Leo Famulari <l...@famulari.name> wrote:

> On Thu, Jun 29, 2017 at 12:48:22PM +0800, Alex Vong wrote:
>> Leo Famulari <l...@famulari.name> writes:
>>
>> [...]
>> > But, the "Stack Clash" issues took us by surprise and we spent a few
>> > days writing and testing our fixes. We are committed to supporting
>> > 32-bit platforms where these bugs are apparently easy to exploit.
>> > Without access to the exploits or detailed discussion, it was very
>> > difficult to know if our fixes actually worked. So, we could have
>> > responded more quickly and effectively with early notice.
>> [...]
>>
>> Should we bring this discussion to nix devs as well? I am sure they are
>> facing the same issue of not having early access to vulnerabilities. It
>> will be insightful to know how they dealt with it in the past and their
>> opinions on joining the list.
>
> If somebody who has a relationship with the Nix team would like to
> discuss it with them, I'd be happy to hear the result, but I don't
> really have time for it right now. Also, we would not be able to discuss
> embargoed bugs from linux-distros with them, according to the list
> policy.
>
> Besides, I think our present situation and practices regarding security
> updates are very different from Nix's. They have different tools for
> shipping security updates, and they do the "stable" branch thing.

Indeed. We can learn by working with each other in general, but for this particular topic I think it wouldn’t be that helpful. In addition to having different tools and practices, Nix and Guix are simply different distros.

Ludo’.