On Thu, Aug 26, 1999 at 04:56:42PM +0100, Richard Kettlewell wrote:
> Do there now exist arrangements to ensure that Red Hat get to hear
> about Debian's security fixes, and vice versa?

http://www.lwn.net/, http://www.linux.org/security/, and even directly from
the source. It's not hard to hear about them. What's hard is working out
whether they apply, and how to fix them.

> Equally importantly - how many other bugs are fixed only in one
> vendor's code, and still waiting to bite the rest of us? How best to
> chase them down?

The best way, IMO, is to make sure all the distributions work as closely as
possible with the upstream maintainers: you find a security problem, you get
a fix, you upload a fixed package and pass it on to the upstream maintainer.
They release an update, RedHat, Mandrake, SuSE, and whoever else hears about
it and updates to that.

Of course, keeping up with upstream's a lot of work --- both for Debian
because we've all got other things to do, and RedHat and friends because
they've only got so many people to work on problems. And sending useful
patches upstream isn't all that easy either, at times.

And then there's the problem of what to do when certain key components
aren't maintained upstream, or just that the distribution's version is
already incredibly different, or they're so core that there are a dozen
competing versions of them...

Cheers,
aj

-- 
Anthony Towns <aj@humbug.org.au> <http://azure.humbug.org.au/~aj/>
I don't speak for anyone save myself. PGP encrypted mail preferred.

``The thing is: trying to be too generic is EVIL. It's stupid, it results
in slower code, and it results in more bugs.'' -- Linus Torvalds