package update politics
Re: package update politics
Regarding security holes, I'm not sure if updating Firefox 9 to 10 just after it had been released was right, as two fix releases came within two weeks or so afterwards. Maybe it would have been better to wait a month or so until the Firefox developers fix their bugs? It seems that all new Firefox releases come with many bugs.
Re: package update politics
witek wrote:
> Regarding security holes, I'm not sure if updating Firefox 9 to 10 just after it had been released was right, as two fix releases came within two weeks or so afterwards. Maybe it would have been better to wait a month or so until the Firefox developers fix their bugs? It seems that all new Firefox releases come with many bugs.

So it would have been better to keep known security holes for a month? What makes you think that holes in 10.0 were not also present in 9.0.x? And in any case, the firefox packages in salix were updated to 10.0.1 and 10.0.2 as soon as they were released.
Re: package update politics
If there are security updates they should be released as fast as possible. Look upon it like this:
If there's a security issue, e.g. in Firefox 9, and Firefox 10 fixes it, then that issue is publicly known. That means it's likely that exploits for that issue exist or are being developed. But security issues are not yet known in Firefox 10, at least as of its release. There might be such issues, but as they're not known at that point, it's much less likely that an exploit exists for them. For Firefox 9, in turn, those exploits are a lot more likely to exist. So would you stay with Firefox 9, which is much more likely to be attacked?
Generally you're safe against publicly known security issues if, shortly after they become publicly known, a new release fixes them and you promptly update to that release. Exploits for publicly known issues can only be used against outdated machines. Such issues are the most commonly used, as they're usually used by less-experienced attackers. Professionals might use them as well, but usually don't attack the majority of systems.
Of course there's always a danger of unknown security issues, which are commonly searched for by professionals. But you're a lot less likely to be attacked by those. Apart from that, would you like to be exposed to both sets of security issues or only one?
- ElderDryas
- Posts: 144
- Joined: 3. Nov 2011, 22:06
- Location: Lincoln, Nebraska USA
Re: package update politics
In a somewhat related topic....
A while ago (a week, two, three? ... I forget) there was an exchange (IIRC on the ML) related to updating packages in the repos (bugs, security, cosmetic, etc.). An e-meeting was suggested to lay out the guidelines.
Would it be possible for someone to report on the outcome of that meeting (i.e., lay out the guidelines)? It might help the rest of us to know the who/what/where/how of individual packages getting updated.
If this would just repeat something that is already published (say, on the website), please include where this is located (URL, etc.).
- ElderDryas
Re: package update politics
Thanks for the link(s). As I read it, this particular question was postponed until the "next" meeting (last topic)?
Re: package update politics
Yes, but support of old repositories has been discussed, which is also part of the package update policies.
Re: package update politics
Shador and Gapan, I understand your points. If you really track the security holes in Firefox and update the package as soon as they're fixed, then I trust you.
Re: package update politics
witek wrote:
> Regarding security holes, I'm not sure if updating Firefox 9 to 10 just after it had been released was right, as two fix releases came within two weeks or so afterwards. Maybe it would have been better to wait a month or so until the Firefox developers fix their bugs? It seems that all new Firefox releases come with many bugs.

Rules of thumb:
* update soon, update often
* keep your browser to the latest version