openmapsguy | 3 years ago

Generally, distros supply security updates. For example, Debian picks a version for a release and makes sure it has security updates for the entire release. Sometimes this requires backporting patches because the version is no longer supported upstream. This means an app can be shipped that will work for the life of the release without changes, while staying secure.

iudqnolq | 3 years ago

In theory, yes. In practice I'm very skeptical that maintainers can correctly backport patches without having a solid understanding of the source code. And I'm skeptical that maintainers can have a solid understanding of the source code without reading a substantial portion of it, and I know they haven't got the time to do that.

openmapsguy | 3 years ago

I’m sure what you’re saying happens. There are thousands of packages with maintainers of varying skill.

That said, the track record speaks for itself. I can only remember one time a maintainer introduced a vuln in Debian. The system works even though you’ll find cracks if you look.