On Tue, Jun 09, 2009 at 07:05:47AM -0700, Alan Coopersmith wrote:
> Joerg Sonnenberger wrote:
> > On Mon, Jun 08, 2009 at 04:20:00PM -0400, Adam Jackson wrote:
> >> Security is handled out of band like any other project. We'll release
> >> patches for at least the most recent release, probably do a point
> >> release for same, and anyone shipping anything older gets to backport.
> >
> > In practice, this didn't happen though. I don't care about most other
> > parts, but this one is and was a huge regression compared to the
> > monolithic world.
>
> Which part doesn't happen? I don't see any difference in our patch releases
> compared to monolithic days, and don't know of any security bugs we know of
> and have failed to release patches for.
The part about point releases never happened, and the process of working out which patches are needed was quite a bit easier for the monolithic tree. E.g. the patches for the monolithic tree effectively replaced the point releases. I can point at least to the libXfont-1.3.1 release and the buffer overflow with the readlink usage that never was addressed via patch. There have been other issues in the past where the only options for a vendor were either to follow the git commits or the patch lists of various Linux distributions.

Let me make one thing clear: I don't care about the past, as it is done, but please don't repeat this in the future. E.g. make a proper tiny version upgrade for the next security issue, independent of the component.

Joerg

_______________________________________________
xorg mailing list
[email protected]
http://lists.freedesktop.org/mailman/listinfo/xorg
