[opinion] CVE-patching is not sufficient for package security patching

["Léo Le Bouter" <lle-bout@zaclys.net>]

[-- Attachment #1: Type: text/plain, Size: 1661 bytes --]

Hello!

I would like to share some opinion I have on CVE-patching for non-
rolling release GNU/Linux distributions and why we should strive to
always update to the latest available releases or always follow
upstream supported release series and never backport patches ourselves
in most cases (some upstreams may have really good practices but these
are rare).

A lot of security issues are patched silently in upstream projects
without ever getting a CVE, security issues may not be labeled as such
by upstreams for various reasons (fear of shame, belief to patch
something with no security impact while it has, bizarre security
through obscurity policy, ..).

For these reasons, I suggest that we always strive to update packages
to their latest versions and that I think it is security relevant to
always do so. Of course, new code could *introduce* new vulnerabilities
but I am not trying to debate this, it's that to the best of the
upstream's knowledge chances are that the latest version will contain
more security fixes than older versions (if that upstream is actually
maintaining the project).

In many cases, browsing through the commit history of some popular
projects can uncover security issues not publicized through any
security mailing lists or CVEs anywhere, this is unfortunately quite
common. We cannot possibly monitor the commit history (and code) of
every single project to backport fixes when we would need to. It is
better for us to always strive to use the latest versions even when it
requires us to do more far-reaching changes because of
dependents/dependencies.

Let me know what you think!

Léo

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 833 bytes --]