On Thu, Jun 29, 2017 at 12:48:22PM +0800, Alex Vong wrote:
> Leo Famulari <l...@famulari.name> writes:
>
> [...]
>
> > But, the "Stack Clash" issues took us by surprise and we spent a few
> > days writing and testing our fixes. We are committed to supporting
> > 32-bit platforms where these bugs are apparently easy to exploit.
> > Without access to the exploits or detailed discussion, it was very
> > difficult to know if our fixes actually worked. So, we could have
> > responded more quickly and effectively with early notice.
> [...]
>
> Should we bring this discussion to nix devs as well? I am sure they are
> facing the same issue of not having early access to vulnerabilities. It
> will be insightful to know how they dealt with it in the past and their
> opinions on joining the list.
If somebody who has a relationship with the Nix team would like to discuss it with them, I'd be happy to hear the result, but I don't really have time for it right now. Also, we would not be able to discuss embargoed bugs from linux-distros with them, according to the list policy. Besides, I think our present situation and practices regarding security updates are very different from Nix's. They have different tools for shipping security updates, and they do the "stable" branch thing.