LinuxQuestions.org
Slackware This Forum is for the discussion of Slackware Linux.

Old 01-29-2012, 10:20 AM   #16
veeall
Member
 
Registered: May 2007
Location: Estonia
Distribution: Slackware64-current
Posts: 298

Rep: Reputation: 56

Quote:
No activity in the Changelog since December 14th
And I almost panicked, until I realized that it's currently only the end of January here.
 
1 members found this post helpful.
Old 01-29-2012, 12:32 PM   #17
GazL
LQ Veteran
 
Registered: May 2008
Posts: 6,897

Rep: Reputation: 5019
Yes, 6 weeks is not all that long, but if you take a look at what's been done over the last 8 months or so since 13.37 released - it's not all that much, and that paints a slightly different picture. However, all this talk about 'current' is a bit of a red-herring and there's no direct harm from Pat taking some time-out from developing 'current'. What is starting to become an issue though is that the last stable patch was on the 27th of November and people are starting to notice. This added to the lack of progress with 'current' (which isn't a problem in and of itself) is rightly, or wrongly, giving the impression that no one is at the helm.

Now, maybe this is not an accurate reflection of what is really going on: Pat has never been all that aggressive about providing updates for security issues that he believes to be lower severity and this might very well just be business as usual, but we're lagging behind on mozilla, proftpd has had an unpatched remote code execution vulnerability since early November, there's been openssl, php, dbus, freetype and a number of other vulnerabilities announced upstream and addressed by other distros and none have made it into Slackware stable's patches/ yet. If some people are starting to feel a little uneasy about the situation then it's not all that surprising.

This is all about perception, and what we don't want to happen is for more people to start to think like one of the commenters on that link I posted above:
Quote:
But, I felt the same a few years ago and this was one of the reasons I switched to Debian/Ubuntu - as they do release regular security updates, which made me feel somewhat 'safer'.
 
2 members found this post helpful.
Old 01-29-2012, 12:40 PM   #18
hitest
Guru
 
Registered: Mar 2004
Location: Canada
Distribution: Void, Debian, Slackware
Posts: 7,342

Rep: Reputation: 3746
Quote:
Originally Posted by GazL View Post
What is starting to become an issue though is that the last stable patch was on the 27th of November and people are starting to notice. This added to the lack of progress with 'current' (which isn't a problem in and of itself) is rightly, or wrongly, giving the impression that no one is at the helm.
I trust Alien Bob. If he says that updates are in the pipe that is good enough for me. I will wait. I suggest that we all take a collective deep breath and chill out a bit.
 
Old 01-29-2012, 12:47 PM   #19
sycamorex
LQ Veteran
 
Registered: Nov 2005
Location: London
Distribution: Slackware64-current
Posts: 5,836
Blog Entries: 1

Rep: Reputation: 1251
Quote:
Originally Posted by GazL View Post
Yes, 6 weeks is not all that long, but if you take a look at what's been done over the last 8 months or so since 13.37 released - it's not all that much, and that paints a slightly different picture. However, all this talk about 'current' is a bit of a red-herring and there's no direct harm from Pat taking some time-out from developing 'current'. What is starting to become an issue though is that the last stable patch was on the 27th of November and people are starting to notice. This added to the lack of progress with 'current' (which isn't a problem in and of itself) is rightly, or wrongly, giving the impression that no one is at the helm.

Now, maybe this is not an accurate reflection of what is really going on: Pat has never been all that aggressive about providing updates for security issues that he believes to be lower severity and this might very well just be business as usual, but we're lagging behind on mozilla, proftpd has had an unpatched remote code execution vulnerability since early November, there's been openssl, php, dbus, freetype and a number of other vulnerabilities announced upstream and addressed by other distros and none have made it into Slackware stable's patches/ yet. If some people are starting to feel a little uneasy about the situation then it's not all that surprising.

This is all about perception, and what we don't want to happen is for more people to start to think like one of the commenters on that link I posted above:
I guess you're right. While -current is not a problem, lack of patches for the stable release might be a problem for people. Personally, I just use Slackware as a desktop computer (with a local http testing server for my own purposes) so it's not that urgent for me but I can imagine how uneasy some people who use Slackware in a more serious manner (i.e. production servers, etc.) may feel about it.
 
Old 01-29-2012, 02:03 PM   #20
smoooth103
Member
 
Registered: Aug 2009
Location: NC, USA
Distribution: Slackware (64 bit)
Posts: 242

Rep: Reputation: 62
There will be countless new patches made in the upcoming weeks/months that everyone is susceptible to right now -- we just don't know it yet. It's likely a false sense of security if one feels "safe" from the most current patches. Sure, it's good to be protected as much as possible but it's only PUBLICLY DOCUMENTED vulnerabilities.

Keep that in mind before you lose too much sleep about security updates. Unfortunately, the security risk is always there.
 
Old 01-29-2012, 02:13 PM   #21
klearview
Member
 
Registered: Aug 2006
Location: London
Distribution: Debian, Kubuntu
Posts: 572

Rep: Reputation: 75
Quote:
Originally Posted by smoooth103 View Post
...It's likely a false sense of security if one feels "safe" from the most current patches. Sure, it's good to be protected as much as possible but it's only PUBLICLY DOCUMENTED vulnerabilities...
Hmm, sorry but that deserves a 'wat?'. If there is a publicly disclosed vulnerability, it makes every sense for an admin to feel safer for the system that has been patched than for the system that hasn't been, DUCY?
 
1 members found this post helpful.
Old 01-29-2012, 02:30 PM   #22
onebuck
Moderator
 
Registered: Jan 2005
Location: Central Florida 20 minutes from Disney World
Distribution: Slackware®
Posts: 13,925
Blog Entries: 44

Rep: Reputation: 3159
Member response

Hi

Quote:
Originally Posted by klearview View Post
Hmm, sorry but that deserves a 'wat?'. If there is a publicly disclosed vulnerability, it makes every sense for an admin to feel safer for the system that has been patched than for the system that hasn't been, DUCY?
Slackware never has been nor will ever be a hold your hand distribution. As to my systems and vulnerability I will take care of things as needed. If you feel a public disclosed vulnerability has been disclosed then why not let us know it. Thus we as users and supporters can help everyone. Here at LQ, we share & help each other all the time. How would this be any different?

Hypothesize all you want! That will not change the fact '-current' is slow for now. NO harm!

As other members have stated; Take a deep breath, relax and let us all take a step back to look with anticipation salted with patience & enjoy what we do have.
 
Old 01-29-2012, 04:06 PM   #23
smoooth103
Member
 
Registered: Aug 2009
Location: NC, USA
Distribution: Slackware (64 bit)
Posts: 242

Rep: Reputation: 62
I don't know of any vulnerability; I'm just saying that people should relax about being a few weeks back on security patches. Because, more than likely, there are (bad?) people who discover vulnerabilities and they may not choose to release them publicly. Just trying to point out that even though you have all the updated "patches" that it doesn't mean you are secure. Sure, it helps... but just saying.
 
Old 01-29-2012, 06:03 PM   #24
T3slider
Senior Member
 
Registered: Jul 2007
Distribution: Slackware64-14.1
Posts: 2,367

Rep: Reputation: 843
Quote:
Originally Posted by smoooth103 View Post
I don't know of any vulnerability; I'm just saying that people should relax about being a few weeks back on security patches. Because, more than likely, there are (bad?) people who discover vulnerabilities and they may not choose to release them publicly. Just trying to point out that even though you have all the updated "patches" that it doesn't mean you are secure. Sure, it helps... but just saying.
It is significantly easier to browse disclosed vulnerabilities and produce malware around it than to discover a 0-day exploit and produce malware before it is discovered. Security isn't a product, it's a process, and by leaving your system unpatched you are more likely to encounter malware. Malware in the wild is rare on Linux in general -- but that doesn't mean you should never update software. The vast majority of exploits in the wild are based on disclosed vulnerabilities, and those that are based on 0-day exploits often get disclosed soon enough as well. Right now none of these are being patched on Slackware.

I don't really care that -current isn't moving, but it is unsettling that stable isn't receiving security updates. Pat has always taken a pretty relaxed approach to security updates, but at least the major ones were covered. At this point in time, that can no longer be said. It's not enough of a worry to me (yet) to move on, but if the situation remains as it is 3 or 6 months from now...then using Slackware may no longer be the responsible choice. At *this* point though, I'm OK with riding it out, as long as Slackware isn't in limbo indefinitely.
 
4 members found this post helpful.
Old 01-29-2012, 06:07 PM   #25
GazL
LQ Veteran
 
Registered: May 2008
Posts: 6,897

Rep: Reputation: 5019
While skilled black-hats with an arsenal of exploits for undisclosed vulnerabilities are no doubt out there, they're not likely to take much of an interest in the likes of us. The bigger threat is from script-kiddies running automated exploits for the latest vulnerabilities which they have downloaded, couldn't have written themselves and don't understand, and that is why keeping up with the latest updates is important.

While there is always a danger of being exploited with a zero-day, I suspect the number of systems actually compromised by such is not statistically significant.
 
Old 01-29-2012, 07:36 PM   #26
cwizardone
LQ Veteran
 
Registered: Feb 2007
Distribution: Slackware64-current with "True Multilib" and KDE4Town.
Posts: 9,099

Rep: Reputation: 7276
Quote:
Originally Posted by GazL View Post
Yes, 6 weeks is not all that long, but if you take a look at what's been done over the last 8 months or so since 13.37 released...
Nine months and a couple of days at this point. This can't drag on too much longer without Slackware's reputation getting seriously damaged.
 
Old 01-29-2012, 07:52 PM   #27
Richard Cranium
Senior Member
 
Registered: Apr 2009
Location: McKinney, Texas
Distribution: Slackware64 15.0
Posts: 3,858

Rep: Reputation: 2225
Quote:
Originally Posted by cwizardone View Post
Nine months and a couple of days at this point. This can't drag on too much longer without Slackware's reputation getting seriously damaged.
Too bad they removed the "no" option to the "Was this post helpful?" question.
 
5 members found this post helpful.
Old 01-29-2012, 08:19 PM   #28
bonixavier
Member
 
Registered: Sep 2010
Distribution: Slackware
Posts: 320

Rep: Reputation: 69
I hope that if Pat chose to do something else (which I hope he doesn't, but will understand if he does), the rest of the Slackware team will decide to keep the ball rolling, even if with a different name. The other distros are annoying.
 
Old 01-29-2012, 08:26 PM   #29
R3V0LV3R
Member
 
Registered: Nov 2011
Posts: 78

Rep: Reputation: 11
Quote:
Originally Posted by bonixavier View Post
The other distros are annoying.
I was just sitting here thinking the same thing. Not sure what else I'd use that has a similar flavor & experience. Maybe BSD.
 
Old 01-29-2012, 08:38 PM   #30
kingbeowulf
Senior Member
 
Registered: Oct 2003
Location: WA
Distribution: Slackware
Posts: 1,266
Blog Entries: 11

Rep: Reputation: 744
What the heck is the rush? System crashing? Slackware is not the sort of distro that needs constant updating. This frenzy for constant updates is just nuts. If a slack user gets nervous about all the "security flaws" just freaking update that package yourself. If I had my wish, PV would only release once a year with only monthly updates.

Let PV take a breather and/or hang with his family.
 
4 members found this post helpful.
  

