matthew at linuxfromscratch.org
Sun Oct 9 06:49:02 PDT 2005
Jeremy Huntwork wrote:
> I would like to make a formal request for a 6.1.1 release of the LFS

The glibc/openSSH issue is the only real candidate that would warrant a
6.1.1 release, IMO. The fact that some of our packages contain security
vulnerabilities is nothing new, can't be helped, and I thought it was a
generally accepted fact that folks following LFS should be able to track
(and fix) such vulnerabilities themselves anyway.

We've never made a release in the past purely to fix security
vulnerabilities, and I don't think we want to start heading down that
path now - we simply don't have adequate resources to do so. We've only
recently started tracking security vulnerabilities and other errata, and
I think that process serves adequately at least for the time being. I'd
even hesitate to say that it will serve its purpose for the glibc/ssh
issue too - I've certainly not seen it crop up regularly on the support

If we do release a 6.1.1, I think the approach we should adopt is:

1) Apply security patches to texinfo, util-linux, bzip2 and vim.
2) Upgrade perl and zlib to fix their respective security vulnerabilities
3) Patch glibc to fix the issue triggered by openSSH
4) Do something with the udev configuration vs. /etc/group conflict
reported in bug 1639.
More information about the lfs-dev