This is the mail archive of the mailing list for the Cygwin project.
Re: HEADSUP: Security updates outstanding
Corinna Vinschen wrote:
> Personally I'm kind of not interested to go this road. If I learn about
> a problem in an upstream package, I update. If anybody else wants to
> take over responsibility for security problems, I certainly don't stand
> in the way, of course.
While that seems to work for you, when applied to the entire distro
there are some pitfalls:
1) According to the cygwin-pkg-maint file, there are currently 56
"active" package maintainers. We can't assume that everyone is as
diligent -- or in the know -- as you are.
2) Even if they were, most of the time we would still be playing
"catch-up", first updating when the issue is public instead of
coordinating beforehand like the Linux distros.
3) We have absolutely no way of handling the case where a maintainer is
away (or MIA) when we need an urgent bump/patch.
Having a security team and a private list would allow us to deal with
all these things responsibly.