From owner-freebsd-security Mon Dec 16 11:21:09 1996
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id LAA25801 for security-outgoing; Mon, 16 Dec 1996 11:21:09 -0800 (PST)
Received: from scanner.worldgate.com (scanner.worldgate.com [198.161.84.3]) by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id LAA25793 for ; Mon, 16 Dec 1996 11:21:05 -0800 (PST)
Received: from znep.com (uucp@localhost) by scanner.worldgate.com (8.7.5/8.7.3) with UUCP id MAA20323; Mon, 16 Dec 1996 12:20:41 -0700 (MST)
Received: from localhost (marcs@localhost) by alive.ampr.ab.ca (8.7.5/8.7.3) with SMTP id MAA09461; Mon, 16 Dec 1996 12:18:39 -0700 (MST)
Date: Mon, 16 Dec 1996 12:18:39 -0700 (MST)
From: Marc Slemko
X-Sender: marcs@alive.ampr.ab.ca
To: Adam Kubicki
cc: freebsd-security@freebsd.org
Subject: Re: why is -stable not secure?
In-Reply-To: <199612161654.IAA16978@freefall.freebsd.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Because no one has put them there. They can be there the second after they are in -current if they are put there; that happens when the person committing them feels confident enough in the patch and has the time to.

If you think that the holes discovered in -stable (or current, for that matter) are anywhere near all of them, think again. I would bet that if someone wanted to find a hole to exploit, they would simply have to look over the OpenBSD CVS logs to find dozens. These should be integrated into FreeBSD. When will they? When someone has time.

I don't have any more powers than you, but I probably would have had someone commit this fix to -stable within the next few weeks; it is one of the fixes I have sitting around to be committed to various branches that I haven't got around to putting together yet.

Most of these problems require little knowledge to find and little knowledge to fix. In fact, things would be helped if someone sat watching the freebsd-cvs-all list which details all the CVS changes and, if you see an important security fix come through that doesn't get committed to -stable, gently prod the person who committed it to -current to commit it to -stable if possible.

Now it is even worse than before; there are now three different trees; -current (3.0), 2.2, and 2.1. Don't underestimate the work it takes to keep things together when you have three different places to fix.

If there is someone interested in keeping -stable up to date in this way, perhaps they could take on an informal role of keeping it up to date with things like this; find a committer who will take patches from you that you pull from -current and put into -stable.

On Mon, 16 Dec 1996, Adam Kubicki wrote:

> hi,
>
> I'd like to ask why patches included in -current aren't in -stable
> version? There are few serious bugs (security too) fixed in -current but not
> in -stable. How long does it take to move patches to -stable source tree??
>
> -adam
>