Re: Bug#437018: Network shouldn't be used/enforced on non-network installs

[Wouter Verhelst <wouter@debian.org>]

On Fri, Aug 10, 2007 at 07:20:20PM +0200, Stefano Canepa wrote:
> IMVHO security upgrades are a _must_, if the user is free to bypass this
> step I'm quite sure she/he will forgot to check for security update
> leave her/his system unsecure. 

I disagree. Security is always a tradeoff; it's not hard to imagine a
case where the right answer to "should I install security updates as
they come out" is "no".

Just a few exmples:

- A user on a low-speed Internet connection who only uses the Internet
  to read mail (once a week), and to do wikipedia lookups (for school,
  or some such). Staying up-to-date on security updates on a daily basis
  would require transferring way more data for the security updates than
  such a user consumes for 'regular' network access anyway. Yes,
  low-speed Internet still exists today -- many broadband ISPs provide
  very cheap 64kbit/s connections (with a cap on bandwidth usage, or
  paid per minute) over ADSL or cable in their low-end product range.
  For users in this case, buying a CD set rather than trying to install
  over the Internet is the best choice.
- In one case, I set up a server for a customer where the only accounts
  were system administrator accounts (who all have root anyway), the
  only network-accessible open ports apart from SSH would be managed by
  a proprietary Java application, and the only data that would get on
  the system would be stuff produced by this Java application. The whole
  system was accessible only from the corporate network. While security
  updates for that Java application do make sense, getting security
  updates for obscure parts of the operating system underneath don't
  make as much sense there -- especially not given the amount of hoops
  we'd have to jump through to get the security updates on that machine
  was rather high (a rather paranoid firewall with NTLM-authenticated
  proxy-access only, with a rather complex bureaucracy required to get
  an exception...).
- To get slightly extreme: what's the value of security updates for a
  home system which is only connected to the rest of the world through a
  printer, a keyboard and a scanner? Are you going to implement RFC1149?

Of course security updates should be enabled by default, and I do agree
that it's sensible for the system to _ask_ to try to install security
updates even if there's no network. But there are cases where security
updates don't make much sense, and I do think that the current behaviour
("there's no working connection to the Internet, but what the heck,
we'll try anyway, and if it doesn't work, the admin will have to wait
for the connection to time out an insane number of times") is a bug.

-- 
<Lo-lan-do> Home is where you have to wash the dishes.
  -- #debian-devel, Freenode, 2004-09-22