- Subject: Re: Lua [in]security and the distributors
- From: Jonas Thiem <jonasthiem@...>
- Date: Thu, 28 Aug 2014 04:56:08 +0200
However, that doesn't change the fact that 3 major distributions
completely forgot that they need to check for those patches, and then
also seemed unaware there was a security exploit among them (relevant to
script-level sandboxing).
Therefore I can only reiterate my suggestion to improve the website with
an obvious notice on the download site, and possibly prominent security
announcements somewhere about actual discovered exploits. Distributors
can patch, but if they aren't aware when something notable to be patched
(a security issue) comes around, it's kind of a useless fact.
On 08/26/2014 11:18 PM, Jay Carlson wrote:
> On Aug 26, 2014, at 2:57 PM, Roberto Ierusalimschy <roberto@inf.puc-rio.br> wrote:
>
>> Would our sin be smaller if our single crash bug had no
>> known patch?
>
> No. We especially love localized patches. They aren't sins, they're acts of benevolence. We want to use those patches. Because this patch doesn't really have a name (nor does 5.2.3+patch have a name) fewer people knew about this good work.
>
> Full releases are a pain, and I don't want you to avoid disclosing experimental or one-off patches because it would imply a full release.
>
> Perhaps after a week or so on the mailing list, you could say: "OK, let's give our patch from 2014-04-01 the name '5.2.3 post1'." I think search engines would index that, so anybody could find your mailing list message. Obviously, 5.2.4 would later roll up those patches.
>
> But having patches at all is better than keeping clean naming and no patches.
>
> With software at this level of stability, it is sometimes difficult to do anything with names. In retrospect, I made a mess once from not wanting to name things. I had patched "1.8.0p6" to "1.8.0r1", "1.8.0r2", ending up at "1.8.1". Then I stopped naming things. Later, the next maintainer had to skip to "1.8.3" because there were so many third-party patchsets prematurely naming themselves "1.8.2". Mea culpa.
>
> In the age of git, it's not such a big deal for a third party to play "patch secretary". De facto, a Debian maintainer has always been the secretary of last resort.
>
> Jay
>
- References:
- Lua [in]security and the distributors, Jonas Thiem
- Re: Lua [in]security and the distributors, Enrico Tassi
- Re: Lua [in]security and the distributors, Jonas Thiem
- Re: Lua [in]security and the distributors, Pierre Chapuis
- Re: Lua [in]security and the distributors, Jonas Thiem
- Re: Lua [in]security and the distributors, David Heiko Kolf
- Re: Lua [in]security and the distributors, Jonas Thiem
- Re: Lua [in]security and the distributors, Dirk Laurie
- Re: Lua [in]security and the distributors, Roberto Ierusalimschy
- Re: Lua [in]security and the distributors, Jay Carlson