unofficial mirror of guix-devel@gnu.org 
 help / color / mirror / code / Atom feed
* [opinion] CVE-patching is not sufficient for package security patching
@ 2021-03-16 11:10 Léo Le Bouter
  2021-03-16 11:17 ` Jonathan Brielmaier
                   ` (2 more replies)
  0 siblings, 3 replies; 22+ messages in thread
From: Léo Le Bouter @ 2021-03-16 11:10 UTC (permalink / raw)
  To: guix-devel

[-- Attachment #1: Type: text/plain, Size: 1661 bytes --]

Hello!

I would like to share some opinion I have on CVE-patching for non-
rolling release GNU/Linux distributions and why we should strive to
always update to the latest available releases or always follow
upstream supported release series and never backport patches ourselves
in most cases (some upstreams may have really good practices but these
are rare).

A lot of security issues are patched silently in upstream projects
without ever getting a CVE, security issues may not be labeled as such
by upstreams for various reasons (fear of shame, belief to patch
something with no security impact while it has, bizarre security
through obscurity policy, ..).

For these reasons, I suggest that we always strive to update packages
to their latest versions and that I think it is security relevant to
always do so. Of course, new code could *introduce* new vulnerabilities
but I am not trying to debate this, it's that to the best of the
upstream's knowledge chances are that the latest version will contain
more security fixes than older versions (if that upstream is actually
maintaining the project).

In many cases, browsing through the commit history of some popular
projects can uncover security issues not publicized through any
security mailing lists or CVEs anywhere, this is unfortunately quite
common. We cannot possibly monitor the commit history (and code) of
every single project to backport fixes when we would need to. It is
better for us to always strive to use the latest versions even when it
requires us to do more far-reaching changes because of
dependents/dependencies.

Let me know what you think!

Léo

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

^ permalink raw reply	[flat|nested] 22+ messages in thread

end of thread, other threads:[~2021-03-30  8:43 UTC | newest]

Thread overview: 22+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-03-16 11:10 [opinion] CVE-patching is not sufficient for package security patching Léo Le Bouter
2021-03-16 11:17 ` Jonathan Brielmaier
2021-03-16 11:27   ` Léo Le Bouter
2021-03-16 19:15 ` Leo Famulari
2021-03-16 23:19 ` Mark H Weaver
2021-03-16 23:49   ` Leo Famulari
2021-03-17 11:54     ` Guix moving too fast? zimoun
2021-03-17  6:07   ` [opinion] CVE-patching is not sufficient for package security patching Léo Le Bouter
2021-03-17  6:21   ` Léo Le Bouter
2021-03-20 11:19   ` Ludovic Courtès
2021-03-22 13:44     ` raingloom
2021-03-23 16:22       ` Joshua Branson
2021-03-23 23:53         ` Mark H Weaver
2021-03-23 17:56       ` Leo Famulari
2021-03-23 22:54       ` Ricardo Wurmus
2021-03-24 19:51         ` Leo Famulari
2021-03-24 20:24           ` Vincent Legoll
2021-03-24 20:32             ` Léo Le Bouter
2021-03-24 20:55             ` Leo Famulari
2021-03-25 14:22           ` Mathieu Othacehe
2021-03-25 18:19             ` Leo Famulari
2021-03-30  8:42           ` Buying AArch64 hardware? Ludovic Courtès

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).