
Re: security in testing



On Fri, May 16, 2003 at 12:01:54PM +0200, Gerfried Fuchs wrote:
> [Removed debian-private from Cc-List, there is *no* need to duplicate
>  the thread there]
> 
> On Fri, May 16, 2003 at 07:58:44AM +0200, Sven Luther wrote:
> >   2) a way for people for which stable is too outdated to run more
> >      advanced software, without suffering from the breakages of unstable.
> >      By saying this we clearly imply that it is better to run testing
> >      than unstable.
> 
>  Sure, but we _still_ tell people that care for security *to run
> stable*.  No one was ever told that unstable is secure and should be used
> for critical services....

Sure, but the main point is that unstable is better security-wise than
testing, and very much so. If a security problem appears in unstable, it
is often because it was only discovered recently, and upstream at least
will care enough to fix it quickly, or maybe the maintainer will take
action, or even the security team can help some when it does the stable
security fix, be it only by informing the maintainer about the problem.

So a security hole in unstable offers potential attackers a much smaller
window of opportunity to exploit it, while such security holes in testing
remain there for weeks or months, and we even document them so potential
attackers have an easy time exploiting them.

> >      Sure, this was before we had time to test testing,
> >      and before we became aware of the big stalls implied, and the fact
> >      that security-wise testing is worse than unstable.
> 
>  And still, unstable _is_ bad according to security. We do NOT encourage

Sure, but orders of magnitude less so than testing.

> people to run unstable for secure machines, so why do you think that
> telling people to rather use testing than unstable for not-secure things
> is a bad idea? Just take the long time that the kde2 package in unstable
> were still vulnerable because their maintainers thought that kde3 will
> make it soon into unstable (or whatever the real reason was -- the
> reason doesn't really matter, so don't pin me down on that).

Yes, unstable has the same problem, but well, it is unstable, and again,
the window of opportunity is less so. Also, if the maintainer wanted, he
could fix the problem easily enough, while for testing, although it seems
to be possible, I bet most of the maintainers were not aware of it,
and it needs the intervention of the RM anyway.

> > This second goal is today a total failure,
> 
>  I don't think so.  Security was never part of that second goal.

Maybe, but then I tried running testing instead of unstable on my work
box some time back, and encountered more problems than with unstable.
Also, the lack of new packages makes running testing not worth the
trouble.

> > I still think that the second goal can be achieved. Probably the fact to
> > use testing-proposed-update for security and RC bugs would be enough, I
> > don't know, only experience will tell.
> 
>  Some people stepping forward to do actual work on that part would be
> needed, then it might be enough. People repeating the same phrases and
> accuses over and over again are not enough, though.

Yes, but before someone steps forward and does this, a consensus needs to be
found on what to do, the RM at least has to green-light it, and it
should be announced on debian-devel-announce so all the maintainers are
aware of it and the rules that apply to doing it.

All the rest is just maintaining the status quo, while making it more
difficult for people wanting to change things to do it or even attain
consensus on the best way to do it.

Friendly,

Sven Luther


