
Re: The New Security Build Infrastructure



On Wed, Jun 19, 2002 at 02:28:21PM +0100, Scott James Remnant wrote:
> Florian Weimer wrote:
> 
> > Stephen Stafford <stephen@clothcat.demon.co.uk> writes:
> > 
> > >> By the way, handling security updates this way conflicts more and more
> > >> with the Social Contract in its current form.
> > >> 
> > >
> > > Didn't we already *have* this flamewar recently?
> > 
> > Well, that time, it was generally assumed that Debian won't take
> > active measures to hide problems from its users.  This is no longer
> > the case.
> > 
> I don't think we should hide problems.
> 
> If there's a potential exploit for a server, I want to know about it as
> soon as the developers do so I can shut down that server until they come
> up with a fixed version.
> 
> Just because there isn't a fixed version yet, does not mean that there
> isn't a fairly knowledgeable hacker who's managed to exploit it.
> 
> My 2p, anyway.

People seem to have missed the point that if the problem shows up *anywhere
else* - specifically, "immediate release" lists such as BugTraq - Debian is
permitted to publish fixed packages and information on the exploit, because
it's already public.

In practice, something like 90%+ of exploits seen "in the wild" are posted
to BugTraq within hours, because anything seen "in the wild" is considered
to be fair game for public notice.

Or, in other words, if hackers are using it actively enough to be more than
the remotest of threats... Debian can put out fixed packages. Even as the
policy stands now. This is *why* I asked the questions I did, in the prior
incarnation of the thread - to make sure this was the case.
-- 
***************************************************************************
Joel Baker                           System Administrator - lightbearer.com
lucifer@lightbearer.com              http://users.lightbearer.com/lucifer/

