
Re: Some myths regarding apt pinning



On Sat, Jan 25, 2003 at 12:39:32AM -0800, Osamu Aoki wrote:

> Hi,

Hi,

> Thank you for your interesting review of apt pinning and its security
> implications.  I think the real myth is "novice user can *upgrade*
> system to the *latest* unstable distribution by apt-get."
> 
> I saw many inexperienced users try to *upgrade* to the unstable and
> getting into major trouble.  I think advocating the use of apt pinning is
> useful to reduce their pains.
>...

If _you know what you are doing_ you can use testing, you can use 
unstable, and you can use apt pinning.

I'm currently subscribed to the German Debian user list and it happens 
that people tell _novice users_ things like:

  Yes, Debian stable is horribly outdated, but with apt pinning you get
  the latest software.

A user who doesn't really know what he's doing should _never_ leave 
stable.

> If upgrades of libc6, Perl and Python are a threat to the system, certainly
> apt pinning is not for those systems.  I thought the standard procedure
> for this type of environment is:
> 
> 1. Put deb-src for unstable and/or testing
> 2. Use stable or testing environment
> 
>       # apt-get build-dep randompackage
>       # apt-get source -b randompackage
> 
> That is what I recommend in my reference for the servers if one has some
> compelling reasons to install a new version.

Been there, done that.

It often works and it's a better alternative to pinning since it doesn't
pull that many packages. But the older stable becomes, the more 
packages have build dependencies on things like perl (>= 5.8),
python (>= 2.2), g++ (>= 3:3.2.1) or debhelper (>= 4.0.9). It's not 
impossible to work around these build dependencies to backport such a 
package to stable, but it is far beyond the knowledge of the average user.

>...
> Good point.  This tells us that the servers placed on Internet need to
> follow your guidance of using stable/security.  There is no argument on
> this end.
> 
> But for most workstations, how fanatical do we have to be about keeping
> our system secure by simply installing security patches, which are
> usually buffer overflow fixes?  These risks can be minimized by setting
> up a firewall and turning off risky services.  I also think that without
> other care, the system will be insecure even with the latest secured
> packages.  Browsers and mail clients can be at risk but they are usually
> run as a normal user, so the damage is limited in GNU/Linux.  

If an attacker has broken into a user account there are _many_ ways 
to get root access (e.g. alias "su" to something else and wait until the 
user calls it the next time).

> For all those new GNOME and KDE apps, I feel safer using the newer
> version since it has been out in public for a shorter time, which makes
> it less likely to be exploited, assuming both versions have the same
> number of bugs.  If you are fanatical about exploits, we should not be
> using these applications anyway :-)  But aren't they pretty. 
>...

You know what you are doing.

If someone else wants to run unstable because he says he learns a lot 
about his system while trying to cope with the breakages, he knows what 
he's doing, too.

But it's really wrong if people tell novice users to use apt pinning to 
get more recent software.

cu
Adrian

-- 

       "Is there not promise of rain?" Ling Tan asked suddenly out
        of the darkness. There had been need of rain for many days.
       "Only a promise," Lao Er said.
                                       Pearl S. Buck - Dragon Seed
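The "upgrade to unstable by accident" myth that opens the thread, the "-t unstable drags libc6 along" point, and the question of what a pin actually does can all be seen by replaying apt's candidate-version selection by hand. The following is an added illustration, not part of this thread and not apt's own code: it models the rules documented in apt_preferences(5) (the target release gets priority 990, other releases 500, the installed version 100; nothing below 1000 downgrades; ties go to the higher version) and reimplements dpkg's version ordering. The archive, the two "installed" boxes and every version string in it are constructed for the example and are not exact Debian contents; `apt-get -t unstable` is modelled as making unstable the target release for that run, and explicit `Pin: release a=...` stanzas are modelled as a dict that overrides the default per-release priorities. Dependency resolution is deliberately not modelled.

```python
# Replay of apt's candidate selection under pinning (added example, not apt's code).
# Rules follow apt_preferences(5); version ordering follows dpkg --compare-versions.
# All data below is constructed for illustration.

# Constructed archive: package -> [(version, release), ...]
ARCHIVE = {
    "libc6":    [("2.2.5-11", "stable"), ("2.3.1-10", "unstable")],
    "perl":     [("5.6.1-8", "stable"),  ("5.8.0-18", "unstable")],
    "gnumeric": [("1.0.4-1", "stable"),  ("1.1.16-1", "unstable")],
}
RELEASES = ("stable", "unstable")

# A box that has only ever tracked stable ...
INSTALLED_STABLE = {"libc6": "2.2.5-11", "perl": "5.6.1-8", "gnumeric": "1.0.4-1"}
# ... and one where gnumeric was once installed with `apt-get -t unstable`
# (1.1.15-1 is the constructed unstable version of that day; unstable has moved on).
INSTALLED_MIXED = {"libc6": "2.2.5-11", "perl": "5.6.1-8", "gnumeric": "1.1.15-1"}


def _order(c):
    """dpkg character order: '~' < end of string < letters < everything else."""
    if c == "~":
        return -1
    if c == "":
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256


def _cmp_fragment(a, b):
    """Compare an upstream version or a revision like dpkg: alternate
    non-digit runs (character by character) and digit runs (numerically)."""
    i = j = 0
    while i < len(a) or j < len(b):
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ca = a[i] if i < len(a) and not a[i].isdigit() else ""
            cb = b[j] if j < len(b) and not b[j].isdigit() else ""
            if _order(ca) != _order(cb):
                return _order(ca) - _order(cb)
            i += 1 if ca else 0
            j += 1 if cb else 0
        da = db = ""
        while i < len(a) and a[i].isdigit():
            da, i = da + a[i], i + 1
        while j < len(b) and b[j].isdigit():
            db, j = db + b[j], j + 1
        if int(da or 0) != int(db or 0):
            return int(da or 0) - int(db or 0)
    return 0


def _split(v):
    """Split 'epoch:upstream-revision'; epoch defaults to 0, revision to ''."""
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def vercmp(a, b):
    """Negative if a < b, 0 if equal, positive if a > b (dpkg ordering)."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return ea - eb
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)


def priorities(target=None, pins=None):
    """Pin priority per release: 990 for APT::Default-Release (or `-t`), 500 otherwise.
    `pins` models explicit 'Pin: release a=<name>' stanzas and overrides the defaults."""
    prio = {rel: 990 if rel == target else 500 for rel in RELEASES}
    prio.update(pins or {})
    return prio


def candidate(pkg, installed, prio):
    """Return (version, release) apt would select as the candidate for pkg."""
    choices = [(prio[rel], ver, rel) for ver, rel in ARCHIVE[pkg]]
    if installed:
        choices.append((100, installed, "installed"))  # installed version competes at 100
    best = None
    for p, ver, rel in choices:
        if p < 0:                                       # negative pin: never installable
            continue
        if installed and p < 1000 and vercmp(ver, installed) < 0:
            continue                                    # only priority >= 1000 downgrades
        if best is None or p > best[0] or (p == best[0] and vercmp(ver, best[1]) > 0):
            best = (p, ver, rel)                        # higher priority, then higher version
    return (best[1], best[2]) if best else None


def candidates(prio, installed):
    """Candidate for every archive package on a box with the given installed versions."""
    return {pkg: candidate(pkg, installed.get(pkg), prio) for pkg in ARCHIVE}


def upgrades(prio, installed):
    """Installed packages a plain `apt-get upgrade` would replace."""
    return sorted(pkg for pkg in installed
                  if candidate(pkg, installed[pkg], prio)[0] != installed[pkg])


if __name__ == "__main__":
    cases = [
        ("stable + unstable in sources.list, no Default-Release", priorities(), INSTALLED_STABLE),
        ('APT::Default-Release "stable"', priorities("stable"), INSTALLED_STABLE),
        ("apt-get -t unstable (unstable is the target for this run)", priorities("unstable"), INSTALLED_STABLE),
        ("Default-Release stable, gnumeric once taken from unstable", priorities("stable"), INSTALLED_MIXED),
        ("same, plus 'Pin: release a=unstable' at priority 50", priorities("stable", {"unstable": 50}), INSTALLED_MIXED),
    ]
    for label, prio, installed in cases:
        print(f"{label}:")
        for pkg, (ver, rel) in candidates(prio, installed).items():
            print(f"  {pkg:9} installed {installed[pkg]:9} candidate {ver:9} ({rel})")
        print(f"  apt-get upgrade would replace: {upgrades(prio, installed) or 'nothing'}")
```

Run stand-alone it prints the five cases. With both releases at the default 500, every candidate is the unstable version, so a routine `apt-get upgrade` is the accidental upgrade to unstable that Osamu describes. With `APT::Default-Release "stable"` nothing moves until `-t unstable` is used, but for that run unstable's libc6 and perl are candidates too, which is how a single `-t unstable install` can drag them in through dependencies. A package once taken from unstable keeps tracking unstable afterwards (gnumeric goes on to 1.1.16-1), and only an explicit pin below 100 on unstable stops that. `vercmp` also shows why stable's perl 5.6.1-8 cannot satisfy a `perl (>= 5.8)` build dependency.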


