On Tue, 2021-03-16 at 19:19 -0400, Mark H Weaver wrote: > That said, I strongly disagree that we should "never backport patches > ourselves in most cases". The only way to do that, while addressing > security flaws, would be to promptly update even our lowest-level > libraries in response to CVEs, of which there is a steady stream.
Fortunately I think that lots of these core package upstreams also have good CVE-issuance practices. For the Glib care in particular, I think they are good, I consider acceptable to backport patches, everyone is doing it, upstream is cooperative and works towards that same goal. To everyone else in general, I understand we have to ship a working system, and I want that too, that's why I said we should "strive" to, but it doesnt mean we should break things, of course. By that I mean that we shouldnt leave packages unmaintained without updates for too long even without CVEs or other security notices issued. At some point, if a package is of no use, no users show up and it's painful to update, we should also consider removing the package or archiving it in a third party channel we could create like "guix-archive", "guix-ugly" or "guix-love-me-please". Léo
signature.asc
Description: This is a digitally signed message part
