X.org release engineering?

Alan Coopersmith Alan.Coopersmith at Sun.COM
Tue Jun 9 08:13:03 PDT 2009


Joerg Sonnenberger wrote:
> On Tue, Jun 09, 2009 at 07:05:47AM -0700, Alan Coopersmith wrote:
>> Joerg Sonnenberger wrote:
>>> On Mon, Jun 08, 2009 at 04:20:00PM -0400, Adam Jackson wrote:
>>>> Security is handled out of band like any other project.  We'll release
>>>> patches for at least the most recent release, probably do a point
>>>> release for same, and anyone shipping anything older gets to backport.
>>> In practice, this didn't happen though. I don't care about most other
>>> parts, but this one is and was a huge regression compared to the
>>> monolithic world.
>> Which part doesn't happen?   I don't see any difference in our patch releases
>> compared to monolithic days, and don't know of any security bugs we know of
>> and have failed to release patches for.
> 
> The part of point releases never happened and the process of what
> patches are needed was quite a bit easier for the monolithic tree.
> E.g. the patches for the monolithic tree effectively replaced the point
> releases. I can point at least to the libXfont-1.3.1 release and the
> buffer overflow with the readlink usage that never was addressed via
> patch. 

Assuming you mean
http://cgit.freedesktop.org/xorg/lib/libXfont/commit/?id=5bf703700ee4a5d6eae20da07cb7a29369667aef
the patch is available from git, like all other changes.   I can't find much
discussion in the xorg_security list mail in my inbox archives (list archives
obviously aren't public) but it looks like no one declared that they believed
it was an exploitable security issue, just a bug, so we didn't go through the
security release process for it.   (There was no CVE or security alert issued
either.)

-- 
	-Alan Coopersmith-           alan.coopersmith at sun.com
	 Sun Microsystems, Inc. - X Window System Engineering