Re: [opinion] CVE-patching is not sufficient for package security patching

[Léo Le Bouter]

On Tue, 2021-03-16 at 19:19 -0400, Mark H Weaver wrote:
> That said, I strongly disagree that we should "never backport patches
> ourselves in most cases".  The only way to do that, while addressing
> security flaws, would be to promptly update even our lowest-level
> libraries in response to CVEs, of which there is a steady stream.

Fortunately I think that lots of these core package upstreams also have
good CVE-issuance practices. For the Glib care in particular, I think
they are good, I consider acceptable to backport patches, everyone is
doing it, upstream is cooperative and works towards that same goal.

To everyone else in general, I understand we have to ship a working
system, and I want that too, that's why I said we should "strive" to,
but it doesnt mean we should break things, of course. By that I mean
that we shouldnt leave packages unmaintained without updates for too
long even without CVEs or other security notices issued. At some point,
if a package is of no use, no users show up and it's painful to update,
we should also consider removing the package or archiving it in a third
party channel we could create like "guix-archive", "guix-ugly" or
"guix-love-me-please".

Léo

signature.asc
Description: This is a digitally signed message part