Re: Why back-porting patches to stable instead of releasing a new package.



On Sat, Aug 16, 2003 at 10:44:17AM -0400, Matt Zimmerman wrote:
> On Sat, Aug 16, 2003 at 12:45:14AM -0400, Andrew Pimlott wrote:
> 
> > Have you perhaps seen
> > 
> >     http://lwn.net/Articles/44117/
> 
> "Subscription required"

Sorry, I posted some alternate links in another message.

> > Debian's policy assures that all well-publicized
> > bugs get patched, but that doesn't mean that others don't slip through the
> > cracks.
> 
> As compared to what policy, exactly?  There exists no policy which can
> defend against unknown bugs.  Period.

The policy of fixing bugs regardless of whether they are known to be
security holes.  I know many people will dismiss this possibility
out of hand, and it would be a challenge (mostly in enforcing a
bug-fix-only restriction), but I think the result would be
significantly more secure and only slightly less stable.

> > A capable cracker targeting a Debian stable system has a simple algorithm:
> > browse upstream changelogs for closed holes that weren't publicized.
> 
> Show me a distribution where that _doesn't_ apply.  This is the reality of
> security.  If you can't afford to audit everything, you rely on others to
> own up to their bugs.

Yes, but I'm saying we shouldn't rely on upstream, or even the
Debian maintainer, to distinguish security-related bugs.  Then, at
least the cracker would have to find his own holes.

> > [1] Actually, I know of one about which I am communicating with the
> > maintainer.
> 
> ...but not the security team, apparently.

I thought it would be better to let the maintainer handle this, but
if I don't hear from him soon, I will inform the security team
myself.  As the bug has existed since woody was released, I don't
think it is urgent.

Andrew
