Re: Security Support by the Security-Team
On Saturday, 18 June 2005 09:04, Helmut Toplitzer wrote:
> Just a few remarks:
> << Use unstable or testing, and apply security fixes yourself. Over
> In my opinion this is a bad suggestion. Maybe my last mail was a bit
> unclear about this. As security is a process rather than a state,
> your systems will hardly ever have all the available security patches.
> (Not to mention that it's not possible to keep up with this job
> if you are alone with it, which will be the case if you do it by
> hand for testing/unstable.)
Well, not necessarily; security, as done, is a process and a state. You
either configure your daemons to run less-privileged and chroot'ed or you don't.
There is no process in this.
> So the question is how to deal with this. As every distribution has
> a security-team these days
> (or at least should have) it is possible
> to get the security-patches in (quite short) time.
Well, what is a "short time" here?
> They have established
> processes for how these patches get into the distributions and
> communicate a lot with each other so that none is missed.
At least we hope.
> (And if you ever tried to, you will know that this is a quite complex
> job to do if you want to do it well.)
Of course, at least consider the number of packages.
> As result a lot of people rely on the work of these teams.
> Especially Debian has a very "open" way to do this.
This is wrong (more or less). Debian has access to non-disclosed information.
If you interpret the d-s-c in a strict way, it is not allowed either, but AFAIK
this has never been a big issue (?). (However, this is quite difficult to
discuss, because full vs. non-disclosure is not settled at all.)
> problems are handled publicly if there's no request not to do it
> this way.
> So if you protect your systems (more than 2) by these updates, you would
> be well advised to establish a process yourself how you get them onto
> your system and how - in general - you keep them more or less secure.
No. The truth is (at the moment and in the recent past) that you have to
backport the patches yourself. But Debian offers a framework for
> And the information if Debian-Security is
> working as expected is a very valuable one to people who did this.
How do you define "expected"? Debian security is not a just-in-time patch
delivery service working 24/7.
Imho Debian security is an instance allowing patches to get into stable. So if
you set up stable years after its release, it is realistic to assume that
no vuln older than a couple of weeks/months is included (if a patch is
available). (Well, there were some, even in essential packages, but you'll
know about them if you follow this list.)
> Hopefully my considerations are clear now. (This mail became much
> longer than I wanted.)
Your considerations are quite clear, but imho you expect too much.
I decided to stop moaning and criticizing because
- I cannot do better
- I don't pay them - they are volunteers
- I don't have to use their services
- I said a lot; I triggered some processes I'd rather not have happened
- I bashed on the wrong guys.