On Tue, Jun 22, 2010 at 6:49 PM, Allan McRae <allan@archlinux.org> wrote:
On 23/06/10 05:21, C Anthony Risinger wrote:
example: SSH 0-day exploit is released. bang! you crack out your interim PKGBUILD and crack a beer because your safe right? whoops, because this is a production machine (from a message a couple hours ago):
On Tue, Jun 22, 2010 at 10:23 AM, Sergey Manucharian <ingeniware@gmail.com> wrote:
.......... Everything work fine, but I'm doing updates only ones in 2-3 months. ..........
what?? so i have to also upgrade lib XYZ to get this to work? wait, let's just backport to version X... damn! Sandy Squirrel updated a month ago, so she's running version Y...
do you see where i'm headed here? are you going to provide fixes for every possible package update that occurred in the last 6 months? lets say your crazy and you auto update your production machines... now your pulling in a _reactionary_ fix that if appropriate will probably be in upstream in less than a week, and they'll have a security related point-release to address it properly.
What a load of crap... Arch developers only support packages that are currently in the repo. Why would the security team do anything else. If a person is not prepared to update their system regularly, or at least when there is a known security issue in the out-of-date packages they are using, then they should be using a different distribution that makes stable snapshot releases.
Also, as established earlier in the thread, some of our packages have patches for security issues that a a couple of years old because upstream has not made a new release. So the whole probably be fixed by upstream in less that a week and a point release made is just naive.
Finally, this is not going to change the way development works around here. We would still be patching the software for the security bugs. It will just save the developers more time assessing bug as all the necessary information/links will be provided for us in one spot.
what, did you read that far and give up? dead/non-cooperative/poor upstreams are not the same as healthy, responsive upstreams. and yes, they do get fixed pretty quick; i can't imagine your dead upstream or upstreams that haven't released in years scenario affects too many applications, what, 1%?... and if it does, then they should either be removed completely or we should start following appropriate points in HEAD, because the project is probably obsolete or deprecated, or en route to such. i've seen several other external projects trying to address the fact that Arch moving at breakneck speed, leaving no prisoners, doesn't work too well for a production machines that can't afford to blindly upgrade junk or reboot at any moment. if so, then you have poor change management skills, and probably don't have many clients either. desktop machines? not important. in the end, i'm not particularly concerned with how people expend their energy. i personally think chasing microscopic holes in this or that is a colossal waste of time when the real security issues surround the other 99.9%; deployment. there are more pragmatic ways to safeguard against the known unknown and the unknown unknown. but alas, i'm bored; to each their own. C Anthony