On 10/25/11 5:11 PM, Rich Freeman wrote:
> And "Debian is doing it" or whatever isn't actually a bad reason to
> consider this. When Debian does something by default, it means that
> upstream packages will take notice.

Right, I was thinking about the change for a long time, but if Debian,
which advertises itself as stable and well-tested, thinks it's time to
do it, then why should we stay behind?

My primary motivation is doing the right thing, and linking to Debian's
plans is one of my points to show that it makes sense.

I think that generally just trying to patch detected vulnerabilities as
soon as possible is not sufficient to stay reasonably secure. Mitigation
techniques like SSP and ASLR are really important, because they give you
more time to fix vulnerabilities (by making it harder to exploit them).

And again, I don't suggest enabling anything by default that would
degrade performance in an unacceptable way or create compatibility
problems that can't be solved. And I'm also looking for a way that will
provide a seamless upgrade path for existing users (i.e. one that
doesn't break them).