On Thu, Nov 28, 2013 at 08:07:16PM -0600, Steve Langasek wrote:
> All distributions "care" about not having security issues in their code, but
> that's not the same thing as actually doing the work to audit the code. In
> practice this only happens when dedicated resources are turned on the code
>
Hi,
Personally I'm in favour of following the openssl point updates and I'd
like to add an additional data point to the discussion:
CVE-2015-3196 was already fixed as a plain bugfix in an earlier point
release, but the security impact was only noticed later on, so following
the point updates would
Simon McVittie wrote:
> I think we have a fairly good picture of the costs that would be
> incurred from using alternatives:
Plus in the case of opentmpfiles; a pile of security issues: systemd-tmpfiles
addresses a number of complex races using low level primitives like openat() et
al. or O_PATH,
On Wed, Oct 21, 2020 at 08:22:11AM -0700, Sean Whitton wrote:
> Hello security team,
>
> The TC are being asked about src:kubernetes, and it would be good to
> hear from you about whether and how security support is a relevant
> consideration in determining whether the level of vendoring in that
>
Catching up on this...
> > This leaves Debian with two options:
> > * Keep it out of a stable release and accept that it's good enough
> > if people just install whatever deb they currently find in testing/sid
> > (works out well enough for most given that blob nature of Go!)
>
> IMHO this
On Sun, Nov 08, 2020 at 10:49:31PM +0100, Florian Weimer wrote:
> * Moritz Mühlenhoff:
>
> > * Follow a scheme similar to Firefox ESR where in case of a security
> > the update either happens to the latest minor release of
> > the current branch or if that has stop
6 matches