[BLFS-DEV] Re: Vulnerabilities.

Ken Moffat ken at linuxfromscratch.org
Wed Jul 9 15:40:30 PDT 2008


On Thu, Jul 10, 2008 at 12:44:05AM +0300, Ag. D. Hatzimanikas wrote:

 Hi Ag,

>Unfortunately our security mailing list is inactive and I don't think
>will ever recover under the current circumstances.

 Yes, effectively defunct since the change of the server when
everyone got dropped.  We don't really have an ongoing security
process, apart from when somebody notices something, and by
definition we aren't going to be there on zero-day because we aren't
on vendor-security.  Hell, even getting source from firefox on the
day they produce an update is a non-starter.

 For instance, that perl vulnerability - I missed it at the time, so
I took a look at what else was in the redhat packages, and there is
a fix for another vulnerability from last year (although, I had to
search their bugzilla to identify it).
> 
> The question is:
> Who is gonna test it? Because I believe most of the editors (myself
> included) don't have a 6.3 LFS release around anymore - it's been
> almost a year (sorry).
> 
 On this particular point, I still have a full 6.3 system from the
back end of last year, and a slightly more recent 6.3 where I added
extra packages to handle some of the things in the book that I
normally ignore (e.g. valgrind and texinfo), until that ran out of
space.  That's not to say that I'm still using 2.6.22 kernels; I
think at least one of the kernel fixes that I grabbed from debian
for (clfs) 2.6.24 is also relevant to 2.6.22.

 But, I'm not willing to rebuild my desktop against the 6.3 book
(done it twice already), so testing is indeed a problem (which is
why I've not put libxslt in the branch).

> Is it maybe a solution to postpone the release indefinitely or cancel
> entirely the release? Why not? Gentoo did it last year.
> 

 I'm reluctant not to release at all, because that makes us one of
those projects where you have to take a random svn version and hope
it all works.  But, 6.3 does look increasingly old.

ĸen
-- 
the one time as tragedy, the other time as farce
