List:       oss-security
Subject:    Re: [oss-security] Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz
From:       Moritz Muehlenhoff <jmm () inutil ! org>
Date:       2019-06-21 22:05:02
Message-ID: 20190621220502.aubbgwqvos6mvlz2 () inutil ! org

Simon McVittie wrote:
> If upstream projects have a stable branch that is genuinely stable
> and bugfix-only to minimize the risk of regressions, and encourage
> downstream distributions to align on the latest stable branch during
> their development phase, then I think that goes a long way towards this.
> If I understand correctly, PostgreSQL is one of the canonical examples of
> a project that does this, and gets its upstream point releases included
> in stability-focused projects like Debian as-is.

Exactly. Other examples where Debian ships upstream stable branches
when updating a stable/oldstable release (via security.debian.org or
point releases), off the top of my head, are:

- ffmpeg
- Firefox ESR
- Linux (follows upstream LTS branches)
- MariaDB
- Mediawiki
- OpenJDK
- OpenSSL
- PHP
- Thunderbird ESR
- VLC
- Wireshark
- Xen

It has served us very well overall and it's considered on a case-by-case
basis; e.g. whether upstream releases in those long term branches are
sufficiently vetted/regression-tested.

Cheers,
        Moritz