guix-devel
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: FW: [oss-security] accepting new members to (linux-)distros lists


From: Ludovic Courtès
Subject: Re: FW: [oss-security] accepting new members to (linux-)distros lists
Date: Mon, 10 Jul 2017 17:56:18 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/25.2 (gnu/linux)

Leo Famulari <address@hidden> skribis:

> On Thu, Jun 29, 2017 at 12:48:22PM +0800, Alex Vong wrote:
>> Leo Famulari <address@hidden> writes:
>> 
>> [...]
>> > But, the "Stack Clash" issues took us by surprise and we spent a few
>> > days writing and testing our fixes. We are committed to supporting
>> > 32-bit platforms where these bugs are apparently easy to exploit.
>> > Without access to the exploits or detailed discussion, it was very
>> > difficult to know if our fixes actually worked. So, we could have
>> > responded more quickly and effectively with early notice.
>> [...]
>> 
>> Should we bring this discussion to nix devs as well? I am sure they are
>> facing the same issue of not having early access to vulnerabilities. It
>> will be insightful to know how they dealt with it in the past and their
>> opinions on joining the list.
>
> If somebody who has a relationship with the Nix team would like to
> discuss it with them, I'd be happy to hear the result, but I don't
> really have time for it right now. Also, we would not be able to discuss
> embargoed bugs from linux-distros with them, according to the list
> policy.
>
> Besides, I think our present situation and practices regarding security
> updates is very different from Nix's. They have different tools for
> shipping security updates, and they do the "stable" branch thing.

Indeed.  We can learn by working with each other in general, but for
this particular topic I think it wouldn’t be that helpful.  In addition
to having different tools and practices, Nix and Guix are simply
different distros.

Ludo’.



reply via email to

[Prev in Thread] Current Thread [Next in Thread]