HackerLangs
TopNewTrendsCommentsPastAskShowJobs

stefanor

no profile record

comments

stefanor
·2 mesi fa·discuss
The Linux project's view is that almost all kernel bugs are security vulnerabilities. They don't treat something like this as anything special.

I can understand that PoV, but it doesn't fit with distributions' approach to security. So, in practice, one has to reach out to distributions individually, or use distros lists on openwall.org to coordinate with all distros.
stefanor
·2 mesi fa·discuss
As far as we can tell, nobody disclosed it to the distributions, only to the kernel security team (who did not reach out to distributions). So the distributions are all scrambling now.

Good lesson in how not to do disclosure.
stefanor
·2 anni fa·discuss
Debian has epochs, but it's a bad idea to use them for this purpose.

Two reasons:

1. Once you bump the epoch, you have to use it forever. 2. The deb filename often doesn't contain the epoch (we use a colon which isn't valid on many filesystems), so an epoch-revert will give the same file name as pre-epoch, which breaks your repository.

So, the current best practice is the +really+ thing.