Hello TB-SUPPORT,
On Mon, 2005-11-28 at 12:22 +0000, Gordon, JC (John) wrote:
> So you are defining your own procedure and sticking to it? And thus
> requiring others to implement it. I think procedures should be agreed
> not imposed, or if they are imposed then by someone who has been given a
> mandate to impose.
Surely the way Alessandra described is the only sane way of managing
security fixes.
The only argument for fixing this with a hand-crafted patch is that this
is a one-off, and if this security fix *is* considered a "one-off" then
that speaks volumes about the project's approach to security as a whole.
If I implement this one-off, I have no idea how long I need to be aware
of it for. If I put in a new R-GMA box, how am I expected to know whether
the security fix has been included in a new package release or not? If a
new administrator is installing R-GMA, how are they supposed to know? If
I upgrade using apt, how am I to know this has been fixed?
What about a hypothetical "security fix" that comes out tomorrow? Am I
supposed to start keeping track of all these myself? I am only (0.5
FTE!) one person... I do not have time.
At the moment, I think the only sensible thing for me to do as a system
administrator is turn off that service.
Cheers,
Andrew