[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: FW: [oss-security] accepting new members to (linux-)distros lists
|
From: |
Ludovic Courtès |
|
Subject: |
Re: FW: [oss-security] accepting new members to (linux-)distros lists |
|
Date: |
Mon, 10 Jul 2017 17:56:18 +0200 |
|
User-agent: |
Gnus/5.13 (Gnus v5.13) Emacs/25.2 (gnu/linux) |
Leo Famulari <address@hidden> skribis:
> On Thu, Jun 29, 2017 at 12:48:22PM +0800, Alex Vong wrote:
>> Leo Famulari <address@hidden> writes:
>>
>> [...]
>> > But, the "Stack Clash" issues took us by surprise and we spent a few
>> > days writing and testing our fixes. We are committed to supporting
>> > 32-bit platforms where these bugs are apparently easy to exploit.
>> > Without access to the exploits or detailed discussion, it was very
>> > difficult to know if our fixes actually worked. So, we could have
>> > responded more quickly and effectively with early notice.
>> [...]
>>
>> Should we bring this discussion to nix devs as well? I am sure they are
>> facing the same issue of not having early access to vulnerabilities. It
>> will be insightful to know how they dealt with it in the past and their
>> opinions on joining the list.
>
> If somebody who has a relationship with the Nix team would like to
> discuss it with them, I'd be happy to hear the result, but I don't
> really have time for it right now. Also, we would not be able to discuss
> embargoed bugs from linux-distros with them, according to the list
> policy.
>
> Besides, I think our present situation and practices regarding security
> updates is very different from Nix's. They have different tools for
> shipping security updates, and they do the "stable" branch thing.
Indeed. We can learn by working with each other in general, but for
this particular topic I think it wouldn’t be that helpful. In addition
to having different tools and practices, Nix and Guix are simply
different distros.
Ludo’.