Web lists-archives.com

Re: Mitigating the problem of limited security support




On Sun, May 28, 2017 at 09:32:23PM -0400, Jeremy Bicha wrote:
> > The good news is that the first kind of problems are detected and
> > fixed immediately, so waiting a couple of weeks before uploading
> > the releases to debian-security could be an option (is that what
> > Ubuntu does?).
> 
> For the past 9 months, the development version of Ubuntu tests the
> beta versions of the new major webkit2gtk release (for instance
> Zesty tested the 2.15.90 releases). This has been useful in catching
> regressions before they ever hit a stable webkit2gtk release.
> 
> If a webkit2gtk release fixes publicized CVEs, the release is now
> pushed as a security update into Ubuntu Stable Releases fairly
> quickly.

The problem is that point releases with fixes for CVEs can also
introduce regressions (#855103, introduced in 2.14.4). That one was
fixed quickly, though, but that's why I was asking.

Berto