Re: What do you think of this...
On Wed, Jul 26, 2000 at 05:41:37 -0500, Ricardo Adolfo Rodríguez wrote:
> I read this on vivalinux.com.ar
> Honestly I don't agree, but since I'm not a hardcore Debianer..:(..
> I won't speak too loudly... what do you all think?
> Comparing Security on Linux
> Posted by vivab0rg on 26-07-2000 @ 01:04 AM (read: 0 times - hits: 0)
> For the more paranoid among our friends and/or
> sysadmins, this article on SecurityPortal is going to
I'm forwarding you the reply from Joey Hess, a Debian developer, to the
SecurityPortal people. You can see it in the attached file.
Javier Viñuales Gutiérrez <email@example.com>
Webs: http://www.ctv.es/USERS/vigu Personal
PGP public key: http://www.ctv.es/USERS/vigu/vigu.pubkey
In <http://www.securityportal.com/cover/coverstory20000724.html>, you
> I have not fully covered Slackware and Debian, with their ridiculously
> slow release schedules.
I'm very disappointed on two levels: First that you provide such a
comprehensive and useful report and yet omit one of the more popular linux
distributions, and second that you have made such an erroneous assumption
about Debian's release methodology.
Your main mistake is that you have failed to realize that Debian
releases timely security fixes, which are distributed to Debian users
via the internet. Users can choose to configure their systems to receive
these updates. This makes release intervals orthogonal to whether users
receive security fixes.
Moreover, Debian has _frequent_ minor releases. These releases consist
mostly of security fixes, and they serve to get the security fixes out
to fresh Debian installs, plus to anyone who installs from CD and does
not set up their system to receive security fixes via the net. You may
have missed these releases, since in Debian, "2.1" is a new major
release (with an implied "r1"), while "2.1r2" is the first minor release
-- an unusual nomenclature compared to the other distributions.
Interestingly, minor releases of Debian 2.1 have occurred more frequently
than minor releases of Red Hat 6 (which, as you note, "shoves a new version
out the door every 6 months like clockwork").
    Debian      Red Hat
    104 days    161 days
    117 days    175 days
[ Interestingly, a poster on slashdot has numbers that show that
the other distribution you left out (Slackware) also releases just as
frequently as Red Hat. ]
In light of these problems, I think it would be quite beneficial if you
added Debian to your paper. Security announcements since 1998 are
archived in both the archives of the debian-security-announce mailing
list, and on http://security.debian.org/ (which also includes
advisories from 1997). So, I dug up some numbers (I read the changelog
pointed to by footnote 2, and counted security fixes. This is probably
not as accurate as your numbers.)
Release Security Alerts
Moving on to the second part of your paper, specific incidents and how
quickly distributions responded, I've looked up some data on Debian's
Local root exploit in kernel <2.2.15, announced on June 8th.
On June 12th, Debian announced it had fixed the hole *before*
the exploit was announced, and thus was not vulnerable.
fdmount, announced May 22.
Debian has never installed it suid, and thus has never been
vulnerable (as you noted -- thanks).
By the way, I think this section of your paper looked at too few holes to
draw any real conclusions from. But Debian seems to have been near the
head of the pack in this limited sampling.
In closing, I'd like to point out that the current 1 and a half[5] year --
not 2 year as you continually state -- gap between Debian 2.1 and 2.2 is
so far an exception, and not -- as you continually imply -- a rule. Major
see shy jo, fond of lies, damn lies, and statistics
 (For instructions to configure a Debian system to receive such fixes,
see for example, http://security.debian.org/, in the 5th paragraph.)
 This information from ftp://ftp.debian.org/debian/dists/stable/Debian2.1r5
 I'm not going to argue this in detail, but just see how people reacted to
your omissions on slashdot. Debian has a rather large mindshare, though
its market share is less quantifiable.