Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz

[Ian Zimmerman <itz () very loosely org>]

On 2019-06-21 10:57, Simon McVittie wrote:

> If upstream projects have a stable branch that is genuinely stable
> and bugfix-only to minimize the risk of regressions, and encourage
> downstream distributions to align on the latest stable branch during
> their development phase, then I think that goes a long way towards this.
> If I understand correctly, PostgreSQL is one of the canonical examples of
> a project that does this, and gets its upstream point releases included
> in stability-focused projects like Debian as-is.

Doesn't this simply shift the work of backporting ("crazy and bound to
always fail in the end") from the distro maintainer to the upstream
stable branch maintainer?  He/she is more like "midstream" working in
that role.

-- 
Please don't Cc: me privately on mailing lists and Usenet,
if you also post the followup to the list or newsgroup.
To reply privately _only_ on Usenet and on broken lists
which rewrite From, fetch the TXT record for no-use.mooo.com.