
Re: Disappointment in security handling in Debian



Lucien,

I've proposed a secure by default configuration for new Debian
installations on this list before. It drew harsh criticism from at least
one person whose belief it was that those who lack the knowledge to secure
their systems deserve to be rooted. Because of this attitude, and the
fact that maintainers of several packages of questionable security (eg
NFS) refuse to move their packages out of `standard' and into `optional'
or `extra', I have my doubts that Debian will be secure by default anytime
soon. If secure by default is what you want, you'll probably be better off
with OpenBSD, where secure by default is their policy.

Regards,

Alex.

---
PGP/GPG Fingerprint:
  EFD1 AC6C 7ED5 E453 C367  AC7A B474 16E0 758D 7ED9

-----BEGIN GEEK CODE BLOCK-----
Version: 3.12
GCS/CM>CC/IT d- s:+ a16 C++(++++)>$ UL++++>$ P--- L++>++$ E+ W+(-) N+ o? K? w---() 
!O !M !V PS+(++)>+ PE-(--) Y+>+ PGP t+>++ !5 X-- R>++ tv(+) b+(++) DI(+) D++ 
G>+++ e--> h! !r y>+++ 
------END GEEK CODE BLOCK------

On Thu, 1 Feb 2001, A. L. Meyers wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> 
> On Thursday 01 February 2001 07:01, Daniel Jacobowitz wrote:
> > On Wed, Jan 31, 2001 at 08:56:24AM +1100, Craig Small wrote:
> > > G'day,
> > >   I'm writing this to express my frustration at the slowness Debian
> > > seems to be afflicted with when it comes to letting people know about
> > > our security vulnerabilities and fixes.
> > >
> > > We seem to be able to find, fix and upload fixed packages quite
> > > quickly, however we are usually the last to let others know that they
> > > should upgrade to the new packages, making our users unnecessarily
> > > vulnerable.
> >
> > I beg your pardon?  This isn't the general case at all.  Your example
> > is certainly accurate, but to my knowledge lprng is the only thing to
> > slip through the cracks that way in a year.  We're often behind with
> > fixes in general, but when we post a fix the advisory generally goes
> > out the same day!
> >
> > Dan
> >
> > /--------------------------------\  /--------------------------------\
> >
> > |       Daniel Jacobowitz        |__|        SCS Class of 2002       |
> > |   Debian GNU/Linux Developer    __    Carnegie Mellon University   |
> > |         dan@debian.org         |  |       dmj+@andrew.cmu.edu      |
> >
> > \--------------------------------/  \--------------------------------/
> Dear GNU/Debianites,
> 
> "errare humanum est"
> 
> Even the best are not perfect.
> 
> But security tracking is one of the areas where open source shines the most.
> 
> Proprietary closed source systems can't even come remotely close to the
> security auditing and security improvement controls implemented by open
> source = open scrutiny.
> 
> With the security vulnerabilities of the internet, my hope is that there will
> soon be a paradigm shift to: "secure by default".
> 
> Greetings,
> 
> Lucien
> --
> This message may contain confidential data intended only for the rightful
> addressee. Should you receive it by error, please delete it at once and
> inform the sender. We encourage the use of encrypted e-mail.
> Please visit our web site: http://www.consult-meyers.com
> 
> 
> 
