From: Asher Gordon
Subject: [Savannah-users] Savannah security software updates (was: Multiple GPG keys on Savannah)
Date: Sat, 03 Aug 2019 01:35:18 -0400
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/26.1 (gnu/linux)

Bob Proulx <address@hidden> writes:
> Asher Gordon wrote:
>> I see. It's too bad Savannah doesn't host the GnuPG git repository,
>> because then I could point out how ironic it is that Savannah hosts
>> GnuPG but still uses an old version! :-)
>
> I'll own that one. I really push for having an alive security patch
> process and using a software distribution package management system
> makes that much easier than building everything from scratch.
> [...]

I was just making a joke (perhaps not a very good one :-) ). I wasn't
trying to criticize Savannah. But of course, security *is* important.

> The terrible irony would be that a security vulnerability would get
> found, reported, known by the malicious, fixed upstream, and we might
> still be running a stale old copy that we had not realized needed to
> be updated if we are not paying attention and get compromised. On the
> other hand the daily distro package upgrade keeps things simple.

Yes, using distro packages is probably a good idea. Might I suggest
moving to Debian eventually? I know it's not FSF-endorsed, but "main"
has only free software. Debian stable ("buster" currently) has
reasonably recent software versions and is stable and secure. Of course,
it would probably be a lot of work to migrate Savannah to Debian, and it
might not be worth it. Another major downside would be that you don't
get the cool ASCII logo on login. :-)

Asher

--
<cas> well there ya go. say something stupid in irc and have it
immortalised forever in someone's .sig file