Re: Proposal for new Security subsection for non-US
On Sat, Jun 22, 2002 at 12:21:12AM -0500, Steve Langasek wrote:
> Hello Matthew,
> I'm glad to see others thinking along the same lines. However,
> precisely because of the nature of the issues surrounding such packages
> -- the need for frequent updates even when running stable, the fact that
> this data should *not* be shipped on CDs, the relatively small mirror
> requirements -- I believe such a repository for definition files could
> thrive outside of the main Debian archive network. I'm also rather
> confident that, at least initially, it will be a lot *easier* to
> implement this outside of the main Debian archive network. Debian is
> effective at a lot of things, but when you start talking about IDS
> updates, you really want something a little more flexible and a little
> less process-laden. ;)
> On Sat, Jun 22, 2002 at 03:55:46PM +1200, Matthew Grant wrote:
> > o Updating vulnerability databases does not work as generally the new
> > data on the 'Net is no longer compatible with the binaries in stable.
> > o New versions have new detection algorithms, capabilities, and
> > methodologies that are needed to deal with current and serious threats.
> I would hesitate to endorse providing Debian packages for such security
> software if the binaries themselves really need to be updated that
> frequently. Where binaries can be provided and managed through the
> normal unstable->testing->stable system -- complete with security
> updates from our world-class security team -- I think having
> asynchronous updates to definiton files is a great boon; but where the
> programs have to be updated frequently to remain useful, I would argue
> that the software is simply not mature enough to receive the Debian seal
> of approval at all.
> Thus, the responsibilities of the maintainers of such an archive would
> not be to backport the software to stable, but to backport the
> definition files to stable.
I would think of using xdelta, or similar to distribute changes as
binary patches, since there could be a real server overload when a few
hundred administrators and mere people start downloading the brand new
definitions simultaneously. What about a public rsync? Maybe a usual
announce mailing list?
In my opinion, a package created ten minutes ago can't go into stable.
Even if it is a simple virus/worm/blacklist/... definition. Bugs can crawl
anywhere. Therefore, I don't think the proposed type of packages can
ever be a part of stable. I guess it should be like: use unstable for
just those packages, and stable for all the rest.
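The delta-distribution idea raised above, as an added illustration that is not code from this thread or from any Debian tool: a toy block-level patch format in the spirit of xdelta, where the client downloads only the blocks of a definition file that changed. The base and target SHA-256 digests in the patch are an assumption of the example; they are what lets a client refuse a patch meant for a different base file (the "new data no longer compatible" problem mentioned earlier) and reject a corrupted result. The sample blacklist is constructed. Real deployments would use xdelta or rsync and a signature over the announced digest; both are outside this example.

```python
"""Toy block-level delta for shipping definition-file updates (added example)."""
import hashlib
import json

BLOCK = 64  # fixed block size for the toy; real delta tools use variable-length matches


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_delta(old: bytes, new: bytes) -> dict:
    """Describe `new` as copies of blocks from `old` plus literal bytes."""
    # Index every block of the old file by its digest (first occurrence wins).
    old_index = {}
    for off in range(0, len(old), BLOCK):
        old_index.setdefault(sha256_hex(old[off:off + BLOCK]), off)

    ops = []
    for off in range(0, len(new), BLOCK):
        chunk = new[off:off + BLOCK]
        src = old_index.get(sha256_hex(chunk))
        # Compare the bytes too, so a digest collision can never corrupt the output.
        if src is not None and old[src:src + len(chunk)] == chunk:
            ops.append(["copy", src, len(chunk)])
        else:
            ops.append(["literal", chunk.hex()])
    # Digests of both files are assumed to travel with the patch (example design).
    return {"base_sha256": sha256_hex(old), "target_sha256": sha256_hex(new), "ops": ops}


def apply_delta(old: bytes, delta: dict) -> bytes:
    """Rebuild the target file; refuse wrong bases and corrupted results."""
    if sha256_hex(old) != delta["base_sha256"]:
        raise ValueError("patch does not apply to this base file")
    out = bytearray()
    for op in delta["ops"]:
        if op[0] == "copy":
            _, src, length = op
            out += old[src:src + length]
        else:
            out += bytes.fromhex(op[1])
    result = bytes(out)
    if sha256_hex(result) != delta["target_sha256"]:
        raise ValueError("rebuilt file does not match the announced digest")
    return result


def applies_cleanly(old: bytes, delta: dict) -> bool:
    """True if the patch applies to `old` and yields the announced target."""
    try:
        apply_delta(old, delta)
        return True
    except ValueError:
        return False


def delta_size(delta: dict) -> int:
    """Bytes a client would download for the patch (JSON wire form)."""
    return len(json.dumps(delta).encode())


# Constructed sample: a 200-entry host blacklist, then one changed line and three additions.
OLD_DEFS = b"".join(b"badhost%04d.example.invalid\n" % i for i in range(200))
NEW_DEFS = OLD_DEFS.replace(b"badhost0050", b"evilhost050") + b"".join(
    b"badhost%04d.example.invalid\n" % i for i in range(200, 203))

if __name__ == "__main__":
    d = make_delta(OLD_DEFS, NEW_DEFS)
    print("full file:", len(NEW_DEFS), "bytes; patch:", delta_size(d), "bytes")
    assert apply_delta(OLD_DEFS, d) == NEW_DEFS
```

Because only the two blocks around the edited line and the blocks past the old end of file are sent literally, the patch is a fraction of the full file; the base-digest check is what keeps a mirror or a stale client from silently producing a definition file that never existed.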