Re: Debian glibc security update

To: Florian Weimer <Weimer@CERT.Uni-Stuttgart.DE>
Cc: debian-devel@lists.debian.org, letters@lwn.net
Subject: Re: Debian glibc security update
From: Branden Robinson <branden@debian.org>
Date: Thu, 17 Jan 2002 16:50:16 -0500
Message-id: <[🔎] 20020117215016.GL2879@deadbeast.net>
Mail-followup-to: Florian Weimer <Weimer@CERT.Uni-Stuttgart.DE>, debian-devel@lists.debian.org, letters@lwn.net
In-reply-to: <[🔎] 87elko6a15.fsf@CERT.Uni-Stuttgart.DE>
References: <[🔎] 20020117185617.GJ2879@deadbeast.net> <[🔎] 87elko6a15.fsf@CERT.Uni-Stuttgart.DE>

On Thu, Jan 17, 2002 at 08:40:38PM +0100, Florian Weimer wrote:
> > I don't know what calendar the LWN editorial staff uses, but where I
> > live, the duration from December 14th to January 13th (the day the
> > Debian security advisory was released), more closely resembles one month
> > than two.  (I would agree that falling behind even Red Hat is pretty
> > damning in the public eye, though.)
> 
> The vulnerability was know before 2001-11-29 (IIRC); that day, the fix
> was committed to the public GNU libc CVS at anoncvs.cygnus.com
> (nowadays Red Hat).
> 
> > Perhaps your point would be better taken if your arithmetic were more
> > accurate?
> 
> I don't know when Debian was notified of the problem, but it was
> probably before 2001-12-14.

If LWN is using Red Hat as the yardstick with which to excoriate Debian
for the untimeliness of its security updates, then 2001-12-14 is the
date in question.

It would be a very different situation if LWN has said, "well, Red Hat
was the best of a bad lot; it took them 2 weeks to get out a security
fix, whereas Debian took six."

I *still* don't know where this "2 months" figure is coming from.  Maybe
there was someone who knew about glibc's security vulnerability on
November 13th, but carry anything like this back far enough and you
eventually have an unfalsifiable hypothesis.  It seems to make sense to
start the clock running when the first vendor releases a security fix.

That said, Red Hat has been known to jump the gun on attempts at
coordinated releases across the various Linux and *BSD vendors.  They
always claim it's an honest mistake.  So perhaps starting the clock
running at the first released advisory isn't such a good metric either,
because in such a case it's not the other vendors' fault that they're
"late" -- one of their partners defected from the agreement.

Alternatively, we could conceptualize good security in terms more
complex than "penis war".  Imagine that.

-- 
G. Branden Robinson                |     If God had intended for man to go
Debian GNU/Linux                   |     about naked, we would have been
branden@debian.org                 |     born that way.
http://people.debian.org/~branden/ |

Attachment: pgpxRDdwMafUs.pgp
Description: PGP signature

Reply to:

References:
- Debian glibc security update
  - From: Branden Robinson <branden@debian.org>
- Re: Debian glibc security update
  - From: Florian Weimer <Weimer@CERT.Uni-Stuttgart.DE>

Prev by Date: Re: [kde] setting an /opt precedent
Next by Date: Re: [kde] setting an /opt precedent
Previous by thread: Re: Debian glibc security update
Next by thread: please stop the /opt discussion
Index(es):
- Date
- Thread