|
Message-ID: <d49124e0c81f204be7733c397539cc077ccd2a44.camel@debian.org>
Date: Fri, 21 Jun 2019 17:41:49 +0200
From: Yves-Alexis Perez <corsac@...ian.org>
To: oss-security@...ts.openwall.com
Subject: Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz

On Fri, 2019-06-21 at 11:53 +0200, Greg KH wrote:
> So it's a matter of "do I live with all of the bugs that everyone else
> knows about and how to exploit, or do I live with a potential
> regression?" That sounds like an easy choice given that the reason you
> should be updating is to resolve all of those known bugs :)

I'm not really talking about potential regressions: I'm talking about real functional changes that the end-user doesn't expect (nor want) in a stable release. Backporting is often a pain, but full throttle to the latest release also has a burden (for the end-user, for the distributor and so on). It really depends on the project (and I don't want to point fingers, that's not the point).

> Regressions always happen, we are human, but there are ways to mitigate
> them (testing, roll-back, preventing developers from not breaking things
> on purpose, etc.) And projects that do not do this type of work to
> prevent regressions need to learn that they should change, or users will
> go elsewhere.

But then again the question is, who does the work (of backporting, regression testing, etc.)? And again it's not always about bugs; it might very well be that there's a user interface change requiring a lot of documentation updates downwards, a dependency chain update or whatever. There might be good reasons for stability, even besides not introducing new bugs; that was just my point.
Regards,
-- 
Yves-Alexis