On Sat, Mar 03, 2012 at 01:50:13PM -0500, Jeremy Huntwork wrote:
> On 3/3/12 1:11 PM, Qrux wrote:
> > The security issues with production have been mentioned several times. I've
> > sort of just assumed it was a friendly "caveat emptor", and filtered it
> > out. But, it's now come up often enough where it seems to be implying
> > something stronger than the assumption above. In fact, it
> > all-but-suggests: "There are some serious security issues with LFS."
> >
> > Is this actually the case?
>
> I think the reason this comes up is because LFS is made up of a limited
> number of developers (essentially hobbyists) that don't have the time
> and resources to track down all security issues. And so there is a
> hesitancy to call LFS 'secure' because they can't guarantee it.
>

LFS itself is usually prompt at fixing known vulnerabilities. But we've no idea what fixes are being prepared by distros until we see that they have released something. And then we have to spend time trying to understand if the issue affects our current version or not - sometimes we might make the wrong call.
My concerns are more with BLFS: From time to time, editors are active and interested in fixing vulnerabilities in the packages they use. At other times, or for other packages, exploits may be in the wild for weeks before anything is changed in the book.

For most of us, the likely risk from many such vulnerabilities is tiny. For those who have users, or public-facing services, the likely risk can be a lot higher.

Also, we're only really concerned about our current versions. I don't really recall many vulnerability fixes in LFS in recent times - often, we pick up a new release as a matter of course, even before anyone notes that it fixes a vulnerability. In BLFS, if we can remove the vulnerability by upgrading to a newer version, then we will do that - many times, the vulnerability will not be mentioned.

ĸen
--
once as tragedy, the other time as farce