Posted Mar 10, 2013 2:39 UTC (Sun) by HenrikH (guest, #31152)
Which means that as a developer I either have to bundle or link statically with all the external libraries that I use/need and thus have to monitor each of them for security/bug fixes. And as a user I have to hope and pray that the developers of the app in question do just that.
On Linux I just have to release my deb or rpm and the distribution will take care of the rest. Of course this only works for libraries included in the distribution, but imho it's still a much improved situation.
Shuttleworth: Not convinced by rolling releases
Posted Mar 10, 2013 8:32 UTC (Sun) by Cyberax (✭ supporter ✭, #52523)
I used to think like that a couple of years ago.
However, the number of apps hacked through vulnerable bundled libraries is fairly small. Sometimes an attacker might get lucky with a "perfect storm" like the gdiplus vulnerability in Windows. But most of the time, inhomogeneity plays against the attacker in this case - it's hard to write an exploit that would work against several slightly different versions of libraries.
Then there's a question of applications themselves. I think we all can assume that stuff like Word or OpenOffice is probably riddled with undiscovered security holes. Never mind less popular software like Okular or Krita.
So IMO it's better to treat ALL applications as possibly hostile and contain them in various sandboxes as much as possible.
Shuttleworth: Not convinced by rolling releases
Posted Mar 10, 2013 17:43 UTC (Sun) by aoeu (guest, #84301)
That's a lot of effort just to help your users roll back instead of reporting bugs. And at least from my (limited) POV Debian already does a decent job of providing both an old and a new version when drastic or religious changes have been made.