> The OpenSSH team would be well served by paying closer attention
> to various distribution patches to their code as well
Unfortunately tracking distribution patches is not very easy. There is no common interface
which has a list of patch files for a package.
Upstream authors must either look through the different bug report interfaces, or download the
package source and look for applied patches. Additionally there are lots of different patch
systems (e.g. Debian has dpatch, quilt, dbs, simple-patchsys, or just no system at all ;).
So in most cases, I believe upstream authors trust distribution maintainers to do the right
thing and send a copy of patches to the author or the mailing list.
Posted Apr 10, 2008 8:38 UTC (Thu) by DeletedUser32991 ((unknown), #32991)
Some distros let people subscribe to information related to a specific package, e.g. Debian with their package tracking system. This is not that hard to find and gives you all information from the distro side you'll ever need with just subscribing once, and many upstreams do subscribe for the benefit of all parties (including users, and upstreams that want to have more direct contact).
But then, OpenSSH and Debian might not have been too much of an example for good relations with distro maintainers before.
OpenSSH bug falls through the cracks
Posted Apr 14, 2008 17:26 UTC (Mon) by razholio (guest, #5706)
In this case, Debian is clearly not to blame, and the last time I remember Debian working with
OpenSSH on a serious security issue (circa 2003, I believe), OpenSSH gave them kudos for being
a very helpful and cooperative vendor.
OpenSSH bug falls through the cracks
Posted Apr 10, 2008 10:44 UTC (Thu) by epa (subscriber, #39769)
Does Canonical's Launchpad offer a solution to this?
OpenSSH bug falls through the cracks
Posted Apr 10, 2008 20:45 UTC (Thu) by rahulsundaram (subscriber, #21946)
If it were available as Free software instead of a proprietary service, it would be much more
acceptable as a solution.
OpenSSH bug falls through the cracks
Posted Apr 11, 2008 18:55 UTC (Fri) by bronson (subscriber, #4806)
Launchpad is proprietary. The best it could offer is a temporary workaround.
And, alas, it doesn't appear to offer even that.