
Re: secure installation



Javier Fernández-Sanguino Peña wrote:
> On Tue, Aug 21, 2007 at 09:00:47AM +0200, Johannes Wiedersich wrote:
>> Not exactly true. Debian adds security repositories to apt's sources,
>> that's true. But it does _not_ automatically install them on your
>> system. It was my point that debian does not by default provide an
>> automated system to _install_ security updates.
> 
> Yes, a Debian default install *does* install security updates.

Only at the installation. It does *not* automatically install security
updates on a regular basis, and that was my point. Read my mail again.

>> So even automatic _reminders_ to install security updates are only
>> enabled, if the user either installs gnome (I use kde) or specifically
>> knows of and installs the appropriate tool. I have not tried
>> exhaustively, but update-manager does not appear to work 'automatically'
>> with kde, at least not for myself. It only works, if I start it manually
>> and that's even less convenient than a simple 'aptitude update; aptitude
>> upgrade'.
> 
> GNOME is the *standard* desktop environment in Debian. A default Debian
> installation installs both KDE and GNOME but gdm is the default window
> manager and when users login they get into a GNOME Desktop by default. So
> your "if the user either installs gnome..." conditional is moot.

User's choices are different. There is an official installation CD that
installs kde without gnome. A *standard* installation installs neither
gnome nor kde, though the desktop task may install both (haven't checked
in a while).

>> Note that I am not saying that I miss this 'automatic security'.
>> Conversely, my point was that the user should be educated to know and
>> care about security and should not be educated to trust any 'automatic
>> security'.
> 
> Educating users also involves raising awareness that they *have* to keep
> their system up-to-date with security patches both to prevent local and
> remote exploits. The fact that KDE (or Xfce) does not have an equivalent to
> the update-manager is IMHO, worrisome, as users of that Desktop environment
> might not be as aware of this need as users of GNOME.

I agree with the first half of that statement, but I fail to grasp why
kde users (including, say, Linus T.) should be less aware of security
than gnome users. Are you just trying to start a flame?

Maybe the lack of an update-manager for kde just reflects the fact that
kde users are more security aware and don't need as much automatic
nagging. (I am not claiming that this is the case, I am just claiming
that it is just as legitimate to claim the opposite of what you have
been claiming.)

> Update-manager does a good job at highlighting security updates and
> explaining why they are needed. Even if it does not force users to install
> them.

Agreed.

Johannes


