From: Mark Brand
Subject: Re: [Mingw-cross-env-list] gnutls
Date: Tue, 07 Dec 2010 09:22:08 +0100
User-agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.12) Gecko/20101026 SUSE/3.1.6 Thunderbird/3.1.6

On 12/07/2010 12:59 AM, Volker Grabsch wrote:
> Mark Brand <address@hidden> wrote:
>> I'm just wondering if we might want to "sneak" an upgrade to gnutls 2.10.4 into the coming 2.17 release.
>
> No, let's put this into the next release. With > 100 packages, there'll always be some package that provides a new release during our freezing phase. In the past I included such upgrades right in the middle of our testing phases, which caused even bigger delays in our releases, so that other packages could be upgraded, and so on. I'm trying to break the cycle by having stricter freezes and by making releases more often.
>
> BTW, I'm also having a new great package in the pipeline that I'd like to add to mingw-cross-env, but this will have to wait until after the release, too.

Right, I understand the principle. The only reason I asked about this specific case was that it involves a security issue in a library that many other packages depend on. I don't know if this particular security issue actually creates exploitable holes in applications built with mingw-cross-env, but it still seems like there is an important question about whether mingw-cross-env release planning should bend for package security updates. The concern is that a release with a serious known vulnerability might not be very useful anyway.
Mark