Re: Why back-porting patches to stable instead of releasing a new package.
On Sat, Aug 16, 2003 at 10:44:17AM -0400, Matt Zimmerman wrote:
> On Sat, Aug 16, 2003 at 12:45:14AM -0400, Andrew Pimlott wrote:
> > Have you perhaps seen
> > http://lwn.net/Articles/44117/
> "Subscription required"
Sorry, I posted some alternate links in another message.
> > Debian's policy assures that all well-publicized
> > bugs get patched, but that doesn't mean that others don't slip through the
> > cracks.
> As compared to what policy, exactly? There exists no policy which can
> defend against unknown bugs. Period.
The policy of fixing bugs regardless of whether they are known to be
security holes. I know many people will dismiss this possibility
out of hand, and it would be a challenge (mostly in enforcing a
bug-fix-only restriction), but I think the result would be
significantly more secure and only slightly less stable.
> > A capable cracker targeting a Debian stable system has a simple algorithm:
> > browse upstream changelogs for closed holes that weren't publicized.
> Show me a distribution where that _doesn't_ apply. This is the reality of
> security. If you can't afford to audit everything, you rely on others to
> own up to their bugs.
Yes, but I'm saying we shouldn't rely on upstream, or even the
Debian maintainer, to distinguish security-related bugs. Then, at
least the cracker would have to find his own holes.
> > Actually, I know of one about which I am communicating with the
> > maintainer.
> ...but not the security team, apparently.
I thought it would be better to let the maintainer handle this, but
if I don't hear from him soon, I will inform the security team
myself. As the bug has existed since woody was released, I don't
think it is urgent.