
Re: Upcoming Debian Releases



> >> We can not make a release with a known security bug.  We either have to
> >> rebuild X 3.1 with a patch or ship with X 3.2.
> >
> >Here is where we differ.  I don't like releasing it as such, but I
> >honestly believe that those people who use "stable" will not be at
> >much risk from this hole.
> 
> I disagree. One of _the_ most important things in any distribution is
> security. It is crucial that we not ship packages with known, severe,
> exploitable holes - otherwise, Debian's reputation will _really_ go down
> the gurgler.

Agreed.  It does, however, need to have "exploitable" defined better...


> Here at Monash, I see a lot of people dialling in, using PPP, from Linux
> boxes. Many of these don't even have a root password! Today's standalone
> machine may well be tomorrow's networked box.. and if their distribution
> is to blame by including a known hole, they _will_ get themselves a
> different distribution, and discourage their friends from using Debian.

What you describe is a very serious problem as it allows anyone access
to their machine.

However, the X problem requires being able to log into their machine
in the first place.  That indicates that the user went through at least
a little trouble to make their machine multi-user.

The X security hole is not exploitable by anyone on the net.  It can
only be done by someone with a password.  (If I am mistaken on this,
please let me know -- I'd do a 180 faster than you can blink.)


> I could go on, but I firmly believe that it's better to slip another
> month and put 3.2 in Debian 1.2 than to ship "on time" with a security
> hole of this nature. We aren't Microsoft.

No, we're not.  We do, however, have the same reputation for being
late that Microsoft has.
                                             
                                          Brian
                                 ( bcwhite@verisim.com )
                                             
-------------------------------------------------------------------------------
     It's not the days in your life, but the life in your days that counts.


--
TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to
debian-devel-REQUEST@lists.debian.org . Trouble? e-mail to Bruce@Pixar.com