Re: [opinion] CVE-patching is not sufficient for package security patching

From: Léo Le Bouter
Subject: Re: [opinion] CVE-patching is not sufficient for package security patching
Date: Wed, 17 Mar 2021 07:07:31 +0100
User-agent: Evolution 3.34.2
On Tue, 2021-03-16 at 19:19 -0400, Mark H Weaver wrote:
> That said, I strongly disagree that we should "never backport patches
> ourselves in most cases". The only way to do that, while addressing
> security flaws, would be to promptly update even our lowest-level
> libraries in response to CVEs, of which there is a steady stream.
Fortunately I think that lots of these core package upstreams also have
good CVE-issuance practices. For the GLib case in particular, I think
they are good; I consider it acceptable to backport patches, everyone is
doing it, upstream is cooperative and works towards that same goal.

To everyone else in general, I understand we have to ship a working
system, and I want that too; that's why I said we should "strive" to,
but it doesn't mean we should break things, of course. By that I mean
that we shouldn't leave packages unmaintained without updates for too
long, even without CVEs or other security notices issued. At some point,
if a package is of no use, no users show up and it's painful to update,
we should also consider removing the package or archiving it in a third
party channel we could create, like "guix-archive", "guix-ugly" or
"guix-love-me-please".
Léo