From: "Yaakov (Cygwin Ports)" <yselkowitz@users.sourceforge.net>
To: cygwin-apps@cygwin.com
Subject: Re: HEADSUP: Security updates outstanding
Date: Mon, 18 Aug 2008 19:09:00 -0000 [thread overview]
Message-ID: <48A9C894.7000106@users.sourceforge.net> (raw)
In-Reply-To: <20080818132734.GJ21040@calimero.vinschen.de>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Corinna Vinschen wrote:
> Personally I'm kind of not interested to go this road. If I learn about
> a problem in an upstream package, I update. If anybody else want's to
> take over responsibility for security problems, I certainly don't stand
> in the way, of course.
While that seems to work for you, when applied to the entire distro
there are some pitfalls:
1) According to the cygwin-pkg-maint file, there are currently 56
"active" package maintainers. We can't assume that everyone is as
diligent -- or in the know -- as you are.
2) Even if they would be, most of the time we would still be playing
"catch-up", first updating when the issue is public instead of
coordinating beforehand like the linux distros.
3) We have absolutely no way of handling the case where a maintainer is
away (or MIA) when we need an urgent bump/patch.
Having a security team and a private list would allow us to deal with
all these things responsibly.
Yaakov
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Cygwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iEYEAREIAAYFAkipyJQACgkQpiWmPGlmQSPwGgCgs78m1gu7SqcTp60/uvh64a6C
k+gAoN5D0+Ro1o4A9RdeBJ/1XXuR5I8v
=RKHP
-----END PGP SIGNATURE-----
next prev parent reply other threads:[~2008-08-18 19:09 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-08-18 1:01 Yaakov (Cygwin Ports)
2008-08-18 1:09 ` Christopher Faylor
2008-08-18 2:42 ` Yaakov (Cygwin Ports)
2008-08-18 13:10 ` Christopher Faylor
2008-08-18 13:26 ` Corinna Vinschen
2008-08-18 19:09 ` Yaakov (Cygwin Ports) [this message]
2008-08-19 9:56 ` Corinna Vinschen
2008-08-18 3:46 ` David Rothenberger
2008-08-18 6:47 ` Reini Urban
2008-08-18 6:59 ` Reini Urban
2008-08-20 11:53 ` RFU: mercurial, pngcrush, python-paramiko (was: Re: HEADSUP: Security updates outstanding) Jari Aalto
2008-08-20 12:08 ` Corinna Vinschen
2008-08-20 12:35 ` RFU: mercurial, pngcrush, python-paramiko Jari Aalto
2008-08-20 13:07 ` Corinna Vinschen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=48A9C894.7000106@users.sourceforge.net \
--to=yselkowitz@users.sourceforge.net \
--cc=cygwin-apps@cygwin.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).