Imminent release of 2.2.5 and 3.0.3
Phil Mayers
p.mayers at imperial.ac.uk
Thu Apr 17 15:50:17 CEST 2014
On 17/04/14 01:09, Arran Cudbard-Bell wrote:
> Their arguments for applying patches to already released systems are
> bullshit. It makes it impossible to tell whether a given version of
> a library has the correct fixes applied.

Many, many people pay considerable quantities of money for long-term distros to do *exactly* what you're criticising.

Personally I think the LTS distros provide a really useful buffer between open source projects and customers. This allows the project to proceed at the pace they want, and LTS customers to PAY someone to do the boring work of keeping an older, stable version secure against newly discovered bugs.

I wonder if this checking for "bad" libraries inside FR is really useful or appropriate, especially if it's causing you major hassles. It's not obvious to me why OpenSSL is special - where's the blacklist for glibc or libpq or $whatever? Are other projects doing this?

I think you guys already do more than enough - way more than most projects - to provide long-term stable releases. I don't think you need to do more, and I certainly don't think you need to be cleaning up OpenSSL's mess. That way lies moral hazard!

Just my €0.03
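The disagreement above is about a version blacklist: a program inspects the OpenSSL version it is linked against and refuses to run if that version falls in a range known to be affected, while LTS distributions ship backported fixes under the same upstream version string, so the string alone cannot say whether the fix is present. The following is an added example written for this page, not FreeRADIUS code and not code from either poster. It decodes both forms OpenSSL (pre-3.0) used for its version, the text banner (`1.0.1e`, with trailing letters as the patch level) and the packed `OPENSSL_VERSION_NUMBER` hex value (`MNNFFPPS`), compares them against a blacklist range, and shows why a check on a distro that backports fixes can only answer "unknown" rather than "refuse". The blacklist range, the `assess` function, its `distro_backports` flag and the sample banner strings are constructed for illustration and are not taken from the page.

```python
"""
Decode OpenSSL (pre-3.0) version identifiers and check them against a
blacklist range, with the backport caveat made explicit.

Two shapes are handled:
  * the text banner, e.g. "OpenSSL 1.0.1e-fips 11 Feb 2013", where a
    trailing letter run is the patch level (a=1 ... z=26, za=27, zb=28 ...)
  * the packed OPENSSL_VERSION_NUMBER, e.g. 0x1000107f, laid out as
    MNNFFPPS: major (1 nibble), minor (2), fix (2), patch (2), status (1)
"""
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int, int]  # (major, minor, fix, patch)

_TEXT_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def patch_letters_to_int(letters: str) -> int:
    """'' -> 0, 'a' -> 1, ..., 'z' -> 26, 'za' -> 27: the letters sum."""
    return sum(ord(ch) - ord("a") + 1 for ch in letters)


def parse_text_version(banner: str) -> Optional[Version]:
    """Extract (major, minor, fix, patch) from a version banner, or None."""
    m = _TEXT_RE.search(banner)
    if not m:
        return None
    major, minor, fix, letters = m.groups()
    return (int(major), int(minor), int(fix), patch_letters_to_int(letters))


def parse_hex_version(n: int) -> Version:
    """Unpack OPENSSL_VERSION_NUMBER (MNNFFPPS); the status nibble is dropped."""
    major = (n >> 28) & 0xF
    minor = (n >> 20) & 0xFF
    fix = (n >> 12) & 0xFF
    patch = (n >> 4) & 0xFF
    return (major, minor, fix, patch)


def format_version(v: Version) -> str:
    """Render a tuple back into the text form, e.g. (1,0,1,7) -> '1.0.1g'."""
    major, minor, fix, patch = v
    letters = ""
    while patch > 26:          # 27 -> 'za', 28 -> 'zb', ...
        letters += "z"
        patch -= 26
    if patch:
        letters += chr(ord("a") + patch - 1)
    return f"{major}.{minor}.{fix}{letters}"


# Constructed sample blacklist, chosen only for illustration: the half-open
# range [low, high) of upstream versions treated as affected. The range any
# real project uses is not taken from this page.
SAMPLE_BLACKLIST = ((1, 0, 1, 0), (1, 0, 1, 7))


def is_blacklisted(v: Version, blacklist=SAMPLE_BLACKLIST) -> bool:
    low, high = blacklist
    return low <= v < high


def assess(banner: str, distro_backports: bool = False,
           blacklist=SAMPLE_BLACKLIST) -> str:
    """Return 'ok', 'refuse' or 'unknown' for a library version banner.

    distro_backports (hypothetical flag) says the library comes from a
    distribution that backports security fixes without changing the
    upstream version string.
    """
    v = parse_text_version(banner)
    if v is None:
        return "unknown"
    if not is_blacklisted(v, blacklist):
        return "ok"
    # The upstream version is in the affected range. On a backporting distro
    # that says nothing about whether the fix is present, so the honest
    # answer is "unknown": the package changelog or vendor advisory decides,
    # and the operator makes that call explicitly rather than being refused.
    return "unknown" if distro_backports else "refuse"


if __name__ == "__main__":
    # Constructed sample banners in the format OpenSSL prints.
    for banner in ("OpenSSL 1.0.1g 7 Apr 2014", "OpenSSL 1.0.1e-fips 11 Feb 2013"):
        print(banner, "->", assess(banner), "/ backporting distro:",
              assess(banner, distro_backports=True))
    print(hex(0x1000107F), "->", format_version(parse_hex_version(0x1000107F)))
```

The design point is the third return value: a version check can prove a library is new enough, but on a backporting distribution it cannot prove the fix is absent, so the check should degrade to an explicit operator decision rather than a hard refusal.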