On 2016-04-19 11:30:38 -0500 (-0500), Ian Cordasco wrote:
[...]
> I've argued with different downstream distributors about their own
> judgment of what portions of the patch to apply in order to fix an
> issue with an assigned CVE. It took much longer than should have
> been necessary in at least one of those cases where it did affect
> OpenStack
[...]
I won't disagree that it's a double-edged sword, but on balance having established, organized distros managing security backporting for their packages helps in a lot more situations of lax upstream security posture than it hinders responsive upstreams (probably because there are a lot more of the former than the latter).

At least it's seemed to me that a majority of vulnerability announcements posted on the oss-sec ML come from distro security teams as compared to upstream security teams, though this also may just be due to having a lot more low-popularity projects packaged in major distros and written by small teams who don't have experience handling vulnerability reports.

-- 
Jeremy Stanley

__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev