
Re: Security Support by the Security-Team



Greetings,

On Saturday, 18 June 2005 09:04, Helmut Toplitzer wrote:
> Hi!
>
> Just a few remarks:
>
> << Use unstable or testing, and apply security fixes yourself.  Over
>
> In my opinion this is a bad suggestion. Maybe my last mail was a bit
> unclear about this. As security is a process rather than a state,
> your systems will hardly ever have all the available security patches.
> (Not to mention that it's not possible to keep up with this job
> if you are alone with it, which will be the case if you do it by
> hand for testing/unstable.)

Well, not necessarily. Security, as done, is a process and a state. You
either configure your daemons to run less-privileged and chroot'ed or you don't.
There is no process in this.

> So the question is how to deal with this. As every distribution has
> a security-team these days 

Not every...

> (or at least should have) it is possible 
> to get the security-patches in (quite short) time. 

Well, what is a "short time" here?

> They established
> processes for how these patches get into the distributions and do a lot
> of communication with each other so that none is missed.

At least we hope.

> (And if you ever tried to, you will know that this is a quite complex
> job to do if you want to do it well.)

Of course, at least consider the number of packages.

> As a result a lot of people rely on the work of these teams.
> Especially Debian has a very "open" way to do this.

This is wrong (more or less). Debian has access to non-disclosed information.
If you interpret the d-s-c in a strict way, it is not allowed either, but AFAIK
this has never been a big issue (?). (However, this is quite difficult to
discuss, 'cause full vs. non-disclosure is not settled at all.)

> Security
> problems are handled publicly if there's no request not to do it
> this way.

No.

> So if you protect your systems (more than 2) by these updates, you would
> be well advised to establish a process yourself how you get them onto
> your system and how - in general - you keep them more or less secure.

No. The truth is (at the moment and in the recent past) that you have to
backport the patches yourself, but Debian offers a framework for
porting.

> And the information if Debian-Security is
> working as expected is a very valuable one to people who did this.

How do you define "expected"? Debian security is not a just-in-time patch
delivery service working 24/7.
Imho Debian security is an instance allowing patches to get into stable. So if
you set up stable years after its release, it is realistic to assume that
no vuln older than a couple of months/weeks is included (if a patch is
available). (Well, there were some, even in essential packages, but you'll
know them if you follow this list.)

> Hopefully my considerations are clear now. (This mail became much
> longer than I wanted.)

Your considerations are quite clear, but imho you expect too much.
I decided to stop moaning and criticizing because

- I cannot do better
- I don't pay them - they are volunteers
- I don't have to use their services
- I said a lot, I triggered some processes I don't like to have happened
- I bashed on the wrong guys.
Keep smiling
yanosz 
