On Wed, Jun 19, 2002 at 10:04:35AM +0200, Florian Weimer wrote:

> > This is the way it is with security, it is that way for some very good
> > reasons.
>
> It's the current way with security, and this way is fundamentally
> flawed. I'm sad that Debian now supports this process actively, even
> though it requires breaking the Social Contract (at least its spirit).

This is complete garbage.

First of all, there is a community of vendors that tries to coordinate the release of updated packages when a vulnerability is discovered. Debian is a member of this community, and is therefore able to fix bugs *before* they're announced publicly. If we were to start ignoring the efforts to coordinate security updates, then we would quickly be kicked out of that vendor community. If that happened, we would have no way to provide security fixes in a timely manner.

All the other vendors would have a head start of potentially weeks or months, and Debian would be left to scramble for a fix once the CERT advisory is out. We would be doing a major disservice to our users if we did not coordinate with other distribution vendors in this manner.

Have you noticed that CERT advisories come out at almost exactly the same time as vendors release their security updates? Do you honestly think that the vendors would be able to get security updates out that quickly if the CERT advisory was the first they'd heard of the problem?

This system is most definitely not fundamentally flawed. It's the only responsible way to maintain a secure distribution. In the past, it was not done this way, and the current system grew out of frustration with the lack of coordination.

noah

--
_______________________________________________________
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html