On Wed, 6 Jan 2010 11:01:01 +0800 Paul Wise wrote:
> On Wed, Jan 6, 2010 at 9:20 AM, Kees Cook <k...@debian.org> wrote:
>
> > There is a maintained (by RedHat) patch for dealing with PIE. I already
> > maintain a delta for this in Ubuntu, but as you can see in the gdb bug,
> > the gdb maintainer doesn't want it until it's in upstream. I, obviously,
> > think that's ridiculous. PIE works and is useful. Blocking its rollout
> > because gdb's support for it isn't upstream just furthers the catch-22.
>
> It is perfectly reasonable to reject patches until they are upstream.
> I personally will never add patches to Debian without either
> committing them upstream myself or some indication that they already
> have been or will be accepted upstream. IIRC the Debian kernel team
> has similar policies. Why hasn't RedHat upstreamed the patch? They are
> usually good about doing that. Perhaps you could push them to do so.
While normally I would agree with your logic, when it comes to security I think a more cautious logic must prevail. Remember that item 4 of the social contract states that: "Our priorities are our users and free software." An aspect of that guidance is providing high quality security for those users. Hence, when a feature improves security (or provides additional hardening), the convenience factor of not differing from upstream should be considered a lower priority than normal.

Best wishes,
Mike