X.org release engineering?

Joerg Sonnenberger joerg at britannica.bec.de
Tue Jun 9 07:58:57 PDT 2009


On Tue, Jun 09, 2009 at 07:05:47AM -0700, Alan Coopersmith wrote:
> Joerg Sonnenberger wrote:
> > On Mon, Jun 08, 2009 at 04:20:00PM -0400, Adam Jackson wrote:
> >> Security is handled out of band like any other project.  We'll release
> >> patches for at least the most recent release, probably do a point
> >> release for same, and anyone shipping anything older gets to backport.
> > 
> > In practise, this didn't happen though. I don't care about most other
> > parts, but this one is and was a huge regression compared to the
> > monolithic world.
> 
> Which part doesn't happen?   I don't see any difference in our patch releases
> compared to monolithic days, and don't know of any security bugs we know of
> and have failed to release patches for.

The point releases never happened, and the process of finding out what
patches are needed was quite a bit easier for the monolithic tree.
E.g. the patches for the monolithic tree effectively replaced the point
releases. I can point at least to the libXfont-1.3.1 release and the
buffer overflow with the readlink usage that never was addressed via
patch. There have been other issues in the past where the only options
for a vendor were either to follow the git commits or the patch lists of
various Linux distributions.

Let me make one thing clear: I don't care about the past as it is done,
but please don't repeat this in the future. E.g. make a proper tiny
version upgrade for the next security issue, independent of the
component.

Joerg
