guix-devel

Re: [opinion] CVE-patching is not sufficient for package security patching


From: Jonathan Brielmaier
Subject: Re: [opinion] CVE-patching is not sufficient for package security patching
Date: Tue, 16 Mar 2021 12:17:49 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Icedove/78.7.1

On 16.03.21 12:10, Léo Le Bouter wrote:
> For these reasons, I suggest that we always strive to update packages
> to their latest versions and that I think it is security relevant to
> always do so. Of course, new code could *introduce* new vulnerabilities
> but I am not trying to debate this, it's that to the best of the
> upstream's knowledge chances are that the latest version will contain
> more security fixes than older versions (if that upstream is actually
> maintaining the project).

I think the only two reasons against that are: time and CI/rebuilding. I
think that's the reason why stuff like Gnome and others lower in the
dependency tree are lagging behind... Being non-FHS and non-systemd
doesn't make updates for that stuff any easier and is maybe the third
reason/root issue...
