[BLFS-DEV] Re: Vulnerabilities.

Ag. D. Hatzimanikas a.hatzim at gmail.com
Wed Jul 9 14:44:05 PDT 2008


Hi Ken,

On Wed, Jul 09, at 01:10 Ken Moffat wrote:
> On Wed, Jun 25, 2008 at 01:58:22PM +0300, Ag. D. Hatzimanikas wrote:
> > 
> > I've gathered this information about vulnerable packages (could be more).
> > 
> > 
> > PACKAGE   | LINK| BOOK VERSION | RESOLUTION|
> > ____________________________________________
> > Ruby      | [1] | AFFECTED     | Upgrade   |
> > Freetype  | [2] | AFFECTED     | Upgrade   |
> > Libvorbis | [3] | AFFECTED     | [9]       | 
> > Openssl   | [4] | AFFECTED     | Upgrade   |
> > Imlib     | [5] | AFFECTED     | [10]      |
> > Libxslt   | [6] | AFFECTED     | Upgrade   |
> > Mplayer   | [7] | AFFECTED     | Upgrade   |
> > Libpng    | [8] | AFFECTED     | Upgrade   |
> > ============================================
> > 

[...]

Thanks for fixing these vulnerabilities, as security has to be (ideally)
one of our main concerns.

Unfortunately our security mailing list is inactive and I don't think it
will ever recover under the current circumstances.
With that in mind, I believe we have to warn our users and recommend that
they follow one of the security mailing lists from other channels.

Fortunately there are (at least) two running from some popular and
serious distributions that can serve that purpose; these are
the one from Gentoo (see the link that I've already posted in the first
mail on that thread), and the one that is run by Debian[1].

In my opinion we have to put some of that information in a visible place,
either in the front web page or (why not) in the Book.


On another but similar matter.

Although, quite wisely in my opinion, you (Ken) have fixed the Book with
your recent commits, unfortunately this means another delay in the
release, since some of the updated packages are basic dependencies of a
lot of important packages.

I think we can all understand that we can't trust a blind update and
release too soon, without testing the new updates for a considerable
time.

The question is:
Who is gonna test it? Because I believe most of the editors (myself
included) don't have a 6.3 LFS release around anymore - it's been
almost a year (sorry).

Is it maybe a solution to postpone the release indefinitely or cancel
the release entirely? Why not? Gentoo did it last year.

Is it maybe a solution to put a release manager to get this out?
I really don't want to blame anyone (really, we're all volunteers), and
especially I don't blame Randy, whose contributions to the project
everybody knows, but it looks like he is busy, as we are all
busy (tough times, oil etc ...).

In any case, we've also got to update the news page, because there is an
announcement for a release on 25 May, with another one (announcement)
where we can explain bravely that we can't keep our promises and give an
explanation. It is no big deal. I've seen it all the time in open
source projects, and in quite huge projects with maaaany developers.
You want names? xorg/kde/debian/gentoo and others.
And we have a good reason. There are a ton of newly discovered vulnerabilities.
Just look at the two links I posted.
And we don't have the luxury of having some hundreds of developers like
the two aforementioned distributions.
In summary, I am just against false expectations, that's all.


Ah, and another thing. Maybe all this wouldn't be an issue at all if
we had released more regularly using point releases, like:
6.3, 6.3.1, ...

1. http://www.debian.org/security/
-- 
http://wiki.linuxfromscratch.org/blfs/wiki/Hacking