This is the mail archive of the
mailing list for the glibc project.
Re: Requesting CVEs for glibc security issues
- From: "Joseph S. Myers" <joseph at codesourcery dot com>
- To: Siddhesh Poyarekar <siddhesh at redhat dot com>
- Cc: Will Newton <will dot newton at linaro dot org>, Jeff Law <law at redhat dot com>, OndÅej BÃlka <neleai at seznam dot cz>, Florian Weimer <fweimer at redhat dot com>, Konstantin Serebryany <konstantin dot s dot serebryany at gmail dot com>, GNU C Library <libc-alpha at sourceware dot org>
- Date: Mon, 19 May 2014 15:32:36 +0000
- Subject: Re: Requesting CVEs for glibc security issues
- Authentication-results: sourceware.org; auth=none
- References: <CANu=DmjYiCT8NRbtdrXXrJtK_-mGRmsN+KUV50oEzaGY7tqn0Q at mail dot gmail dot com> <20140519092001 dot GG13048 at spoyarek dot pnq dot redhat dot com>
On Mon, 19 May 2014, Siddhesh Poyarekar wrote:
> > It would also be useful to do the backports to stable branches of the
> > security fix, but at the moment it seems every vendor has their own
> > stable branch.
> Yes, nobody is using the point releases right now, so there is no real
> incentive in maintaining those branches. This is true for bug fixes
> in general, not just security fixes.
Given the risk of mistakes in backports, I'd think that having a standard
version of the backport on the glibc release branch, with all the
distribution maintainers reviewing it carefully, would be better than each
distribution having its own, even if the distributions then select only
certain patches from the release branches rather than actually using the
branches or point releases from them.
Joseph S. Myers