Moving Asterisk into main

Kees Cook kees at ubuntu.com
Tue Jan 13 19:40:57 GMT 2009


On Mon, Jan 12, 2009 at 01:22:48PM -0500, Joe Terranova wrote:
> one issue that keeps companies from using Asterisk on Ubuntu is the
> security risk: Asterisk isn't kept up-to-date with security fixes
> because it isn't in the main repository.

On the other hand, it's not entirely ignored, either.  It has gotten
attention, but it does depend on interested community members to do the
patch hunting, backporting, and testing.

> Do developers see any issues with moving Asterisk to the main
> repository? The stable release, 1.4, is only updated for bug fixes and
> security issues; maintaining Asterisk seems to be rather easy -- it
> just needs to get done, regularly.

Moving it to main doesn't solve the resource problem: someone still
needs to do the updates, and resources are limited.  I would recommend
creating a community of people that care about Asterisk, and getting
involved with motu-swat[1] to do the patch hunting, backporting, and
testing to go through the Security Update Procedures[2].  If the Ubuntu
asterisk package received continued support from folks, it might even
qualify for a MicroReleaseException[3].

> I am, of course, happy to help in any way I can.

Getting patches into the existing releases is the best way to solve this.
Please see [2], we'd love the help.  :)  I use asterisk myself and have
tended to hunt down patches for some of the more serious issues.

Thanks,

-Kees

[1] https://wiki.ubuntu.com/SecurityTeam/GettingInvolved
[2] https://wiki.ubuntu.com/SecurityUpdateProcedures
[3] https://wiki.ubuntu.com/StableReleaseUpdates/MicroReleaseExceptions

-- 
Kees Cook
Ubuntu Security Team


