
List:       oss-security
Subject:    Re: [oss-security] Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz
From:       Yves-Alexis Perez <corsac () debian ! org>
Date:       2019-06-21 15:41:49
Message-ID: d49124e0c81f204be7733c397539cc077ccd2a44.camel () debian ! org


On Fri, 2019-06-21 at 11:53 +0200, Greg KH wrote:
> So it's a matter of "do I live with all of the bugs that everyone else
> knows about and how to exploit, or do I live with a potential
> regression?"  That sounds like an easy choice given that the reason you
> should be updating is to resolve all of those known bugs :)

I'm not really talking about potential regressions: I'm talking about real
functional changes that the end-user doesn't expect (nor want) in a stable
release. Backporting is often a pain, but full throttle to latest release also
has a burden (for the end-user, for the distributor and so on). It really
depends on the project (and I don't want to point fingers, it's not the
point).
> Regressions always happen, we are human, but there are ways to mitigate
> them (testing, roll-back, preventing developers from not breaking things
> on purpose, etc.)  And projects that do not do this type of work to
> prevent regressions need to learn that they should change, or users will
> go elsewhere.

But then again the question is, who does the work (of backporting, regression
testing, etc.)? And again it's not always about bugs; it might very well be
that there's a user interface change requiring a lot of documentation updates
downstream, a dependency chain update or whatever.

There might be good reasons for stability, even besides not introducing new
bugs; that was just my point.

Regards,
-- 
Yves-Alexis