[pulseaudio-discuss] Example using async API

Lennart Poettering lennart at poettering.net
Mon Oct 12 12:00:05 PDT 2009


On Fri, 09.10.09 23:14, Nix (nix at esperi.org.uk) wrote:

> On 7 Oct 2009, Lennart Poettering said:
> > Security updates are the job of distributions. If we encounter a
> > security issue I contact the packagers I know and tell them which
> > patch to backport.
> 
> The problem here is that you cannot know everyone on earth who pulls
> down PA and builds it, nor can you know why people might need to do so
> (so 'use your distributor's copy' won't always fly: some distributions
> have terribly old PAs, and the user may need features from a newer
> one). Any system requiring you to notify individuals simply doesn't
> scale (although it probably *is* a good idea to notify major distros
> explicitly in any case).

I am sorry. I believe in distros. If some people don't then it's their
own fault, but I will not and cannot care about that.

This is free software, it's fine if you want to shoot yourself in the
foot. But don't expect to be particularly welcome if you do that.

> So... it might be a good idea simply to have a pulseaudio-security
> mailing list or even blog or something to which you post the git commit
> IDs of known security fixes (or whatever it is you tell the
> distributors: I presume it's something like that).

Sure. I can do a lot of things. But how about *you* do these things?
I announce those things on IRC, so you are welcome to hang around
there and forward it to some blog.

The current system works quite well I'd say -- for the distros. You
think there's more than distros that matters. I don't. So why should I
do the additional work and you don't?

Also, Colin maintains a -stable branch, which also includes the
security fixes -- not sure what more you need?

> One extra Cc: on emails you already send and everyone is happy.

Uh? It's all on the ML or on IRC. There's nothing private here.

> (the kernel already does something like this with the -stable tree.
> udev doesn't do anything like this and I bloody wish it did: it tends to
> intermingle major rules-breaking config changes and critical security
> fixes in releases, and keeps security fixes quiet. That's *exactly* the
> wrong thing to do... but you know that.)

Dude, nothing hinders you from maintaining your own udev-stable
tree.

Lennart

-- 
Lennart Poettering                        Red Hat, Inc.
lennart [at] poettering [dot] net
http://0pointer.net/lennart/           GnuPG 0x1A015CC4


