In regard to: Re: [OpenIndiana-discuss] OI roadmap (for production), Bob...:
Take libpng for example. The latest OI /dev ships is 1.4.12. Everything
before 1.4.17 is vulnerable to CVE-2015-7981 and CVE-2015-8126. Let's
say that I had just installed a8 today and then updated to a9, so I didn't
know whether libpng had been patched or not. How would I check?
Given the development model of OpenIndiana, I think that it is much more
likely that the software version is updated based on a formal upstream
release rather than a security issue being fixed via a patch. Only
really extreme security issues or well-known issues in valuable
unmaintained projects are likely to be fixed via a patch.
OpenIndiana is not going to be prepared any time soon to provide security
fixes in the way that Red Hat or Debian are able to provide.
You make a good point Bob, and I think you're correct that's the only
option.
The downside is that with many of the components in OI /dev being so far
off of current, a security update is going to often force a minor or
even major version bump, which will potentially cause breaking changes
and in the case of a base library, require a re-link of many applications.
In libpng's case that wouldn't be true since there was a full package
release in the 1.4.x and even 1.2.x series.
The situation is much better for hipster, since it is much closer to
current releases for many more packages.
Tim
--
Tim Mooney tim.moo...@ndsu.edu
Enterprise Computing & Infrastructure 701-231-1076 (Voice)
Room 242-J6, Quentin Burdick Building 701-231-8541 (Fax)
North Dakota State University, Fargo, ND 58105-5164
_______________________________________________
openindiana-discuss mailing list
openindiana-discuss@openindiana.org
http://openindiana.org/mailman/listinfo/openindiana-discuss
