I think the point Willy tried to make is that it should be handled the same way 
regardless of being a security patch or not. All fixes are important - so see 
them as "security" fixes for bugs if you like.

On 06/11/2019, 10.04, "apcoeproductnotificati...@wellsfargo.com" 
<apcoeproductnotificati...@wellsfargo.com> wrote:

    Hi Willy,
    
    Thanks for the info but honestly I am not focusing only on security fixes, I 
need confirmation whether 2.0.8 is a security patch or a discretionary patch so 
that I can work on it accordingly on the basis of patch type.
    
    Regards,
    Anurag
    
    
    -----Original Message-----
    From: Willy Tarreau <w...@1wt.eu> 
    Sent: Wednesday, November 6, 2019 2:15 PM
    To: APCoE Product Notifications <apcoeproductnotificati...@wellsfargo.com>
    Cc: xro...@gmail.com; haproxy@formilux.org; Na, Anurag 
<anurag...@wellsfargo.com>
    Subject: Re: Product Info
    
    On Wed, Nov 06, 2019 at 08:09:55AM +0000, 
apcoeproductnotificati...@wellsfargo.com wrote:
    > Hi Rob/Thomas,
    > Good day!!
    > 
    > Thanks for the update, so as per the link the current patch is 2.0.8 
    > released on 23-10-2019, request you to please confirm whether this 
    > patch is also a security patch and fixing any vulnerability (please 
    > provide CVE if available) or not as it has one major bug fix in the 
release notes.
    
    Well, it was marked security since considered as such by the reporter 
even though it requires you to use a vulnerable server and to purposely write a 
bogus configuration, so my personal opinion on it is that it's very minor 
compared to all the issues we fix on a daily basis.
    
    In addition, please note that ALL FIXES ARE IMPORTANT and that if you're 
trying to only pick fixes explicitly marked as security, you'll end up with the 
most bogus load balancer on earth, and you'd rather not do this at all if you 
care for your site's availability.
    
    Focusing on CVEs only is part of what Linus Torvalds calls the "security 
circus" and I fully agree with him on that, considering how harmful most bugs 
can be for production and which are dropped by people focusing on CVE only and 
who instead pick irrelevant stuff because these have a "security" sticker. 
    Also please have a look at this presentation by GregKH explaining 
the ridiculous situation we've reached with CVE nowadays:
    
        
https://kernel-recipes.org/en/2019/talks/cves-are-dead-long-live-the-cve/
    
    In short if you're wondering what patch to pick, you WILL eventually cause 
some disaster on your production that only YOU will be responsible for, by 
having deliberately rejected important fixes. You'd rather rely on up-to-date 
releases, either from sources if you build yourself, or from distro maintainers 
if you prefer to use pre-built packages. The project maintainers devote a lot 
of time maintaining stable branches containing only fixes precisely so that 
nobody has to duplicate this boring and dangerous job.
    
    Note that if you fear regressions, it's normal. Nobody likes to face them. 
In this case, just wait one week or even one month for others to deploy a new 
version before you do so, and you'll know if you're taking any risk. Everyone 
does this depending on the criticality. What is certain is that by not updating 
you're taking the risk of hitting any of the hundreds of bugs that are known and 
fixed upstream.
    
    Willy
    
    
