Re: Why back-porting patches to stable instead of releasing a new package.
On Sat, Aug 16, 2003 at 10:56:35AM -0400, Andrew Pimlott wrote:
> On Sat, Aug 16, 2003 at 10:44:17AM -0400, Matt Zimmerman wrote:
> > As compared to what policy, exactly? There exists no policy which can
> > defend against unknown bugs. Period.
>
> The policy of fixing bugs regardless of whether they are known to be
> security holes. I know many people will dismiss this possibility out of
> hand, and it would be a challenge (mostly in enforcing a bug-fix-only
> restriction), but I think the result would be significantly more secure
> and only slightly less stable.
So if maintainers prepare thoughtful updates for stable, with clear and
documented changes which fix real bugs and nothing more, then we should
accept them into stable?
That is what proposed-updates is. Most maintainers don't use it.
> > Show me a distribution where that _doesn't_ apply. This is the reality
> > of security. If you can't afford to audit everything, you rely on
> > others to own up to their bugs.
>
> Yes, but I'm saying we shouldn't rely on upstream, or even the Debian
> maintainer, to distinguish security-related bugs. Then, at least the
> cracker would have to find his own holes.
For almost every bug we have fixed in woody, even if we had somehow pushed
every upstream change into stable since it was released, we would still have
been vulnerable. Security researchers, of all kinds, can and do find new
bugs all the time.
> > ...but not the security team, apparently.
>
> I thought it would be better to let the maintainer handle this, but if I
> don't hear from him soon, I will inform the security team myself. As the
> bug has existed since woody was released, I don't think it is urgent.
The urgency of a bug does not, in general, bear any direct relationship to
its age. Consider the local root vulnerabilities in the kernel which
existed from 2.2 through 2.4. If the bug is significant enough to warrant a
fix in stable, please send a note to team@security.debian.org with the
details.
--
- mdz