Date: Fri, 21 Jun 2019 17:41:49 +0200 From: Yves-Alexis Perez <corsac@...ian.org> To: oss-security@...ts.openwall.com Subject: Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On Fri, 2019-06-21 at 11:53 +0200, Greg KH wrote: > So it's a matter of "do I live with all of the bugs that everyone else > knows about and how to exploit, or do I live with a potential > regression?" That sounds like an easy choice given that the reason you > should be updating is to resolve all of those known bugs :) I'm not really talking about potential regressions: I'm talking about real functional changes that the end-user doesn't expect (nor want) in a stable release. Backporting is often a pain, but full throttle to latest release also has a burden (for the end-user, for the distributor and so on). It really depends on the project (and I don't want to point fingers, it's not the point). > > Regressions always happen, we are human, but there are ways to mitigate > them (testing, roll-back, preventing developers from not breaking things > on purpose, etc.) And projects that do not do this type of work to > prevent regressions need to learn that they should change, or users will > go elsewhere. But then again the question is, who do the work (of backporting, regression testing, etc.) And again it's not always about bugs, it might very well be that there's a user interface change requiring a lot of documentation updates downwards, a dependency chain update or whatever. There might be good reasons for stability, even besides not introducing new bugs, that was just my point. Regards, - -- Yves-Alexis -----BEGIN PGP SIGNATURE----- iQEzBAEBCAAdFiEE8vi34Qgfo83x35gF3rYcyPpXRFsFAl0M+r0ACgkQ3rYcyPpX RFtnkAgAvxwmpnFT0hKbZViUO1j9BBkNo5KUhUMKs86OKSLGTQQNFfTMBs8EX5t5 1oTXi/uzEMwEYbJcSOzwm3nDavhxJvibGQiRiYgQJaT7ckt0/Pvq1qH1514jWFhj CTGMu145VGLoYYx1BjAO8eHQFRbvBct+0C8aBYXzq+rTDZXf+7h/OkVu7OQDgNHM HAsiJ8SnUrXykHAE5sMnywI8atAdD9QAGp0aQ3MABxmKX1ZJ9qS/Qv+OfFEJH44U G3ZWM9JLwdbmyFOWOrVlhpmpHaFdKTUSC6gpihyR4g5F+KdR5NMnUv3W52S9jzAh 7zFpM8sUtFsY4+Wta7HTaBTh1gATuQ== =zzq2 -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.