On Thu, Jun 29, 2017 at 12:48:22PM +0800, Alex Vong wrote:
> Leo Famulari writes:
>
> [...]
> > But, the "Stack Clash" issues took us by surprise and we spent a few
> > days writing and testing our fixes. We are committed to supporting
> > 32-bit platforms where these bugs are apparently easy to exploit.
> > Without access to the exploits or detailed discussion, it was very
> > difficult to know if our fixes actually worked. So, we could have
> > responded more quickly and effectively with early notice.
> [...]
>
> Should we bring this discussion to nix devs as well? I am sure they are
> facing the same issue of not having early access to vulnerabilities. It
> will be insightful to know how they dealt with it in the past and their
> opinions on joining the list.

If somebody who has a relationship with the Nix team would like to discuss it with them, I'd be happy to hear the result, but I don't really have time for it right now.

Also, we would not be able to discuss embargoed bugs from linux-distros with them, according to the list policy.

Besides, I think our present situation and practices regarding security updates are very different from Nix's. They have different tools for shipping security updates, and they do the "stable" branch thing.