[arch-general] Important notice on the Arch Security Team to the whole Arch Linux community.

Allan McRae allan at archlinux.org
Tue Jun 22 19:49:36 EDT 2010


On 23/06/10 05:21, C Anthony Risinger wrote:
>
> example: SSH 0-day exploit is released.  bang! you crack out your
> interim PKGBUILD and crack a beer because you're safe, right?  whoops,
> because this is a production machine (from a message a couple hours
> ago):
>
> On Tue, Jun 22, 2010 at 10:23 AM, Sergey Manucharian
> <ingeniware at gmail.com>  wrote:
>> ..........
>> Everything works fine, but I'm doing updates only once in 2-3 months.
>> ..........
>
> what?? so i have to also upgrade lib XYZ to get this to work?  wait,
> let's just backport to version X... damn! Sandy Squirrel updated a
> month ago, so she's running version Y...
>
> do you see where i'm headed here?  are you going to provide fixes for
> every possible package update that occurred in the last 6 months?
> let's say you're crazy and you auto update your production machines...
> now you're pulling in a _reactionary_ fix that if appropriate will
> probably be in upstream in less than a week, and they'll have a
> security related point-release to address it properly.

What a load of crap...  Arch developers only support packages that are 
currently in the repo.  Why would the security team do anything else? If 
a person is not prepared to update their system regularly, or at least 
when there is a known security issue in the out-of-date packages they 
are using, then they should be using a different distribution that makes 
stable snapshot releases.

Also, as established earlier in the thread, some of our packages have 
patches for security issues that are a couple of years old because 
upstream has not made a new release.  So the whole "probably be fixed by 
upstream in less than a week and a point release made" is just naive.

Finally, this is not going to change the way development works around 
here.  We would still be patching the software for the security bugs. It 
will just save the developers more time assessing bugs as all the 
necessary information/links will be provided for us in one spot.

Allan
