On 23/06/10 05:21, C Anthony Risinger wrote:
example: SSH 0-day exploit is released. bang! you crack out your interim PKGBUILD and crack a beer because your safe right? whoops, because this is a production machine (from a message a couple hours ago):
On Tue, Jun 22, 2010 at 10:23 AM, Sergey Manucharian <ingeniware@gmail.com> wrote:
.......... Everything work fine, but I'm doing updates only ones in 2-3 months. ..........
what?? so i have to also upgrade lib XYZ to get this to work? wait, let's just backport to version X... damn! Sandy Squirrel updated a month ago, so she's running version Y...
do you see where i'm headed here? are you going to provide fixes for every possible package update that occurred in the last 6 months? lets say your crazy and you auto update your production machines... now your pulling in a _reactionary_ fix that if appropriate will probably be in upstream in less than a week, and they'll have a security related point-release to address it properly.
What a load of crap... Arch developers only support packages that are currently in the repo. Why would the security team do anything else. If a person is not prepared to update their system regularly, or at least when there is a known security issue in the out-of-date packages they are using, then they should be using a different distribution that makes stable snapshot releases. Also, as established earlier in the thread, some of our packages have patches for security issues that a a couple of years old because upstream has not made a new release. So the whole probably be fixed by upstream in less that a week and a point release made is just naive. Finally, this is not going to change the way development works around here. We would still be patching the software for the security bugs. It will just save the developers more time assessing bug as all the necessary information/links will be provided for us in one spot. Allan