| 1 |
On 10/25/11 5:11 PM, Rich Freeman wrote: |
| 2 |
> And "Debian is doing it" or whatever isn't actually a bad reason to |
| 3 |
> consider this. When Debian does something by default, it means that |
| 4 |
> upstream packages will take notice. |
| 5 |
|
| 6 |
Right, I was thinking about the change for a long time, but if Debian, |
| 7 |
which advertises itself as stable and well-tested, thinks it's time to |
| 8 |
do it, then why should we stay behind? |
| 9 |
|
| 10 |
My primary motivation is doing the right thing, and linking to Debian's |
| 11 |
plans is one of my points to show that it makes sense. |
| 12 |
|
| 13 |
I think that generally just trying to patch detected vulnerabilities as |
| 14 |
soon as possible is not sufficient to stay reasonably secure. Mitigation |
| 15 |
techniques like SSP and ASLR are really important, because they give you |
| 16 |
more time to fix vulnerabilities (by making it harder to exploit them). |
| 17 |
|
| 18 |
And again, I don't suggest enabling anything by default that would |
| 19 |
degrade performance in an unacceptable way or create compatibility |
| 20 |
problems that can't be solved. And I'm also looking for a way that will |
| 21 |
provide a seamless upgrade path for existing users (i.e. one that |
| 22 |
doesn't break them). |
Archives