[arch-general] Arch Linux security is still poor....

Allan McRae allan at archlinux.org
Mon Mar 15 23:55:49 CET 2010

On 16/03/10 08:42, Magnus Therning wrote:
> On 15/03/10 22:34, Xavier Chantry wrote:
>> On Mon, Mar 15, 2010 at 11:18 PM, Magnus Therning<magnus at therning.org>  wrote:
>>> After a quick look at it I don't see much that would apply though.  Arch
>>> doesn't have releases.  Arch follows upstream releases very closes (in some
>>> cases even too closely ;-)
>>> So, if there is no need for backporting to a set of packages that has been
>>> blessed into a supported release, what is left to do for a dedicated security
>>> team?
>> 1) what allan said :
>> A group could monitor security issues and file bugs to get the devs to
>> fix them.
> Is there any evidence that this is actually needed?
> My impression is that maintainers already are monitoring upstream releases.
> When they are lagging, there are users who mark things out-of-date.  The
> occasional non-maintainer upload doesn't seem to warrant a dedicated team.

A bump for something being out of date is quite different from a bump 
for something being out of date and has a security issues.

I also know that there are cases where the security issue fixes are not 
considered critical by upstream and so they are only patched in 
CVS/SVN/whatever.  These are obviously cases where the expliot is not 
practical at this time, so there is no rush to fix but we probably still 

But again, I would like to see numbers for how much this is actually an 
issue.  Saying that, if the number is above zero (likely), a security 
team could do some good.


More information about the arch-general mailing list