
Re: dead hoarse, crawling away.



Colin Watson wrote:
> 
> Helgi Örn <hood@extra.netlink.se> wrote:
> >guran remberg wrote:
> >> I have just read an article by a chap named Kurt Seifrieds, which was
> >> mainly about security on Debian. I was alarmed and have decided to
> >> switch to Red Hat as many experts advise can be used to secure it.
> >
> >Why not give us a link to this 'article'?
> 
> It was well-publicized around the time potato was released; you should
> be able to find it if you have a look back in the archives. A look
> through the archives will also reveal the large number of factual
> inaccuracies, misunderstandings, and just plain bias that that same
> article contained.
> 
> I believe some of the worse inaccuracies - like the author not having
> bothered to read changelogs to find out whether the security holes he
> believed were present had actually been closed - have been fixed in more
> recent revisions of the article.
> 
Yes, as I recall, his essential misunderstanding was that he didn't know
that security fixes were "backported"; i.e., incorporated in the Debian
source without upgrading to a later version of the program in question.

I.e., he'd notice that Debian had not upgraded to version 1.2 of
foobard, which closed a security hole, when in reality the Debian
maintainer had patched foobard 1.1 to close the hole, and that was
reflected in the changelogs, which he hadn't realized he needed to look
at.

An understandable *initial* impression, but he shouldn't have released
the article without asking some Debian-knowledgeable person about the
issue.

This whole issue accounts for this from "remberg":

"...your proprietary way of ... down-patching
found bugs instead of upgrading"

Which made more sense than anything else he wrote.

Personally, I'd rather have the security patch backported than have to
deal with a whole new version of something that hadn't been
integration-tested.  And I think I'm not alone...
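The mistake described in this message is easy to reproduce mechanically: a scanner that only compares upstream version numbers will flag a backported fix as missing, while the package's changelog records the fix under the patched Debian revision. The script below is an added illustration, not code from this thread or from Debian; the package name foobard, the changelog entries and the maintainer address are constructed for the example, and the version handling is a deliberately simplified split of epoch/upstream/revision, not dpkg's full comparison algorithm.

```python
"""Contrast a version-number-only check with a changelog check for a
backported security fix in a Debian package.  Example code with a
constructed changelog; not part of the original mailing-list message."""
import re
from dataclasses import dataclass, field

# Constructed debian/changelog for the hypothetical package "foobard".
# Stanzas are newest-first, as in a real changelog.  The 1.1-3 entry
# records a backport of a fix that upstream shipped in 1.2.
SAMPLE_CHANGELOG = """\
foobard (1.1-3) stable; urgency=high

  * Backport the upstream fix for the buffer overflow in the request
    parser, closed upstream in 1.2.

 -- Example Maintainer <maint@example.org>  Mon, 21 Aug 2000 10:00:00 +0200

foobard (1.1-2) unstable; urgency=low

  * Fix a typo in the manual page.

 -- Example Maintainer <maint@example.org>  Tue, 01 Feb 2000 12:00:00 +0100

foobard (1.1-1) unstable; urgency=low

  * New upstream release.

 -- Example Maintainer <maint@example.org>  Mon, 10 Jan 2000 09:00:00 +0100
"""

# Stanza header: "package (version) distribution; urgency=value"
HEADER_RE = re.compile(
    r"^(?P<pkg>[a-z0-9][a-z0-9+.-]*) \((?P<version>[^)]+)\) "
    r"(?P<dist>[^;]+); urgency=(?P<urgency>\S+)"
)
# Stanza trailer: " -- Name <email>  date"
TRAILER_RE = re.compile(r"^ -- .+<.+>  .+$")


@dataclass
class Entry:
    package: str
    version: str
    distribution: str
    urgency: str
    changes: list = field(default_factory=list)


def parse_changelog(text):
    """Return the changelog stanzas, newest first."""
    entries, current = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = Entry(m["pkg"], m["version"], m["dist"], m["urgency"])
            entries.append(current)
        elif current is not None and TRAILER_RE.match(line):
            current = None  # stanza closed by the maintainer trailer
        elif current is not None and line.strip():
            current.changes.append(line.strip())
    return entries


def split_version(debian_version):
    """Split 'epoch:upstream-revision' into (epoch, upstream, revision).
    Simplified: does not implement dpkg's full ordering rules."""
    epoch, v = 0, debian_version
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    upstream, revision = (v.rsplit("-", 1) if "-" in v else (v, ""))
    return epoch, upstream, revision


def numeric_tuple(s):
    return tuple(int(x) for x in re.findall(r"\d+", s))


def naive_upstream_check(installed, fixed_upstream):
    """What a version-only scanner does: True only if the upstream part of
    the installed version is at least the upstream version that fixed it."""
    _, upstream, _ = split_version(installed)
    return numeric_tuple(upstream) >= numeric_tuple(fixed_upstream)


def changelog_check(text, installed, keywords):
    """Return the version whose changelog entry mentions any keyword, looking
    only at the installed revision and the ones before it; None if absent."""
    entries = parse_changelog(text)
    versions = [e.version for e in entries]
    if installed not in versions:
        raise ValueError(f"{installed} not found in changelog")
    for entry in entries[versions.index(installed):]:
        text_blob = " ".join(entry.changes).lower()
        if any(k.lower() in text_blob for k in keywords):
            return entry.version
    return None


if __name__ == "__main__":
    inst = "1.1-3"
    print("version-only check says fixed:",
          naive_upstream_check(inst, "1.2"))              # False: misleading
    print("changelog says fix landed in:",
          changelog_check(SAMPLE_CHANGELOG, inst, ["buffer overflow"]))
```

On a Debian system the text this script parses is what `apt changelog <package>` (or `apt-get changelog`) fetches; the point of the example is that the backported fix is visible only there, so any audit that stops at the upstream version string reaches the wrong conclusion.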


