This is the mail archive of the mailing list for the glibc project.


Re: Requesting CVEs for glibc security issues

On Mon, May 19, 2014 at 03:32:36PM +0000, Joseph S. Myers wrote:
> On Mon, 19 May 2014, Siddhesh Poyarekar wrote:
> > > It would also be useful to do the backports to stable branches of the
> > > security fix, but at the moment it seems every vendor has their own
> > > stable branch.
> > 
> > Yes, nobody is using the point releases right now, so there is no real
> > incentive in maintaining those branches.  This is true for bug fixes
> > in general, not just security fixes.
> Given the risk of mistakes in backports, I'd think that having a standard 
> version of the backport on the glibc release branch, with all the 
> distribution maintainers reviewing it carefully, would be better than each 
> distribution having its own, even if the distributions then select only 
> certain patches from the release branches rather than actually using the 
> branches or point releases from them.

Distributions are usually at different enough release versions and
have enough different backports on top of them already to make such an
intermediate step largely useless.  If a backport is complicated
enough to warrant such an intermediate step then there is a very high
likelihood that most distributions will end up adjusting the patch for
their branches anyway.  For a backport that is not complicated enough,
then it is a redundant extra step that may be appropriately
conservative, but won't have the kind of utility you describe.

In other words, it is a neat sounding idea, but I don't see it being
useful in practice unless distributions actually start using point
releases actively.

