Security Patches Are A Nightmare In Open Source Projects #Linux #YouTube youtu.be/dOUAPmcqq1U
James P.
in reply to Brodie Robertson • • •

Michael Brazda
in reply to Brodie Robertson • • • I think the biggest issue is not the development of the patch but the rollout. Unfortunately, many admins that run on open source are a single admin with a single server, and they lag on updating their own machine.
They will also, after a while, stop paying attention to patch notifications, and this leaves many unpatched, vulnerable servers out on the internet.
An example would be someone who hears about Nextcloud and thinks it would be cool to run their own. After a few months they quit paying attention to the server, even if they use it daily.
A.B.
in reply to Brodie Robertson • • • I'm with the curl team and similar approaches (some/most Apache projects): get the fix, with a generic description, into the main branches with CI going.
My employer was faced with a medium curl issue that most scanning software thought was critical, and with explaining to customers that the LTS distro we used hadn't picked up the fix yet. Maddening situations.