On 17/04/14 01:09, Arran Cudbard-Bell wrote:
Their arguments for applying patches to already released systems are bullshit. It makes it impossible to tell whether a given version of a library has the correct fixes applied.
Many, many people pay considerable quantities of money for long-term distros to do *exactly* what you're criticising. Personally I think the LTS distros provide a really useful buffer between open source projects and customers. This allows the project to proceed at the pace they want, and LTS customers to PAY someone to do the boring work of keeping an older, stable version secure against newly discovered bugs. I wonder if this checking for "bad" libraries inside FR is really useful or appropriate, especially if it's causing you major hassles. It's not obvious to me why OpenSSL is special - where's the blacklist for glibc or libpq or $whatever? Are other projects doing this? I think you guys already do more than enough - way more than most projects - to provide long-term stable releases. I don't think you need to do more, and I certainly don't think you need to be cleaning up OpenSSL's mess. That way lies moral hazard! Just my €0.03