
Re: The New Security Build Infrastructure

On Wed, Jun 19, 2002 at 10:04:35AM +0200, Florian Weimer wrote:
> > This is the way it is with security, it is that way for some very good
> > reasons.
> It's the current way with security, and this way is fundamentally
> flawed.  I'm sad that Debian now supports this process actively, even
> though it requires breaking the Social Contract (at least its spirit).

This is complete garbage.  First of all, there is a community of vendors
that tries to coordinate the release of updated packages when a
vulnerability is discovered.  Debian is a member of this community, and
is therefore able to fix bugs *before* they're announced publicly.  If
we were to start ignoring the efforts to coordinate security updates,
then we would quickly be kicked out of that vendor community.  If that
happened, we would have no way to provide security fixes in a timely
manner.  All the other vendors would have a head start of potentially
weeks or months, and Debian would be left to scramble for a fix once the
CERT advisory is out.  We would be doing a major disservice to our users
if we did not coordinate with other distribution vendors in this manner.

Have you noticed that CERT advisories come out at almost exactly the
same time as vendors release their security updates?  Do you honestly
think that the vendors would be able to get security updates out that
quickly if the CERT advisory was the first they'd heard of the problem?

This system is most definitely not fundamentally flawed.  It's the only
responsible way to maintain a secure distribution.  In the past, it was
not done this way, and the current system grew out of frustration with
the lack of coordination.


| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html 
