[CentOS] bounties for exploits against CentOS?

Johnny Hughes johnny at centos.org
Tue Jan 17 18:34:24 UTC 2012


On 01/17/2012 12:13 PM, Bennett Haselton wrote:
> On 1/17/2012 9:25 AM, Les Mikesell wrote:
>> On Tue, Jan 17, 2012 at 11:12 AM, Bennett Haselton
>> <bennett at peacefire.org>  wrote:
>>> Pretty much all software testing is predicated on this notion -- that as
>>> you find and fix more bugs (of any kind, not just security bugs),
>>> eventually the mean time to find the next bug should get larger.
>>> Otherwise, what's the point, if at the end of all your testing and
>>> fixing, users keep running into bugs at the same frequency as before?
>> Look through the changelogs of any major application or the kernel
>> itself.  See if it looks like the world is running out of bugs.
>>
> Well if the software itself is constantly being modified in other ways 
> (addition of new features) then of course you'll never run out of new 
> bugs either :) But even for software where the features are frozen, bugs 
> in a given category should eventually get harder to find, and/or should 
> be less severe than at the beginning of the cycle (which seemed to be 
> the case whenever I worked in testing).
>
> If this were not the case, then what would even be the point of doing 
> any testing and bug-fixing at all?  Unless you expect that eventually 
> the remaining bugs become rarer or less severe.
Regardless, CentOS would not be publishing said Bug Fixes except for
items in our extras or plus repositories.

CentOS builds the upstream sources directly whenever possible.  We only
make modifications when required to do so for Branding reasons ... or if
something needs to be added to get the build correct, etc.

Therefore, any "bugfix" changes would need to be made by Red Hat to the
RHEL source code, which would then trickle down into CentOS, since we
build the upstream EL sources.

If one wanted to offer bounties to find and fix issues, and then submit
that info to the upstream RH bugzilla, I am sure they would appreciate it. 

CentOS does make upstream Red Hat bugzilla entries all the time when we
get issues reported to us that are valid and in the upstream code.
