[tcpdump-workers] Official patches for CVE-2014-8767/CVE-2014-8768/CVE-2014-8769?

Denis Ovsienko denis at ovsienko.info
Mon Nov 24 16:24:55 EST 2014

>I don't really want to put *all* my eggs on github. 

I agree that GitHub is a business and businesses are not always in good shape and are not forever in the best case. Specifically, many projects have had a lesson from SourceForge "developments" in the last few years.

Besides that, where a project is hosted does not matter as much as whether it has working backups (in this scope git provides a very convenient means to back up its own repositories). Hosting hardware and software just fail from time to time, whether the infrastructure is your own or sponsored by somebody else.

So the problem is to let GitHub do its good things to tcpdump yet to protect from the bad ones. To me it seems that for the next few years the best balance between survivability and convenience would be in continuing to use both GitHub and bpf.tcpdump.org, but with one important change. The changes should normally be committed to the GitHub instance only, as that's currently the environment that is most convenient for contributors of varying levels of experience. Then bpf.tcpdump.org would not experience auto-merging difficulties any more, and with the two repositories being 100% identical the read-only choice between the two will again become purely theoretical and a matter of taste. A weekly backup of bpf.tcpdump.org on top of that will bring complete peace of mind.

Does that sound reasonable?

    Denis Ovsienko
