oss-sec mailing list archives
Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz
From: Moritz Muehlenhoff <jmm () inutil org>
Date: Sat, 22 Jun 2019 00:05:02 +0200
Simon McVittie wrote:
If upstream projects have a stable branch that is genuinely stable and bugfix-only to minimize the risk of regressions, and encourage downstream distributions to align on the latest stable branch during their development phase, then I think that goes a long way towards this. If I understand correctly, PostgreSQL is one of the canonical examples of a project that does this, and gets its upstream point releases included in stability-focused projects like Debian as-is.
Exactly. Other examples where Debian ships upstream stable branches when updating a stable/oldstable release (via security.debian.org or point releases), off the top of my head, are:
- ffmpeg
- Firefox ESR
- Linux (follows upstream LTS branches)
- MariaDB
- Mediawiki
- OpenJDK
- OpenSSL
- PHP
- Thunderbird ESR
- VLC
- Wireshark
- Xen

It has served us very well overall, and it's considered on a case-by-case basis, e.g. whether upstream releases in those long-term branches are sufficiently vetted/regression-tested.

Cheers,
Moritz
Current thread:
- Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz Alex Gaynor (Jun 15)
- Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz Greg KH (Jun 15)
- Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz Yves-Alexis Perez (Jun 21)
- Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz Simon McVittie (Jun 21)
- Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz Moritz Muehlenhoff (Jun 21)
- Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz Ian Zimmerman (Jun 21)
- Re: Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz Simon McVittie (Jun 21)
- Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz Yves-Alexis Perez (Jun 21)
- Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz Greg KH (Jun 21)
- Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz Yves-Alexis Perez (Jun 21)
- Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz Greg KH (Jun 15)
- Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz Alex Gaynor (Jun 15)
- Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz Bob Friesenhahn (Jun 15)
- Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz David A. Wheeler (Jun 15)
- Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz Alan Coopersmith (Jun 15)