This is the mail archive of the cygwin-apps mailing list for the Cygwin project.



Re: HEADSUP: Security updates outstanding



Corinna Vinschen wrote:
> Personally I'm kind of not interested to go this road.  If I learn about
> a problem in an upstream package, I update.  If anybody else wants to
> take over responsibility for security problems, I certainly don't stand
> in the way, of course.

While that seems to work for you, when applied to the entire distro
there are some pitfalls:

1) According to the cygwin-pkg-maint file, there are currently 56
"active" package maintainers.  We can't assume that everyone is as
diligent -- or in the know -- as you are.

2) Even if they were, most of the time we would still be playing
"catch-up", first updating when the issue is public instead of
coordinating beforehand like the Linux distros.

3) We have absolutely no way of handling the case where a maintainer is
away (or MIA) when we need an urgent bump/patch.

Having a security team and a private list would allow us to deal with
all these things responsibly.


Yaakov

