Re: Debian for enterprise
On Sunday 16 November 2003 00:24, Jesse Meyer wrote:
> Debian-stable (the branch you want to be using for servers) tends to
> be several months to a year behind the bleeding edge. This bothers
> some people. For a server, I'd rather go with a tested solution than
> the bleeding edge, but others differ.
It's obviously a Good Thing[tm] to be as stable as possible on a server.
However, what I don't get is this: when you have packages like Snort, so
outdated that you should not use them (see DSA-297), why are they still
kept back? That's a real problem, IMHO.
I really can't see that there is any advantage to not upgrade these
packages in the distro itself, for example at point releases.
Obviously, you could argue that updating a package would break some
admin's system, but really, an admin who does use stable's package
needs a wake-up-call anyway.
The same thing goes for e.g. SpamAssassin, chkrootkit, nessus, and I
guess a few more.
The funny thing is that many of these are security related; I mean, what
a perfect way to trojan a bunch of newbies' machines: the newbie hears
on debian-user that he must update some of these packages. So, a
malicious cracker puts up a site with "official updates", which
the newbie finds on Google (or apt-get.org, perhaps), and adds it to his
sources.list. Instantly, he gets a version of Snort that ignores
attacks and a chkrootkit with a rootkit... Also, since the newbie
probably hasn't met anyone for a keysigning party, signatures won't
mean anything to him. Elegant, huh?
So, what level of experience would be required to discover such an
attack? I'm not sure I would discover it myself, but then, I _am_
pretty much a newbie myself. :-)
Homepage: http://www.kjetil.kjernsmo.net/ OpenPGP KeyID: 6A6A0BBC
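Added example, not part of this thread or of any Debian tooling: a small Python audit of a one-line-format sources.list that flags the kind of entry described above, i.e. a source whose host is outside an assumed allowlist of official Debian hosts, and any entry carrying apt's `[trusted=yes]` option, which tells apt to skip signature verification for that source. The allowlist and the sample file are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed allowlist of hosts treated as official; adjust to your own mirrors.
OFFICIAL_HOSTS = {"deb.debian.org", "security.debian.org", "ftp.debian.org"}

# deb|deb-src [options] URI suite [components...]  (one-line sources.list format)
LINE_RE = re.compile(
    r"^(?P<type>deb|deb-src)\s+(?:\[(?P<opts>[^\]]*)\]\s+)?"
    r"(?P<uri>\S+)\s+(?P<suite>\S+)(?P<comps>.*)$"
)

def parse_line(line):
    """Parse one sources.list line; None for blank/comment lines, 'error' key if unparseable."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    m = LINE_RE.match(line)
    if not m:
        return {"raw": line, "error": "unparseable"}
    opts = {}
    for opt in (m.group("opts") or "").split():
        key, _, value = opt.partition("=")
        opts[key] = value
    return {"type": m.group("type"), "uri": m.group("uri"), "suite": m.group("suite"),
            "components": m.group("comps").split(), "options": opts, "raw": line}

def audit(text, official_hosts=OFFICIAL_HOSTS):
    """Return a list of (entry, reason) findings for sources that weaken trust."""
    findings = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        if "error" in entry:
            findings.append((entry["raw"], "unparseable entry"))
            continue
        host = urlparse(entry["uri"]).hostname or ""
        if entry["options"].get("trusted") == "yes":
            findings.append((entry["raw"], "trusted=yes disables signature checking"))
        if host not in official_hosts:
            findings.append((entry["raw"], f"non-official host {host!r}"))
    return findings

# Constructed sample sources.list: two official entries, a comment, and one "updates" site.
SAMPLE = """deb http://deb.debian.org/debian stable main contrib
deb http://security.debian.org/debian-security stable-security main
# deb http://old.example.org/debian stable main
deb [trusted=yes] http://updates.example.net/debian stable main
deb-src http://deb.debian.org/debian stable main
"""

if __name__ == "__main__":
    for entry, reason in audit(SAMPLE):
        print(f"WARNING: {reason}: {entry}")
```

The third sample entry produces two warnings; the official entries and the commented-out line produce none.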