Security Response Team / EOL

Josh Bressers bressers at redhat.com
Sun Apr 30 12:56:42 UTC 2006


> 
> 3. On the topic of backporting security fixes, I think this is a bit of 
> a red herring. Some have suggested NO new package versions, only 
> backported fixes. This doesn't really make a lot of sense: what if 
> upstream releases a new version that contains just the security fixes? 
> Or the security fixes plus tiny bugfixes too? This is pretty common and 
> artificially forcing someone to diff package version N and N+1, then 
> apply the patch to version N but call it version N release++ makes no 
> sense. Now, obviously this leaves it down to the maintainer: if we are 
> leaving it open that they can upgrade packages as they see fit for 
> "security" reasons, there's nothing stopping them upgrading to some big 
> new version. But then that's the case with FE in general: a lot of it is 
> down to trust in the maintainers not to do things that are completely 
> out-of-line with what the Project as a whole is trying to do.
> 

Now that things have calmed down a little bit I want to comment on this
topic.

There is no way you can create a policy that says ALL security fixes must
be backported.  It doesn't work, especially with groups of volunteers.

There are other distributions that have used this policy in the past.  The
result ends up being if the fix is bigger than a breadbox, it just never
gets fixed.  The deciding factor should be which one is less invasive, and
that decision should be up to the packagers and the security response team.
There are times it's easier to apply a patch, there are times that one must
upgrade.

-- 
    JB




More information about the fedora-extras-list mailing list