On 16/03/10 08:42, Magnus Therning wrote:
On 15/03/10 22:34, Xavier Chantry wrote:
On Mon, Mar 15, 2010 at 11:18 PM, Magnus Therning<magnus@therning.org> wrote:
After a quick look at it I don't see much that would apply though. Arch doesn't have releases. Arch follows upstream releases very closes (in some cases even too closely ;-)
So, if there is no need for backporting to a set of packages that has been blessed into a supported release, what is left to do for a dedicated security team?
1) what allan said : A group could monitor security issues and file bugs to get the devs to fix them.
Is there any evidence that this is actually needed?
My impression is that maintainers already are monitoring upstream releases. When they are lagging, there are users who mark things out-of-date. The occasional non-maintainer upload doesn't seem to warrant a dedicated team.
A bump for something being out of date is quite different from a bump for something being out of date and has a security issues. I also know that there are cases where the security issue fixes are not considered critical by upstream and so they are only patched in CVS/SVN/whatever. These are obviously cases where the expliot is not practical at this time, so there is no rush to fix but we probably still should. But again, I would like to see numbers for how much this is actually an issue. Saying that, if the number is above zero (likely), a security team could do some good. Allan