sugarpimpdorsey 3 days ago

> XZ has nothing to do with a lack of vetting and even if it was it would be an argument for it because it got caught in testing.

This is absolutely false; it was not caught in any sort of regular testing whatsoever. It was caught by - of all people - a Microsoft employee who noticed SSH logins were taking a split second too long. Not distro packagers. The packages were already staged in the testing branches of the distros they were targeting and could have easily made it into the LTS versions had this one curious MS guy not noticed.
bayindirh a day ago

> could have easily made it into the LTS versions had this one curious MS guy not noticed.

LTS doesn't mean set in stone. Debian publishes fixes within 24 hours in most cases, even if the upstream doesn't provide any, plus some packages come with Debian's own security patches on top of upstream patches. The Linux security landscape is very different from Windows' central "we'll patch it when we patch it" stance.
akimbostrawman 3 days ago

> This is absolutely false, it was not caught in any sort of regular testing whatsoever

> The packages were already staged in the testing branches

Thanks for making my argument for me. It was also literally caught in (Debian) TESTING. It does not matter who he works for unless you believe a corporation owns its employees' time and achievements 24/7. He noticed something off, tested it, looked at the source code (impossible on Windows ;) and reported the issue he found, which got quickly and transparently (also impossible on Windows) fixed. Again, that is how FOSS should work and why it's superior to proprietary software.