug 8, 2013 at 3:13 AM, Stefan Sperling <stsp_at_elego.de> wrote:
> The assertion that packagers only use unmodified tarball is strange to
> me. Packagers routinely patch upstream software to make it work on their
> system or to backport security fixes. But usually the version number of
> the upstream release which the package is based on is used in the package
> name.

Yes, the *nix distributions typically do this; sadly, they aren't the
most reliable packagers. I'll admit I don't pay much attention to
what OpenBSD does, but I know some of these distributors haven't done a
very good job of making security updates available.

Picking on Debian here a bit:
https://security-tracker.debian.org/tracker/CVE-2013-1846

CVE-2013-1846 was announced in April; squeeze still doesn't have this fix.

So frankly I think the most reliable packagers are the vendors these
days. And to the best of my knowledge they aren't patching their
packages. Maybe if we released a security issue without a new patch
release accompanying it they would.
Received on 2013-08-09 01:01:18 CEST

This is an archived mail posted to the Subversion Dev mailing list.
