[pulseaudio-discuss] Example using async API

Nix nix at esperi.org.uk
Fri Oct 9 15:14:12 PDT 2009

On 7 Oct 2009, Lennart Poettering said:
> Security updates is the job of distributions. If we encounter a
> security issue I contact the packagers I know and tell them which
> patch to backport.

The problem here is that you cannot know everyone on earth who pulls
down PA and builds it, nor can you know why people might need to do so
(so 'use your distributor's copy' won't always fly: some distributions
have terribly old PAs, and the user may need features from a newer
one). Any system requiring you to notify individuals simply doesn't
scale (although it probably *is* a good idea to notify major distros
explicitly in any case).

So... it might be a good idea simply to have a pulseaudio-security
mailing list or even blog or something to which you post the git commit
IDs of known security fixes (or whatever it is you tell the
distributors: I presume it's something like that). No need to do
anything extra: this just puts the stuff you're already telling your
known packagers out in the open where anyone can see it rather than
requiring them to be on RH's security team :) we can assume that
backporting security fixes (which is rarely much more than a cherry-pick
anyway) is well within the competence of anyone running PA from
upstream: what this is doing is saving them from having to read the
entire git commit log just to determine stuff you're already telling
some people...

One extra Cc: on emails you already send and everyone is happy.

(the kernel already does something like this with the -stable tree.
udev doesn't do anything like this and I bloody wish it did: it tends to
intermingle major rules-breaking config changes and critical security
fixes in releases, and keeps security fixes quiet. That's *exactly* the
wrong thing to do... but you know that.)

(FWIW, running source-from-upstream of things like PA really *is* common
in some environments. I know one fairly large academic institution which
is running lots of copies of Debian stable with backported PulseAudio
and a newer kernel, because they needed the glitch-free code to get
tolerable networked sound on their rather slow workstations. And I only
learnt this by chance: there are probably a lot of other people doing
something similar.)

More information about the pulseaudio-discuss mailing list