[OpenIndiana-discuss] OI roadmap (for production)

Bob Friesenhahn bfriesen at simple.dallas.tx.us
Mon Dec 7 18:31:20 UTC 2015


On Mon, 7 Dec 2015, Tim Mooney wrote:
>
> What would help me (and hopefully others) is if there were documentation
> on how we can verify whether an OI /dev package includes a particular
> patch.  Does that documentation exist?
>
> Part of the issue is that if I run the software update utility or pkg
> update and there haven't been any package updates in months, it's hard
> to know whether a particular vulnerability has been patched.  At least
> on Linux, it's very easy to go back to the vendor package source and
> check to see if a particular patch is included.
>
> Take libpng for example.  The latest OI /dev ships is 1.4.12.  Everything
> before 1.4.17 is vulnerable to CVE-2015-7981 and CVE-2015-8126.  Let's
> say that I had just installed a8 today and then updated to a9, so I didn't
> know whether libpng had been patched or not.  How would I check?

Given the development model of OpenIndiana, I think that it is much 
more likely that the software version is updated based on a formal 
upstream release rather than a security issue being fixed via a patch. 
Only really extreme security issues or well-known issues in valuable 
unmaintained projects are likely to be fixed via a patch.

OpenIndiana is not going to be prepared any time soon to provide 
security fixes in the way that Red Hat or Debian are able to provide.

Bob
-- 
Bob Friesenhahn
bfriesen at simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer,    http://www.GraphicsMagick.org/
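Tim's question above (how to tell whether the installed libpng predates the version that fixed CVE-2015-7981 and CVE-2015-8126) is the kind of check that can be scripted once you know that, per Bob's reply, OpenIndiana normally fixes things by moving to a new upstream release rather than by patching in place, so the upstream version number carried in the IPS package version is a meaningful signal. The following is an added example, not code from the thread or from the OpenIndiana project. It assumes the package is named `library/libpng` and that `pkg info` prints the usual IPS `Key: value` layout; the sample output is constructed, and the fixed-in version comes from Tim's message.

```python
import re
from typing import Dict, Tuple

# Constructed sample of `pkg info library/libpng` output on a hypothetical
# OpenIndiana /dev system. The package name, publisher, branch and timestamp
# are assumptions made for this example.
SAMPLE_PKG_INFO = """\
          Name: library/libpng
       Summary: PNG reference library
         State: Installed
     Publisher: openindiana.org
       Version: 1.4.12
 Build Release: 5.11
        Branch: 2015.0.0.0
          FMRI: pkg://openindiana.org/library/libpng@1.4.12,5.11-2015.0.0.0:20151101T000000Z
"""

# Advisory data as quoted in the thread: everything before libpng 1.4.17 is
# affected by these two CVEs.
FIXED_IN: Dict[str, str] = {"CVE-2015-7981": "1.4.17", "CVE-2015-8126": "1.4.17"}


def parse_pkg_info(text: str) -> Dict[str, str]:
    """Turn the 'Key: value' lines printed by `pkg info` into a dict."""
    info: Dict[str, str] = {}
    for line in text.splitlines():
        # Lazy key match stops at the first ':' so values such as the FMRI
        # (which contain '://') are kept whole.
        m = re.match(r"\s*([A-Za-z ]+?):\s*(.*)$", line)
        if m:
            info[m.group(1).strip()] = m.group(2).strip()
    return info


def upstream_version(fmri_or_version: str) -> Tuple[int, ...]:
    """Extract the upstream component version from an IPS version or FMRI.

    IPS versions look like 1.4.12,5.11-2015.0.0.0:20151101T000000Z: the part
    before the first ',' is the upstream release. Only the numeric fields are
    compared, so a suffix such as '0a' is reduced to its leading digits.
    """
    ver = fmri_or_version.split("@")[-1].split(",")[0]
    return tuple(int(p) for p in re.findall(r"\d+", ver))


def affected(info: Dict[str, str], fixed_in: Dict[str, str]) -> Dict[str, bool]:
    """Map each CVE to True when the installed version predates the fix."""
    installed = upstream_version(info["Version"])
    return {cve: installed < upstream_version(fix) for cve, fix in fixed_in.items()}


def report(text: str = SAMPLE_PKG_INFO, fixed_in: Dict[str, str] = FIXED_IN) -> Dict[str, bool]:
    """Parse `pkg info` output and return the per-CVE verdict."""
    return affected(parse_pkg_info(text), fixed_in)


if __name__ == "__main__":
    import sys

    # Real use: `pkg info library/libpng | python3 check_libpng.py`; without a
    # pipe the constructed sample above is used instead.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PKG_INFO
    for cve, vulnerable in report(text).items():
        print(f"{cve}: {'AFFECTED' if vulnerable else 'fixed'}")
```

The comparison is only as good as the assumption behind it: on a distribution that backports a fix without bumping the upstream version (the Red Hat and Debian model Bob contrasts with), this check would report a false positive, and the package's change log or build manifest would have to be consulted instead. On OpenIndiana, where the reply says fixes normally arrive as new upstream releases, a version older than the fixed-in release is a reasonable reason to treat the package as unpatched.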
