Comments on TSDgeos' blog: The dangers of stable/LTS/supported versions
Blog author: Albert Astals Cid (http://www.blogger.com/profile/12001470108926138921)
Comment feed last updated 2024-02-20T19:17:55.835+01:00; 13 comments, shown here in chronological order.

Andrius, 2016-12-07 01:55 +01:00:
Well, it is even worse with Partition Manager. Debian jessie ships 1.0.3 which is about 6 years old... Well, hopefully I'll be able to convince them to upgrade it for stretch...

Sudhir Khanger (http://sudhirkhanger.com), 2016-12-07 09:02 +01:00:
Then why did the Plasma team decide that they had to ship an LTS release?

tosky, 2016-12-07 09:13 +01:00:
If the issue is worth a CVE, then it's on the queue for a quick backport of the fix.

The version number does not consider the patches included; you check the changelog for that.

Anonymous (https://www.blogger.com/profile/07225138358995491509), 2016-12-07 10:39 +01:00:
Plasma LTS is upstream, devs will backport fixes from 5.9+ to 5.8 but not new features.
In my opinion a distro should backport fixes if it decides to ship older versions of software.
Having LTS releases is a good thing for both upstream and downstream, but here distros are not doing it well, imho.

Anonymous, 2016-12-07 12:02 +01:00:
So why does KDE neon use Ubuntu as base? ... they don't even ship bugfix releases if they are available, universe and multiverse is technically a fat, dead security hole after release and thanks to Canonical it'll move to a completely different path (Mir) than Plasma does with Wayland?

Seems that's the KDE where one end calls it bad to use a stable release because of _good reasons_ and the other end builds the whole KDE distro on top of the worst of all stable release distros... good PR... very good PR...

Cédric Bellegarde (https://www.blogger.com/profile/12036861824653632379), 2016-12-07 13:50 +01:00:
ArchLinux is the way to go... ;)

Albert Astals Cid, 2016-12-07 20:04 +01:00:
@tosky: That's also part of the fun, according to "security researchers" every crash is exploitable, so every crash would need a CVE.

But every time I ask for an actual exploit they all go "Trust us" or "Are you saying you will ignore a crash unless it's exploitable" or some similar stuff, basically degrading their own "this is exploitable" claim by never ever providing proof that stuff is exploitable, so I've obviously decided not to care about creating new CVEs for every single crash we fix.

Albert Astals Cid, 2016-12-07 20:06 +01:00:
@Anonymous: The base that KDE neon uses is less bad, since it's the newer Ubuntu LTS and it's not a 3 year old release. As you saw, basically every single "stable" distro is a problem. I was not involved in the choice of base distribution for KDE neon, I am sure they had good reasons; as said, the world is not perfect.

Albert Astals Cid, 2016-12-07 20:07 +01:00:
@Cedric: ArchLinux has its own set of problems (no debug packages still, come on) but this one is indeed not one of them.

Anonymous (https://www.blogger.com/profile/07188174032606391562), 2016-12-09 18:21 +01:00:
ArchLinux is aimed at users who are able to build a debug package for themselves if they need one. It's trivial with Arch.

tosky, 2016-12-09 22:15 +01:00:
Iirc you don't need a reproducer to create a CVE, but I can ask.

Albert Astals Cid, 2016-12-09 23:11 +01:00:
@David: Off topic, so it's my last comment about it here, but if it needs a wiki it's not trivial; trivial is "sudo apt-get install qtbase5-dbg".

Albert Astals Cid, 2016-12-09 23:12 +01:00:
@tosky: So you suggest I do a CVE saying: "people have told me that if I have a crash I have a security vulnerability". Doesn't sound very professional tbh.