
Re: The New Security Build Infrastructure



Scott James Remnant set us up the following:
> Stephen Frost wrote:
> 
> > So, which would you prefer, for there to be a package ready when you
> > find out, or for there to not be one?
> > 
> From a user point of view, the latter.  I'd rather pull a service down
> because of an exploit, and wait for a package than to not know about an
> exploit for one of my systems.

that works once.

currently:
  t=0   researcher finds security vulnerability in foo
  t=1   researcher alerts vendors, including debian, indicates public
        disclosure at t=5
  t=4   vendors have new patched packages ready, including debian
  t=5   researcher releases information
  t=5.1 vendors release patched packages.

repeat ad infinitum

proposal:
  t=0   researcher finds security vulnerability in baz
  t=1   researcher alerts vendors, including debian, indicates public
        disclosure at t=5
  t=1.1 debian releases PUBLIC advisory
  t=1.2 researcher flames debian, other vendors flame debian, vendors
        scramble to make half-ass patched packages ready, including
        debian.
  t=2..4 half assed patches ready from vendors, as they come pouring in.
        debian with 11 architectures comes in dead last
  t=10  researcher finds security vulnerability in geewiz
  t=11  researcher alerts vendors, _excluding_ debian, indicates public
        disclosure at t=15
  t=14  vendors, _excluding_ debian, have patched packages ready
  t=15  researcher releases information to public
  t=15.1 vendors, _excluding_ debian, release patched packages.
  t=15.2 debian scrambles to make patches.
  t=18  after building on 11 architectures, debian releases patched
        packages
  t=18.1 users flame debian for being so slow, by allowing them to run
        with _known_ _vulnerable_ services.

repeat t=10 to t=18.1 ad infinitum

so you get early notification _once_, or you get timely patches _each
time_.  take your pick.

proof of concept: (if you don't remember details, google can help)
one vendor (redhat) took a lot of heat by doing exactly that: they
accidentally released a vulnerability notification early. a lot of people
were very unhappy by it. could you imagine the backlash that debian
would get, if debian did that as _a_ _matter_ _of_ _policy_?

http://www.infosecuritymag.com/2001/dec/digest03.shtml

-john
