Security patches

Archaic archaic at linuxfromscratch.org
Tue Aug 16 20:37:51 PDT 2005


On Tue, Aug 16, 2005 at 09:47:06PM +0100, Ken Moffat wrote:
> 
>  This vulnerability should be low risk for most of us, but I think it's
> the sort of thing that ought to be applied.

Agreed.

> The question is, what do other people, particularly LFS editors,
> think?  Should there be a severity threshold, and less critical
> patches need to be discussed on this list, or should I just go ahead
> and commit ?

Well, most things should be mentioned even if there is no discussion
needed. It at least gives the OP the chance to lay out the problem and
the relevant URLs (ensure {b,}lfs-dev and lfs-support are sent the
email for the sake of those who don't follow all the lists). If the
patch is tested and known to not break something obvious, then by all
means commit it (testing branches and other specialty branches may have
more specific guidelines).

If it breaks something subtly, that would hopefully be found as more
people build trunk and BLFS, which also implies that the closer to a
release we get, the more rigorously the editor should test *before*
committing. The very minimum of testing is to create a test case and
trigger the vuln in the non-patched software, then try with the patched
software, instead of taking some distro's word that said patch works
(they've been wrong before).

All IMO.

>   Do people think the patches need to be reviewed for apparent
> correctness, or is the opinion of one editor that a patch looks
> reasonable sufficient ?

Well, we do have the opportunity to review the commit message. :)

>  Is there a tradeoff to be made between patching as soon as we mere
> mortals find out about new vulnerabilities (mainstream distros get to
> participate on non-disclosure lists, so they can create the patches) and
> reviewing what we put into the book ?

I would think that a test case trigger would be sufficient to prove the
patch. Later testing would sort out the possible brokenness of the patch.
Again, testing should be inversely proportional to time remaining before
release.

-- 
Archaic

Want control, education, and security from your operating system?
Hardened Linux From Scratch
http://www.linuxfromscratch.org/hlfs