
Re: [opinion] CVE-patching is not sufficient for package security patching

From: Léo Le Bouter
Subject: Re: [opinion] CVE-patching is not sufficient for package security patching
Date: Wed, 17 Mar 2021 07:07:31 +0100
User-agent: Evolution 3.34.2

On Tue, 2021-03-16 at 19:19 -0400, Mark H Weaver wrote:
> That said, I strongly disagree that we should "never backport patches
> ourselves in most cases".  The only way to do that, while addressing
> security flaws, would be to promptly update even our lowest-level
> libraries in response to CVEs, of which there is a steady stream.

Fortunately I think that lots of these core package upstreams also have
good CVE-issuance practices. For the GLib case in particular, I think
they are good; I consider it acceptable to backport patches, everyone is
doing it, upstream is cooperative and works towards that same goal.

To everyone else in general, I understand we have to ship a working
system, and I want that too, that's why I said we should "strive" to,
but it doesn't mean we should break things, of course. By that I mean
that we shouldn't leave packages unmaintained without updates for too
long even without CVEs or other security notices issued. At some point,
if a package is of no use, no users show up and it's painful to update,
we should also consider removing the package or archiving it in a third
party channel we could create like "guix-archive", "guix-ugly" or

