[arch-general] Important notice on the Arch Security Team to the whole Arch Linux community.
C Anthony Risinger
anthony at extof.me
Tue Jun 22 20:39:05 EDT 2010
On Tue, Jun 22, 2010 at 6:49 PM, Allan McRae <allan at archlinux.org> wrote:
> On 23/06/10 05:21, C Anthony Risinger wrote:
>>
>> example: SSH 0-day exploit is released. bang! you crack out your
>> interim PKGBUILD and crack a beer because your safe right? whoops,
>> because this is a production machine (from a message a couple hours
>> ago):
>>
>> On Tue, Jun 22, 2010 at 10:23 AM, Sergey Manucharian
>> <ingeniware at gmail.com> wrote:
>>>
>>> ..........
>>> Everything work fine, but I'm doing updates only ones in 2-3 months.
>>> ..........
>>
>> what?? so i have to also upgrade lib XYZ to get this to work? wait,
>> let's just backport to version X... damn! Sandy Squirrel updated a
>> month ago, so she's running version Y...
>>
>> do you see where i'm headed here? are you going to provide fixes for
>> every possible package update that occurred in the last 6 months?
>> lets say your crazy and you auto update your production machines...
>> now your pulling in a _reactionary_ fix that if appropriate will
>> probably be in upstream in less than a week, and they'll have a
>> security related point-release to address it properly.
>
> What a load of crap... Arch developers only support packages that are
> currently in the repo. Why would the security team do anything else. If a
> person is not prepared to update their system regularly, or at least when
> there is a known security issue in the out-of-date packages they are using,
> then they should be using a different distribution that makes stable
> snapshot releases.
>
> Also, as established earlier in the thread, some of our packages have
> patches for security issues that a a couple of years old because upstream
> has not made a new release. So the whole probably be fixed by upstream in
> less that a week and a point release made is just naive.
>
> Finally, this is not going to change the way development works around here.
> We would still be patching the software for the security bugs. It will just
> save the developers more time assessing bug as all the necessary
> information/links will be provided for us in one spot.
what, did you read that far and give up? dead/non-cooperative/poor
upstreams are not the same as healthy, responsive upstreams. and yes,
they do get fixed pretty quick; i can't imagine your dead upstream or
upstreams that haven't released in years scenario affects too many
applications, what, 1%?... and if it does, then they should either be
removed completely or we should start following appropriate points in
HEAD, because the project is probably obsolete or deprecated, or en
route to such.
i've seen several other external projects trying to address the fact
that Arch moving at breakneck speed, leaving no prisoners, doesn't
work too well for a production machines that can't afford to blindly
upgrade junk or reboot at any moment. if so, then you have poor
change management skills, and probably don't have many clients either.
desktop machines? not important.
in the end, i'm not particularly concerned with how people expend
their energy. i personally think chasing microscopic holes in this or
that is a colossal waste of time when the real security issues
surround the other 99.9%; deployment. there are more pragmatic ways
to safeguard against the known unknown and the unknown unknown. but
alas, i'm bored; to each their own.
C Anthony
More information about the arch-general
mailing list