[Slackbuilds-users] Concerning: [slackware-security] pidgin (SSA:2012-195-02)

T3slider t3slider at gmail.com
Sat Jul 14 22:28:35 UTC 2012 

I personally keep any packages built by SBo SlackBuilds up to date with
the version hosted on slackbuilds.org (sbopkg makes this easy). If there
is reason not to for a specific application, then it is my job to make
sure it is patched. Other than that, SBo relies on its maintainers for
security updates (and version updates), and while I have a quick bash
script that lists the packages submitted to pending/approved that I
currently have installed (meaning there is an update waiting), I
generally depend on the maintainers to keep SlackBuilds up to date. My
opinion is that, if you are worried about security, you should keep up
with the latest package versions from SBo and if you're paranoid then
you can check versions submitted to pending/approved in case there is a
long wait before updates are pushed public. There should probably be a
bigger focus on pushing security updates public (from pending/approved)
versus simple version bumps, but that would be up to the admins I
suppose. If even that is not enough (if you're worried that maintainers
are falling behind) then you'd have to follow everything upstream, but
obviously there's not much SBo could do about that.

I find that the "Updates" e-mails on this list are sufficient for me to
go through and sbopkg makes identifying any updates to installed
packages easy enough for me to check. Of course, I wouldn't object to a
Slackbuilds-security mailing list or some such thing but I'm not sure it
would really be very effective given the current distribution of labour,
which relies heavily on the maintainers (who currently have low
accountability).

-T3slider

On Sat, Jul 14, 2012 at 02:48:31PM -0700, Bradley D. Thornton wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: RIPEMD160
> 
> 
> 
> On 07/14/2012 11:49 AM, Slackware Security Team wrote:
> > 
> > [slackware-security]  pidgin (SSA:2012-195-02)
> > 
> > New pidgin packages are available for Slackware 12.2, 13.0, 13.1, 13.37,
> > and -current to fix security issues.
> 
> Something that I had thought about bringing up in the past but always
> ended up not being addressed due to other 'things' I needed to do...
> 
> Anyway, I was taken aback for a second when I got the email above, but
> only for a second. I had to think to myself, "Is Pidgin Mainline Slack?
> Oh yeah, it is.", that's why I'm getting the alert.
> 
> But there are plenty of SBo's that we don't get any sort of security
> notification on, and while it is prudent to follow the security lists
> for any such app that you install, I think that with regards to SBo's
> most of us don't follow the upstream devs security announcement lists.
> 
> Has there been any discussion on SBo providing links or any sort of
> distribution of security news or announcements for SBo's supported here?
> 
> IOW, once an SBo, say 'htop' goes mainline Slack, then security issues
> for that app are monitored by the Slackware team and we receive
> announcements via the Slackware Security list or via a tail of the
> Changelog.
> 
> So it may be a good thing if we had something like that here at SBo for
> announcements concerning SlackBuilds that are carried here.
> 
> Kindest regards,
> 
> 
> - -- 
> Bradley D. Thornton
> Manager Network Services
> NorthTech Computer
> TEL: +1.310.388.9469  (US)
> TEL: +44.203.318.2755 (UK)
> TEL: +41.43.508.05.10 (CH)
> http://NorthTech.US
> 
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.10 (GNU/Linux)
> Comment: Find this cert at x-hkp://pool.sks-keyservers.net
> 
> iQEcBAEBAwAGBQJQAekuAAoJEE1wgkIhr9j3QYMH/jwZE9W62tqVFcjHuKz8qLy2
> KS86WFuV5aJt6WCgNfBP+0SMpIAVWoz+IOLHMOUdJB9eb6nKpyZv7IsykVtODcsQ
> ZN+JQyCJxzxxMoVAaybXdvozEkP+guktBJDPn81wD0W2owXoGYWGC0QpQKxbwF4a
> cvWMoqON0YG0wx54ETbsUfvtS+YBIWtaTbRR1Y/Bg2WAV5KydltHM7Gfqk/xZGV0
> blWNSREMO9U+J8IcjrIQ+Fhd1iQvG/k5O5AeTT/ldcswvFwRd9C8gUG0encChEy2
> M1ti0+94mJEsA8GQAkT8uHbyUX8DDbKNnt2johWu1QT2DEH/MxjCwzZUNfTbZaw=
> =D7VZ
> -----END PGP SIGNATURE-----
> _______________________________________________
> SlackBuilds-users mailing list
> SlackBuilds-users at slackbuilds.org
> http://lists.slackbuilds.org/mailman/listinfo/slackbuilds-users
> Archives - http://lists.slackbuilds.org/pipermail/slackbuilds-users/
> FAQ - http://slackbuilds.org/faq/
>

More information about the SlackBuilds-users mailing list