
Re: Propagating security fixes efficiently



On Thu, Aug 26, 1999 at 04:56:42PM +0100, Richard Kettlewell wrote:
> Do there now exist arrangements to ensure that Red Hat get to hear
> about Debian's security fixes, and vice versa?

http://www.lwn.net/, http://www.linux.org/security/, and even directly
from the source. It's not hard to hear about them. What's hard is working
out whether they apply, and how to fix them.

> Equally importantly - how many other bugs are fixed only in one
> vendor's code, and still waiting to bite the rest of us?  How best to
> chase them down?

The best way, IMO, is to make sure all the distributions work as closely
as possible with the upstream maintainers: you find a security problem,
you get a fix, you upload a fixed package and pass it on to the upstream
maintainer. They release an update, RedHat, Mandrake, SuSE, and whoever
else hears about it and updates to that.

Of course, keeping up with upstream's a lot of work --- both for Debian
because we've all got other things to do, and RedHat and friends because
they've only got so many people to work on problems. And sending useful
patches upstream isn't all that easy either, at times.

And then there's the problem of what to do when certain key components
aren't maintained upstream, or just that the distribution's version is
already incredibly different, or they're so core that there are a dozen
competing versions of them...

Cheers,
aj

-- 
Anthony Towns <aj@humbug.org.au> <http://azure.humbug.org.au/~aj/>
I don't speak for anyone save myself. PGP encrypted mail preferred.

 ``The thing is: trying to be too generic is EVIL. It's stupid, it 
        results in slower code, and it results in more bugs.''
                                        -- Linus Torvalds
