cperciva 10 hours ago

Debian is probably the best of all the Linuxes, but still suffers from split-brain: If patches are sent upstream first, Debian can't start digesting them until they're already public.

With FreeBSD there's never any question of "who should this get reported to".

JoshTriplett 9 hours ago

> Debian can't start digesting them until they're already public

Not sure what you mean by this. Debian is able to handle coordinated disclosures (when they're actually coordinated), and get embargoed security updates out rapidly without breaking the embargo.

Is there some other aspect of this that you're referencing?

cperciva 4 hours ago

The key words there are "when they're actually coordinated". Debian doesn't own the Linux kernel, and the kernel developers don't bother with coordinated disclosure, so the happy path of coordinated disclosure only happens when reporters make the non-obvious choice of reporting vulnerabilities to people other than the maintainers.

JoshTriplett 3 hours ago

Fair enough; yeah, at the point where the embargo failed, it was important that patches get to distros as fast as possible in order to ship the fixes.

pavon 6 hours ago

The fact that the kernel security team has decided coordinating disclosure is someone else's problem, so it happens inconsistently.