From: Neil M. <nei...@si...> - 2016-01-21 16:10:16
<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
On 21/01/16 01:11 AM, Rene Engelhard wrote:<br>
<blockquote cite="mid:201...@re..." type="cite">... if it is [an exploitable security bug] people _should_ fix past versions and this of course includes the patch one needs to apply and description of the bug (for the security announcement).<br>
</blockquote>
<br>
There's some implicit information here that needs to be made explicit. Both Debian and Ubuntu operate a policy that security vulnerabilities are _not_ fixed by upgrading to a newer upstream version. Instead, a minimal patch is applied that just fixes the vulnerability and nothing else. See <a class="moz-txt-link-rfc2396E" href="https://wiki.ubuntu.com/StableReleaseUpdates">&lt;https://wiki.ubuntu.com/StableReleaseUpdates&gt;</a> for a full explanation.<br>
<br>
Usually this can be done by cherry-picking the upstream commit(s) that fix the bug, but sometimes there are conflicts. It greatly eases the burden on third-party integrators if the upstream developers can provide those patches, since they're in a much better position to see how to resolve conflicts, if any.<br>
<br>
Ideally, these patches would be provided, e.g. by contacting the Debian security team, _before_ the upstream commits are made available publicly. The Debian security FAQ says:<br>
<br>
<blockquote type="cite">If you learn about a security problem, either in one of your own packages or in someone else's, please always contact the security team. If the Debian security team confirms the vulnerability and other vendors are likely to be vulnerable as well, they usually contact other vendors as well. If the vulnerability is not yet public they will try to coordinate security advisories with the other vendors, so all major distributions are in sync.</blockquote>
<br>
</body>
</html>