Re: netscape security hole
Marko Cehaja wrote:
> Dear
>
> sorry, I wanted to post it to the list. So previous email went to you
> privately.
>
> On Thu, Aug 10, 2000 at 01:56:18PM -0400, Mike Werner wrote:
> > >
> > > You are wrong. apt-get is: package handling utility. It is not Debian-Linux
> > > installer. You can *add* any deb packages to your Debian GNU/Linux by
> > > using apt and its configuration files.
> > >
> > > It is still far away of that package existing in Debian Distribution.
> >
> > By your reasoning damn near *nothing* exists as part of Debian, then. How
> > much of the software available via apt-get is actually written by the Debian
> > team? Maybe 5%? The rest is software that has been *packaged* in deb
> > format, but written by someone else. So now I'm curious as to just what it
> > takes to be considered to exist as part of Debian?
>
> Please read the Debian Social Contract policy:
> http://www.debian.org/social_contract
>
> If you want to see which packages do exist in Debian, refer to:
> http://www.debian.org/distrib/packages
>
> Anything what is not there, isn't part of Debian.
I went and looked at that page, and lo and behold there's a whole slew of
Netscape packages. Just like the ones I've used to install Netscape onto my
systems. Oh, wait a minute. Those *are* the packages I used.
> > > And regarding that security bug - well, ipchains and other tools do exist
> > > on Debian.
> >
> > But how can they exist in Debian? They weren't written by the Debian team.
> > They were just packaged by the Debian team, just like Netscape was. And if
> > Netscape doesn't exist in Debian, then ipchains can't exist either.
>
> Debian is kind of free-OS, with strong points on security as well.
> If Netscape *would* exist in Debian, you would almost immediately find the
> security alert on Debian site, first page.
I've received a number of recent security announcements via email
(debian-security-announce email list) that have not appeared on that page.
Seems that Security blurb there isn't very up to date.
> > > Therefore is that bug purely in Netscape.
> >
> > This is pure pedantic twaddle. If a bug in a package that is made available
> > for installation by a distribution creates a security hole, then the
> > distribution has a security hole. If we go by your reasoning that security
> > holes in packages are purely a problem with that package and not with the
> > distribution, then a distribution can *never* be said to have a security
> > hole.
>
> I am not sure if you follow. Netscape isn't part of Debian. You have to
> get Netscape from third party company.
No, you don't. Netscape has been packaged for Debian, in debs, available
straight from the Debian ftp server. That pretty much meets the test for
existance in my book.
> It is up on you as system administrator to know what kind of software you
> install on computer anyway.
Exactly. dpkg -l comes in handy for keeping track of such things, and ...
HAL9000:~$ dpkg -l
.
.
ii navigator-base-4 4.73-19 Navigator base support for version 4.73
ii navigator-smotif 4.73-19 Netscape Navigator 4.73 (static Motif)
.
.
ii netscape-base-4 4.73-32 Popular World-Wide-Web browser software (base su
ii netscape-base-47 4.73-19 4.73 base support for netscape
ii netscape-java-47 4.73-19 Netscape Java support for version 4.73
hey, wait a minute! How'd Netscape get into that list?!? It can't do that!
It's not part of Debian!
HAL9000:~$ ls -l /var/cache/apt/archives/
.
.
-rw------- 1 root root 7078 Jun 22 13:25 navigator-base-473_4.73-19_i386.deb
-rw------- 1 root root 3227630 Jun 22 13:25 navigator-smotif-473_4.73-19_i386.deb
-rw------- 1 root root 13368 Jun 22 13:25 netscape-base-473_4.73-19_i386.deb
-rw------- 1 root root 28736 Jun 22 22:40 netscape-base-4_1%3a4.73-32_i386.deb
-rw------- 1 root root 5754170 Jun 22 13:25 netscape-java-473_4.73-19_all.deb
That's odd. I wonder where those Netscape debs came from? Oh yeah! I got
'em from the Debian site via apt. But ... I couldn't have. Netscape's not
part of Debian. Curiouser and curiouser.
> Debian isn't vulnerable to that bug in Java.
Well, of course not. After all, since Netscape isn't part of Debian (even
though it's listed on the Packages site you mentioned, and the debs are
there on the ftp site, and ... oh to heck with it) then obviously Debian
couldn't be vulnerable.
--
Mike Werner KA8YSD | He that is slow to believe anything and
| everything is of great understanding,
'91 GS500E | for belief in one false principle is the
Morgantown WV | beginning of all unwisdom.
Reply to: