[arch-general] Important notice on the Arch Security Team to the whole Arch Linux community.

Allan McRae allan at archlinux.org
Mon Jun 21 23:16:23 EDT 2010


On 22/06/10 12:07, C Anthony Risinger wrote:
> my point of this ramble if there is one, is that personally, i don't
> want _anyone_ other than upstream to make security decisions regarding
> their software. if Arch started naively backporting stuff based off
> the latest alert from XYZ, i wouldn't be sticking around too long.
> even if a security hole is found i _don't_ want the fix to be
> included by default, unless it came from upstream in the form of a new
> release, which Arch would just pick up as usual.


Then you should probably move along...

> find /var/abs -name '*CVE*'
/var/abs/extra/libmikmod/libmikmod-CVE-2009-0179.patch
/var/abs/extra/xmms/xmms-1.2.11-CVE-2007-0653.0654.patch
/var/abs/extra/alpine/CVE-2008-5514.patch
/var/abs/extra/libtiff/libtiff-CVE-2009-2285.patch
/var/abs/extra/libtiff/tiff-3.9.0-CVE-2009-2347.patch
/var/abs/extra/id3lib/id3lib-3.8.3-CVE-2007-4460.patch
/var/abs/core/expat/CVE-2009-3720.patch
/var/abs/core/expat/CVE-2009-3560.patch

and these are just the patches named for the security issue they fix.

The point is that the developers around here already patch for security 
issues.  The only change I think a security team will achieve is to 
notify me (as a developer) of issues that I have overlooked on the 
upstream mailing lists and file a bug report.  It is a bonus if the 
issue is pre-analyzed for me and all relevant links supplied so I can 
assess it quickly myself and release a fixed package if I deem that 
suitable.

Allan
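As an added example (not part of the original post, and not Arch's own tooling), the script below extends the `find` command above into a small CVE inventory for an ABS-style tree: it collects CVE identifiers both from patch file names and from the text of `PKGBUILD` files, since, as the post notes, many security patches are not named for the issue they fix. The sample tree it builds under `mktemp -d` is constructed for the demo, and `CVE-2010-0001` inside it is a placeholder identifier, not a real advisory.

```shell
#!/bin/sh
# Added example: inventory the CVE identifiers an ABS-style tree already
# carries, so a security-team report can be checked against what is patched.
# Assumes the repo/pkgname/{PKGBUILD,*.patch} layout shown in the post.
set -eu

# Build a constructed ABS tree in a temp dir so the example runs offline.
# CVE-2010-0001 below is a placeholder id, not a real advisory.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/core/expat" "$root/extra/libtiff" "$root/extra/foo"
    : > "$root/core/expat/CVE-2009-3720.patch"
    : > "$root/core/expat/CVE-2009-3560.patch"
    : > "$root/extra/libtiff/libtiff-CVE-2009-2285.patch"
    : > "$root/extra/libtiff/tiff-3.9.0-CVE-2009-2347.patch"
    # A package whose fix is only identified in the PKGBUILD, not in a file name.
    cat > "$root/extra/foo/PKGBUILD" <<'EOF'
pkgname=foo
pkgver=1.0
source=(http://example.invalid/foo-1.0.tar.gz
        fix-overflow.patch)  # fixes CVE-2010-0001 (constructed id)
EOF
    printf '%s\n' "$root"
}

# Print "repo/pkg CVE-YYYY-NNNN" for every id found in patch file names under $1.
cves_from_filenames() {
    find "$1" -type f -name '*CVE-*' | while read -r f; do
        pkg=$(dirname "$f"); pkg=${pkg#"$1/"}
        # A single file name may carry several ids (e.g. CVE-2007-0653.0654.patch);
        # only ids written in full CVE-YYYY-NNNN form are picked up.
        printf '%s\n' "$f" | grep -oE 'CVE-[0-9]{4}-[0-9]{4,}' | while read -r id; do
            printf '%s %s\n' "$pkg" "$id"
        done
    done
}

# Same, but scanning the text of every PKGBUILD (source arrays, comments).
cves_from_pkgbuilds() {
    find "$1" -type f -name PKGBUILD | while read -r f; do
        pkg=$(dirname "$f"); pkg=${pkg#"$1/"}
        grep -oE 'CVE-[0-9]{4}-[0-9]{4,}' "$f" | while read -r id; do
            printf '%s %s\n' "$pkg" "$id"
        done
    done
}

# Combined, deduplicated inventory of the whole tree.
cve_inventory() {
    { cves_from_filenames "$1"; cves_from_pkgbuilds "$1"; } | sort -u
}

# Exit 0 if CVE id $2 is already handled somewhere under tree $1, else 1.
is_patched() {
    cve_inventory "$1" | awk -v id="$2" '$2 == id { found = 1 } END { exit !found }'
}

# Stand-alone demo: build the sample tree, print its inventory, clean up.
demo() {
    root=$(make_sample_tree)
    cve_inventory "$root"
    rm -rf "$root"
}
demo
```

Run against a real checkout (`cve_inventory /var/abs`) the inventory is only as good as the naming discipline of the maintainers: a backported fix whose patch is called `fix-overflow.patch` and whose PKGBUILD never mentions the CVE is invisible to it, which is exactly the gap a security team filing pre-analyzed bug reports would close.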

