From: Jonathan Brielmaier
Subject: Re: [opinion] CVE-patching is not sufficient for package security patching
Date: Tue, 16 Mar 2021 12:17:49 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Icedove/78.7.1
On 16.03.21 12:10, Léo Le Bouter wrote:
> For these reasons, I suggest that we always strive to update packages to their latest versions, and I think it is security relevant to always do so. Of course, new code could *introduce* new vulnerabilities, but I am not trying to debate this; it's that, to the best of the upstream's knowledge, chances are that the latest version will contain more security fixes than older versions (if that upstream is actually maintaining the project).
I think the only two reasons against that are: time and CI/rebuilding. I think that's the reason why stuff like GNOME and others lower in the dependency tree are lagging behind... Being non-FHS and non-systemd doesn't make updates for that stuff any easier, and is maybe the third reason/root issue...