Re: The New Security Build Infrastructure
Scott James Remnant set us up the following:
> Stephen Frost wrote:
>
> > So, which would you prefer, for there to be a package ready when you
> > find out, or for there to not be one?
> >
> From a user point of view, the latter. I'd rather pull a service down
> because of an exploit, and wait for a package than to not know about an
> exploit for one of my systems.
that works once.
currently:
t=0 researcher finds security vulnerability in foo
t=1 researcher alerts vendors, including debian, indicates public
disclosure at t=5
t=4 vendors have new patched packages ready, including debian
t=5 researcher releases information
t=5.1 vendors release patched packages.
repeat ad infinitum
proposal:
t=0 researcher finds security vulnerability in baz
t=1 researcher alerts vendors, including debian, indicates public
disclosure at t=5
t=1.1 debian releases PUBLIC advisory
t=1.2 researcher flames debian, other vendors flame debian, vendors
scramble to make half-assed patched packages ready, including
debian.
t=2..4 half-assed patches ready from vendors, as they come pouring in.
debian with 11 architectures comes in dead last
t=10 researcher finds security vulnerability in geewiz
t=11 researcher alerts vendors, _excluding_ debian, indicates public
disclosure at t=15
t=14 vendors, _excluding_ debian, have patched packages ready
t=15 researcher releases information to public
t=15.1 vendors, _excluding_ debian, release patched packages.
t=15.2 debian scrambles to make patches.
t=18 after building on 11 architectures, debian releases patched
packages
t=18.1 users flame debian for being so slow, by allowing them to run
with _known_ _vulnerable_ services.
repeat t=10 to t=18.1 ad infinitum
so you get early notification _once_, or you get timely patches _each
time_. take your pick.
proof of concept: (if you don't remember details, google can help)
one vendor (redhat) took a lot of heat by doing exactly that: they
accidentally released a vulnerability notification early. a lot of people
were very unhappy about it. could you imagine the backlash that debian
would get, if debian did that as _a_ _matter_ _of_ _policy_?
http://www.infosecuritymag.com/2001/dec/digest03.shtml
-john