oss-sec mailing list archives
Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz
From: Yves-Alexis Perez <corsac () debian org>
Date: Fri, 21 Jun 2019 17:41:49 +0200
On Fri, 2019-06-21 at 11:53 +0200, Greg KH wrote:
> So it's a matter of "do I live with all of the bugs that everyone else knows about and how to exploit, or do I live with a potential regression?" That sounds like an easy choice given that the reason you should be updating is to resolve all of those known bugs :)
I'm not really talking about potential regressions: I'm talking about real functional changes that the end-user doesn't expect (nor want) in a stable release. Backporting is often a pain, but full throttle to latest release also has a burden (for the end-user, for the distributor and so on). It really depends on the project (and I don't want to point fingers, it's not the point).
> Regressions always happen, we are human, but there are ways to mitigate them (testing, roll-back, preventing developers from not breaking things on purpose, etc.) And projects that do not do this type of work to prevent regressions need to learn that they should change, or users will go elsewhere.
But then again the question is, who does the work (of backporting, regression testing, etc.)? And again it's not always about bugs, it might very well be that there's a user interface change requiring a lot of documentation updates downwards, a dependency chain update or whatever. There might be good reasons for stability, even besides not introducing new bugs, that was just my point.

Regards,
--
Yves-Alexis
Current thread:
- Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz Alex Gaynor (Jun 15)
- Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz Greg KH (Jun 15)
- Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz Yves-Alexis Perez (Jun 21)
- Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz Simon McVittie (Jun 21)
- Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz Moritz Muehlenhoff (Jun 21)
- Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz Ian Zimmerman (Jun 21)
- Re: Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz Simon McVittie (Jun 21)
- Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz Yves-Alexis Perez (Jun 21)
- Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz Greg KH (Jun 21)
- Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz Yves-Alexis Perez (Jun 21)
- Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz Greg KH (Jun 15)
- Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz Alex Gaynor (Jun 15)
- Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz Bob Friesenhahn (Jun 15)
- Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz David A. Wheeler (Jun 15)
- Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz Alan Coopersmith (Jun 15)
- Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz Bob Friesenhahn (Jun 16)
- Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz Solar Designer (Jun 16)