Ubuntu's QA and skills at patching

danimoth danimoth at cryptolab.net
Tue Oct 14 01:03:27 PDT 2014


Hi Cathal,

I do not want to start a flame-war, just my opinions inline.

On 13/10/14 at 08:08pm, Cathal Garvey wrote:
> What's the security trade-off of using Arch, which gets the latest
> patches and seemingly likes to rely on developers' repos, versus getting
> the latest builds with new and exciting bugs?

You're assuming that new releases == new bugs; my assumption is new
releases == new bugs fixed.
You're right (in a general sense) when the updated software has new
features; new features always have new bugs (but major version number
advancement does not happen often).

> That is, Debian has a "stable" branch that is, to most people,
> excessively so. But security wise, you're pretty sure it's got less
> vulns than their "testing" branch. How does this compare to Arch, which
> goes for bleeding edge and unashamedly breaks now and then?

What I really hate is the "I'm better than developers" mentality. What I
want is to use the latest version from the official developers (e.g. the
latest version of OpenSSL, right now at 1.0.1i) and not an old
version patched with pieces of code taken from later releases (e.g.
OpenSSL 1.0.1e in Wheezy). The focal point is really simple: I do not
trust packagers who heavily edit the software they are packaging
(Debian, Arch, Mint.. no differences here) because I consider the
software developers the only ones who can "safely" (<-- take it with a
grain of salt) make modifications to their software.

D.
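The post's example of OpenSSL 1.0.1e in Wheezy carrying fixes taken from later releases is exactly the case where judging patch state by upstream version number alone goes wrong: a version-string comparison reports the package as unpatched, while the distribution changelog records which fixes were backported. The script below is an added illustration, not code from the post or from any distribution; it parses a Debian-style changelog for CVE references and combines that with a simple version comparison. The changelog text, maintainer address and CVE identifiers in it are constructed placeholders.

```python
"""Decide whether a CVE fix is present in a distro package: fixed by the
upstream version, fixed by a distribution backport, or absent.

Added example (not from the original post). The changelog below is a
constructed sample in Debian changelog format; its CVE numbers and
maintainer address are placeholders, not real advisories.
"""
import re
from typing import NamedTuple

# Constructed sample changelog: one security upload on top of an old
# upstream release, mirroring the 1.0.1e-in-Wheezy situation in the post.
SAMPLE_CHANGELOG = """\
openssl (1.0.1e-2+deb7u12) wheezy-security; urgency=high

  * Backport upstream fix for CVE-0000-1111 (placeholder id).
  * Backport upstream fix for CVE-0000-2222 (placeholder id).

 -- Maintainer <maintainer@example.invalid>  Mon, 01 Jan 2000 00:00:00 +0000

openssl (1.0.1e-2) unstable; urgency=low

  * New upstream release.

 -- Maintainer <maintainer@example.invalid>  Mon, 01 Jan 2000 00:00:00 +0000
"""

# Header line of a changelog entry: "<source> (<version>) <suite>; ..."
ENTRY_RE = re.compile(r"^(\S+) \(([^)]+)\) (\S+);", re.MULTILINE)
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


class Entry(NamedTuple):
    version: str
    suite: str
    cves: frozenset


def parse_changelog(text):
    """Split a Debian-style changelog into entries, newest first, with the
    set of CVE identifiers each entry mentions."""
    headers = list(ENTRY_RE.finditer(text))
    entries = []
    for i, m in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        body = text[m.end():end]
        entries.append(Entry(m.group(2), m.group(3),
                             frozenset(CVE_RE.findall(body))))
    return entries


def upstream_version(debian_version):
    """Strip epoch and Debian revision: '1:1.0.1e-2+deb7u12' -> '1.0.1e'."""
    without_epoch = debian_version.split(":", 1)[-1]
    return without_epoch.rsplit("-", 1)[0]


def version_key(version):
    """Sort key for versions like '1.0.1e': numeric runs compare as ints,
    letter runs as strings, so '1.0.1e' < '1.0.1g' and '1.0.1' < '1.0.1e'."""
    return tuple((0, int(t)) if t.isdigit() else (1, t)
                 for t in re.findall(r"\d+|[A-Za-z]+", version))


def fixed_in_changelog(changelog_text, cve):
    """True if any changelog entry references the given CVE."""
    return any(cve in entry.cves for entry in parse_changelog(changelog_text))


def assess(debian_version, changelog_text, cve, first_fixed_upstream):
    """Return 'fixed-upstream', 'fixed-by-backport' or 'unpatched'.

    first_fixed_upstream is the first upstream release that contains the
    fix; a package at or above it needs no backport. Below it, only the
    changelog can tell whether the fix was carried over."""
    if version_key(upstream_version(debian_version)) >= version_key(first_fixed_upstream):
        return "fixed-upstream"
    if fixed_in_changelog(changelog_text, cve):
        return "fixed-by-backport"
    return "unpatched"


if __name__ == "__main__":
    for cve in ("CVE-0000-1111", "CVE-0000-3333"):
        print(cve, assess("1.0.1e-2+deb7u12", SAMPLE_CHANGELOG, cve, "1.0.1g"))
```

The point for a defender is that both answers matter: a scanner that only compares version strings produces false positives on backport-based distributions, while a changelog that never mentions a given CVE is a genuine gap worth checking against the distribution's security tracker. The upstream-version threshold (`first_fixed_upstream`) is an input here; in practice it comes from the upstream advisory.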