If there is a vulnerability with no upstream release, we will almost always patch, but only the version in current (i.e. we won't touch the release repo).
An Arch release is just a snapshot of all the packages in current when we decided to make the release. In that way there is no back-porting of security patches to the release repo (see the mention of a possible stable repo above). Sometimes we release beta cds, but those are mostly to test the install procedure, as opposed to the packages. The packages should have had lots of testing while in current.
We don't release a lot of security alerts... we just release a new version and keep going...
Doesn't this mean if you want to set up a secure server, Arch is a no go? I've been wondering about this for quite a while, because I was trying to make up my mind whether I should convert my FreeBSD server to Arch.
But now I know I'm not going to (yet), for the following reasons:
- Arch doesn't really seem to care about security vulnerabilities, which is, to a certain extent, acceptable on a desktop, but not on a server.
- Arch doesn't pay much attention to stable releases. As Judd has said before, Arch doesn't focus on perfect releases, but on a perfect (-current) tree. This means no real beta/RC testing, which makes even the 0.x releases unsuitable for server use, imho.
I think Arch should pay more attention to stable/server releases and security issues in general.
This sort of thing doesn't need to be overly complicated either... arch is simple, and should most definitely stay that way ;-)
I'm willing to give up some time to this task if need be... For me, personally, this type of advisory system would help a lot, and would save me some unnecessary worries.
Take care,
ns
See, every day or few days, or whatever, all you need to do is type "pacman -Syu" which checks for updates on every package you have installed. If there are ever any security issues, there are new packages created ASAP, and they will be automatically updated with the above command. No need to read any mailing list or anything.
Hapy.
I just had a look at the main page (www.archlinux.org), but see that there seems to be only 1 general mailing list. Where do the advisories go to? To this forum only? Is it possible to set up a separate security advisory (or security discussion, depending on the goals of the admins and stuff) mailing list for this?