
Re: Debian 3.0r1



On Thu, Jul 25, 2002 at 08:07:03PM +0200, Martin Schulze wrote:
> Russell Coker wrote:
> > I believe that the principle of only fixing security bugs in point releases
> > is best upheld by allowing new packages that provide extra security features
> > to be added.
> 
> Nice try Russell, but as far as I know, the SE Linux kernel is neither
> the default kernel on a Debian system nor do all regular Debian

Russell's point wasn't so much that the newest version of SE-Linux needs
to replace the old obsolete version of SE-Linux already in woody. You
are quite right, SE-Linux is still experimental, and the fact that
the version in woody is not recommended for use any more isn't really
important. If only because SE-Linux isn't really usable in unstable
yet either (not until it gets ported to non-i386).

However, there is security software that is non-experimental in nature
that is already in woody.

eg. amavis, scannerdaemon and clamav.

If these packages are not kept up-to-date on users' systems, then the
result could be that a new virus gets into (or perhaps even worse: out
of) a site's computer network due to a minor bug in one of the programs
that prevents it from checking for viruses properly (and yes, I have
already discovered and worked around several of these types of bugs,
although I don't know if woody was affected... Not to mention the virus
database in woody is static and already obsolete, but in unstable you
get the option to automatically download the latest version).

> packages interact with it properly.  Hence, with the argument of above

Just for the record (although this is getting off-topic for this
thread), it is not so much a point of "packages not interacting properly
[with SE-Linux]", you could install SE-Linux without any changes to
other packages. It would be slightly difficult though, as you won't be
able to check the domain of processes with ps, won't be able to check
the label of files with stat, and the label for user level processes
would have to be static, and cannot be different for different users
(reason why login, ssh, {x,k,g}dm need to be altered). Still, this might
be adequate for some simpler setups (eg. dedicated firewalls/gateways).

> you just tried to lead the user to false assumptions by implying that
> including selinux would make the release more secure, while it isn't
> even compiled for all 11 architectures.  *cough* Do I need to say
> more?

Then it is OK to have packages in woody that both the maintainer and
upstream authors recommend you should not use, e.g. because the version
in woody is old, obsolete, and contains numerous potential security
fixes?

Even though this software is still experimental and the change won't
affect any *real* users?
-- 
Brian May <bam@debian.org>

