Hi Ken,

On Wed, Jul 09, at 01:10 Ken Moffat wrote:
> On Wed, Jun 25, 2008 at 01:58:22PM +0300, Ag. D. Hatzimanikas wrote:
> >
> > I've gathered this information about vulnerable packages (could be more).
> >
> > PACKAGE   | LINK | BOOK VERSION | RESOLUTION |
> > ____________________________________________
> > Ruby      | [1]  | AFFECTED     | Upgrade    |
> > Freetype  | [2]  | AFFECTED     | Upgrade    |
> > Libvorbis | [3]  | AFFECTED     | [9]        |
> > Openssl   | [4]  | AFFECTED     | Upgrade    |
> > Imlib     | [5]  | AFFECTED     | [10]       |
> > Libxslt   | [6]  | AFFECTED     | Upgrade    |
> > Mplayer   | [7]  | AFFECTED     | Upgrade    |
> > Libpng    | [8]  | AFFECTED     | Upgrade    |
> > ============================================
> >
[...]

Thanks for fixing these vulnerabilities, as security has to be (ideally) one of our main concerns. Unfortunately our security mailing list is inactive and I don't think it will ever recover under the current circumstances. With that in mind, I believe we have to warn our users and recommend that they follow one of the security mailing lists from other channels. Fortunately there are (at least) two running from some popular and serious distributions that can serve that purpose; these are: the one from Gentoo (see the link that I've already posted in the first mail on that thread), and the one that is run by Debian[1]. In my opinion we have to put some of that information in a visible place, either on the front web page or (why not) in the Book.

On another but similar matter. Although quite wisely in my opinion, (ken) you've fixed the Book with your recent commits, unfortunately this means another delay in the release, since some of the updated packages are basic dependencies of a lot of important packages. I think we can all understand that we can't trust a blind update and release too soon, without testing the new updates for a considerable time. The question is: Who is gonna test it? Because I believe most of the editors (myself included) don't have a 6.3 LFS release around anymore - it's been almost a year (sorry).

Is it maybe a solution to postpone the release indefinitely or cancel the release entirely? Why not? Gentoo did it last year. Is it maybe a solution to put a release manager in place to get this out? I really don't want to blame anyone (really, we're all volunteers), and especially I don't blame Randy, whose contributions to the project everybody knows, but it looks like he is busy, as we are all busy (tough times, oil etc ...).
In any case, we also have to update the news page, because there is an announcement for a release on the 25th of May, with another announcement where we can explain bravely that we can't keep our promises and give an explanation. It's no big deal. I've seen it all the time in open source projects, and in quite huge projects with maaaany developers. You want names? xorg/kde/debian/gentoo and others. And we have a good reason. There are a ton of newly discovered vulnerabilities. Just look at the two links I posted. And we don't have the luxury of having some hundreds of developers like the two aforementioned distributions. In summary, I am just against the false expectations, that's all.

Ah, and another thing. Maybe all this wouldn't be an issue at all if we had released more regularly using point releases, like: 6.3, 6.3.1, ...

1. http://www.debian.org/security/

--
http://wiki.linuxfromscratch.org/blfs/wiki/Hacking
--
http://linuxfromscratch.org/mailman/listinfo/blfs-dev
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page
