oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Thousands of vulnerabilities, almost no CVEs: OSS-Fuzz

From: Moritz Muehlenhoff <jmm () inutil org>
Date: Sat, 22 Jun 2019 00:05:02 +0200
Simon McVittie wrote:

If upstream projects have a stable branch that is genuinely stable
and bugfix-only to minimize the risk of regressions, and encourage
downstream distributions to align on the latest stable branch during
their development phase, then I think that goes a long way towards this.
If I understand correctly, PostgreSQL is one of the canonical examples of
a project that does this, and gets its upstream point releases included
in stability-focused projects like Debian as-is.


Exactly, other examples where Debian ships upstream stable branches
when updating a stable/oldstable release (via security.debian.org or
point releases) out of the top of my head are:

- ffmpeg
- Firefox ESR
- Linux (follows upstream LTS branches)
- MariaDB
- Mediawiki
- OpenJDK
- OpenSSL
- PHP
- Thunderbird ESR
- VLC
- Wireshark
- Xen

It has served us very well overall and it's considered on a case-by-case
basis; e.g. whether upstream releases in those long term branches are
sufficiently vetted/regression-tested.

Cheers,
        Moritz
Previous By Date Next
Previous By Thread Next

Current thread: