tech-pkg archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: Switch vulnerable packages to a warning only

On Thu, May 21, 2020 at 05:52:58PM +0100, Jonathan Perkin wrote:
 > And even if they get bootstrapped, they aren't going to get very far:
 >   Package icu-66.1 has a integer-overflow vulnerability
 >   Package libxml2-2.9.10nb1 has a buffer-overflow vulnerability
 >   Package perl-5.30.2 has a symlink-attack vulnerability
 >   Package python27-2.7.18 has a denial-of-service vulnerability
 >   Package python37-3.7.7 has a crlf-attack vulnerability
 >   Package python37-3.7.7 has a denial-of-service vulnerability
 >   ...
 > It's a nice idea, but with the current state of affairs it's
 > completely unrealistic as an option, and certainly as a default one.

Yeah, this.

I think it would be great if we managed to get back to a state where
these warnings only cropped up occasionally, but that's a heck of a
lot of work (both for us and a lot of upstreams) and the deluge of
minor bugs that are branded "vulnerabilities" is not likely to slack
off anytime soon.

David A. Holland

Home | Main Index | Thread Index | Old Index