In-Reply-To: <20160404194144.27975e09@ncopa-desktop.alpinelinux.org>
Date: Mon, 4 Apr 2016 15:07:57 -0300
Subject: Re: [alpine-user] How are security updates handled
From: Rodrigo Campos
To: Natanael Copa
Cc: alpine-user@lists.alpinelinux.org

On Mon, Apr 4, 2016 at 2:41 PM, Natanael Copa wrote:
> Hi,
>
> This fell between the cracks. Sorry.
>
> On Wed, 23 Mar 2016 14:55:29 -0300
> Rodrigo Campos wrote:
>
>> Hi,
>>
>> I'm interested in using alpine linux for docker containers, but I'm
>> not sure how security updates to packages are managed. I read the site
>> and wiki and didn't find it (but I might have missed something).
>
> We monitor mailing lists, etc. and report unfixed issues in a private
> tracker. Once an issue is fixed we make it public.

Is it reported to the package maintainer in alpine? Sorry, I'm not sure I follow.

>
>> I see usually alpine linux releases are supported for more or less two
>> years, although v3.3 seems to be 1.5 years[1]. Is it expected that
>> new releases are supported for 1.5 years? Or is there any written
>> policy that I can check and didn't find?
>
> We do releases every May and November and support that for 2 years.
> That is the idea at least.
>
>> Also, how are security updates handled to any X package in some
>> supported alpine linux release? If some package is not supported
>> upstream anymore, is it up to the alpine linux maintainer of the
>> package to back port the fix to the supported alpine linux release?
>
> In theory we do backports if upstream drops support. This works mostly,
> but in some cases it has not been possible. For example qemu and golang
> do not support older versions and we have not been able to provide
> security fixes for some issues. This was the triggering factor of the
> "community" repo, where we only support edge and the current stable
> release. In other words, for 6 months after branching. After that it is
> "best-effort".

After 6 months it is best effort on the community repo, right? And during those 6 months, is it up to the package maintainer to do the security fix? And if the package maintainer is unresponsive?

And the "main" repo is supported for 2 years? Although I'm not sure if it is like this, because qemu seems to be in the "main" repository (https://pkgs.alpinelinux.org/packages?name=qemu%25&repo=all&arch=x86_64&maintainer=all).

>
>> Is there an alpine linux security team?
>
> We don't have any (official) security team, but the job gets mostly
> done. Critical issues are normally fixed relatively early.
>
>> Or how is this handled? And again, is there any written policy about
>> this? :)
>
> No written policy, other than the mentioned releases wiki page. We
> need help with improving the documentation.
>
> Sorry.

Thanks a lot! :-)