
Re: The New Security Build Infrastructure



On Wed, Jun 19, 2002 at 10:04:35AM +0200, Florian Weimer wrote:
> Stephen Stafford <stephen@clothcat.demon.co.uk> writes:
> 
> >> By the way, handling security updates this way conflicts more and more
> >> with the Social Contract in its current form.
> >> 
> >
> > Didn't we already *have* this flamewar recently?
> 
> Well, that time, it was generally assumed that Debian won't take
> active measures to hide problems from its users.  This is no longer
> the case.

Oh dear.  Let's look at this logically shall we?

There are two possible things we can do.  

We can respect the confidentiality of advance notice for security
vulnerabilities that are not in the wild.  In this case we have the chance
to build and test packages which fix the vulnerability before the exploit
is reported to the wild.  This means that it is (say) a week or maybe two
before the world gets to hear about a potential exploit.  The standard rule
is that as long as it is relatively certain that the exploit is not known in
the wild then the privacy of the advance notice is maintained.  This gives
everyone a chance to fix it before the bad guys hear of it.

Alternatively we could announce the vulnerability to the world the second
we hear of it.  If we start to do that then we will no longer get that week
or two week period to make fixed packages available, so we will hear about
it perhaps two weeks after the other security teams have...and we only get
to hear of it at the same time as our users do.

What this MEANS is that our users get not one single day's difference as to
when they hear of a problem....we (well, Debian security team, so not me
personally) just don't get those few days advance notice to have a fix
prepared.

> 
> > This is the way it is with security, it is that way for some very good
> > reasons.
> 
> It's the current way with security, and this way is fundamentally
> flawed.  I'm sad that Debian now supports this process actively, even
> though it requires breaking the Social Contract (at least its spirit).
> 

I fail to see how it is flawed.  You have not provided a convincing
argument.  Stop thinking of it as "hiding bugs" and start thinking of it as
"being good citizens of the security community so we can better serve our
users".


> > We either accept it, or we don't *get* the advance notice and chance
> > to release security updates.  That *would* conflict with our social
> > contract as it would most definitely *not* be looking after the best
> > interests of our users.
> 
> Maybe we should poll our users if they want to have Sun Java in main?

I fail to see how this is even remotely relevant.  The reason that J2SE is
not in Debian is legal...we should NOT agree to indemnify Sun against some
unspecified third party suing them.  It has nothing whatsoever to do with
the issue at hand.  Have you actually read the J2SE license?

Stephen

