HEADSUP: Security updates outstanding

Yaakov (Cygwin Ports) yselkowitz@users.sourceforge.net
Mon Aug 18 19:09:00 GMT 2008



Corinna Vinschen wrote:
> Personally I'm kind of not interested to go this road.  If I learn about
> a problem in an upstream package, I update.  If anybody else wants to
> take over responsibility for security problems, I certainly don't stand
> in the way, of course.

While that seems to work for you, when applied to the entire distro
there are some pitfalls:

1) According to the cygwin-pkg-maint file, there are currently 56
"active" package maintainers.  We can't assume that everyone is as
diligent -- or in the know -- as you are.

2) Even if they would be, most of the time we would still be playing
"catch-up", first updating when the issue is public instead of
coordinating beforehand like the linux distros.

3) We have absolutely no way of handling the case where a maintainer is
away (or MIA) when we need an urgent bump/patch.

Having a security team and a private list would allow us to deal with
all these things responsibly.


Yaakov