[arch-general] Important notice on the Arch Security Team to the whole Arch Linux community.

Isaac Dupree ml at isaac.cedarswampstudios.org
Tue Jun 22 21:56:52 EDT 2010


On 06/22/10 19:49, Allan McRae wrote:
> Also, as established earlier in the thread, some of our packages have
> patches for security issues that are a couple of years old because
> upstream has not made a new release. So the whole "it will probably be
> fixed by upstream in less than a week and a point release made" is just naive.

On 06/22/10 15:21, C Anthony Risinger wrote:
> I just am having a hard time believing that you
> are not only going to track down holes, but have the competence to
> properly fix them, for all the reasons I've already specified.

Part of the situation is, lots of upstreams don't have security 
competence either -- especially volunteer-run projects, but I bet some 
commercial undertakings don't either.  So they don't make point releases 
as soon as an important security issue is discovered; or they make a 
patch but the patch is incorrect (often established distros have, in 
some ways, a better sense of how to patch a security flaw than an 
individual upstream, because the distros see a lot of security flaws -- 
like buffer overruns, etc.).

It's clear that spreading more information more quickly about security 
issues sounds productive (as long as the information is as correct as 
can be, which a volunteer team may be able to have some fair amount of 
competence at, I'm guessing).

-Isaac
