package update politics

Other talk about Salix
witek
Posts: 233
Joined: 16. Nov 2009, 13:41
Location: Poland.Łódź

Re: package update politics

Post by witek »

Regarding security holes, I'm not sure if updating Firefox 9 to 10 just after it had been released was right, as two fix releases came later within two weeks or so. Maybe it would have been better to wait a month or so until the Firefox developers fix their bugs? It seems that all new Firefox releases come with many bugs.
gapan
Salix Wizard
Posts: 6353
Joined: 6. Jun 2009, 17:40

Re: package update politics

Post by gapan »

witek wrote: Regarding security holes, I'm not sure if updating Firefox 9 to 10 just after it had been released was right, as two fix releases came later within two weeks or so. Maybe it would have been better to wait a month or so until the Firefox developers fix their bugs? It seems that all new Firefox releases come with many bugs.
So it would have been better to keep known security holes for a month? What makes you think that holes in 10.0 were not also present in 9.0.x? And in any case, the Firefox packages in Salix were updated to 10.0.1 and 10.0.2 as soon as they were released.
Shador
Posts: 1295
Joined: 11. Jun 2009, 14:04
Location: Bavaria

Re: package update politics

Post by Shador »

If there are security updates, they should be released as fast as possible. Look upon it like this:
If there's a security issue, e.g. in Firefox 9, and Firefox 10 fixes it, then that issue is publicly known. That means it's likely that exploits for that issue exist or are being developed. But security issues are not yet known in Firefox 10, at least as of its release. There might be such issues, but as they're not known at that point, it's much less likely that an exploit exists for them. For Firefox 9, in turn, those exploits are a lot more likely to exist. So would you stay with Firefox 9, which is much more likely to be attacked?

Generally you're safe against publicly known security issues if, shortly after they become publicly known, a new release fixes them and you promptly update to that release. Exploits for publicly known issues can only be used against outdated machines. Such issues are most commonly used, as they're usually used by less experienced attackers. Professionals might use them as well, but usually don't attack a majority of systems.
Of course there's always a danger of unknown security issues, which are commonly searched for by professionals. But you're a lot less likely to be attacked by those. Apart from that, would you like to be exposed to both sets of security issues or only one?
ElderDryas
Posts: 144
Joined: 3. Nov 2011, 22:06
Location: Lincoln, Nebraska USA

Re: package update politics

Post by ElderDryas »

In a somewhat related topic....

A while ago (a week, two, three?... I forget) there was an exchange (IIRC on the ML) related to updating packages in the repos (bugs, security, cosmetic, etc.). An e-meeting was suggested to lay out the guidelines.

Would it be possible for someone to report on the outcome of that meeting (i.e., lay out the guidelines)? It might help the rest of us to know who/what/where/how individual packages get updated.

If this would just repeat something that is already published (say, on the website), please include where this is located (URL, etc.).
ElderDryas
Posts: 144
Joined: 3. Nov 2011, 22:06
Location: Lincoln, Nebraska USA

Re: package update politics

Post by ElderDryas »

Thanks for the link(s). As I read it, this particular question was postponed until the "next" meeting (last topic) ?
Shador
Posts: 1295
Joined: 11. Jun 2009, 14:04
Location: Bavaria

Re: package update politics

Post by Shador »

Yes, but support of old repositories has been discussed, which also is part of the package update policies.
witek
Posts: 233
Joined: 16. Nov 2009, 13:41
Location: Poland.Łódź

Re: package update politics

Post by witek »

Shador and gapan, I understand your points. If you really track the security holes in Firefox and update the package as soon as they're fixed, then I trust you.
thenktor
Salix Wizard
Posts: 2426
Joined: 6. Jun 2009, 14:47
Location: Franconia
Contact:

Re: package update politics

Post by thenktor »

witek wrote: Regarding security holes, I'm not sure if updating Firefox 9 to 10 just after it had been released was right, as two fix releases came later within two weeks or so. Maybe it would have been better to wait a month or so until the Firefox developers fix their bugs? It seems that all new Firefox releases come with many bugs.
Rules of thumb:
* update soon, update often
* keep your browser to the latest version
burnCDDA (burns audio CDs)
geBIERt (German beer blog)