[arch-general] Arch Linux security is still poor....
Allan McRae
allan at archlinux.org
Mon Mar 15 23:55:49 CET 2010
On 16/03/10 08:42, Magnus Therning wrote:
> On 15/03/10 22:34, Xavier Chantry wrote:
>> On Mon, Mar 15, 2010 at 11:18 PM, Magnus Therning<magnus at therning.org> wrote:
>>> After a quick look at it I don't see much that would apply though. Arch
>>> doesn't have releases. Arch follows upstream releases very closely (in some
>>> cases even too closely ;-)
>>>
>>> So, if there is no need for backporting to a set of packages that has been
>>> blessed into a supported release, what is left to do for a dedicated security
>>> team?
>>>
>>
>> 1) what allan said :
>> A group could monitor security issues and file bugs to get the devs to
>> fix them.
>
> Is there any evidence that this is actually needed?
>
> My impression is that maintainers already are monitoring upstream releases.
> When they are lagging, there are users who mark things out-of-date. The
> occasional non-maintainer upload doesn't seem to warrant a dedicated team.
A bump for something being out of date is quite different from a bump
for something being out of date and has a security issue.
I also know that there are cases where the security issue fixes are not
considered critical by upstream and so they are only patched in
CVS/SVN/whatever. These are obviously cases where the exploit is not
practical at this time, so there is no rush to fix but we probably still
should.
But again, I would like to see numbers for how much this is actually an
issue. Saying that, if the number is above zero (likely), a security
team could do some good.
Allan