Bitten by old bugs
Posted Aug 15, 2003 13:57 UTC (Fri) by pimlott
In reply to: Bitten by old bugs
Parent article: Bitten by old bugs
This is absolutely true, and I'm glad you've explained it so well. This idea of backporting only "security" fixes sounds like a prudent engineering principle, but the reality is far less pretty. As you said, there's just no way that all fixed bugs can be evaluated for their potential exploitability, and missing just one is enough.
Furthermore, running a patched older version leaves you running a configuration that nobody upstream is even thinking about. It's like taking a boat out without telling anyone. With the current version, you have a whole community watching your back. (Say a bug is found in the current version that happens not to be exploitable because of some other change since your version. Is anyone going to tell you?)
In practice, the best software development teams (and I'm not just talking about OpenBSD) have a simple "don't leave bugs open" discipline. You take some risk by continuously fixing bugs, but with a little intelligence, the risk is very small and entirely acceptable. And the benefits are, of course, in more than security: every bug hit is an alienated user.
Frankly, many small projects don't even really need separate stable branches, because even "development" releases are highly unlikely to break anything. That said, bigger, more complex projects should have stable branches on which bugs are fixed aggressively. If they don't, the distributions should pick up the slack, but they should encourage upstream to do it, so there are more hands and eyes involved, and the whole user base benefits.
The OpenBSD guys ought to be among the most qualified to distinguish "security" bugs from other bugs, and even they don't do it. Debian shouldn't either.