Re: Bits (Nybbles?) from the Vancouver release team meeting

On Mon, Mar 14, 2005 at 06:53:14PM -0600, John Goerzen wrote:
> On Tue, Mar 15, 2005 at 11:46:51AM +1100, Matthew Palmer wrote:
> > On Mon, Mar 14, 2005 at 04:27:50PM +0100, Matthias Urlichs wrote:
> > > If I had to think of a rationale for it, the only one I could think of
> > > would be "the architecture needs to be fast enough not to block security
> > > updates".
> > > 
> > > However, I consider an update whose $ARCH binaries are released a week
> > > later not to be a problem. 
> > 
> > I think a lot of users would consider it a problem.  Imagine, would you be
> > happy with a highly visible public announcement of every vulnerability
> > against your servers, a week before you got the fix?
> If I'm running m68k, I probably wouldn't care so much, and besides --
> Debian security announcements are rarely the first highly visible
> public announcement of a vulnerability.

But a DSA *is* the first highly visible announcement that *Debian* is
affected.  A general "this is a problem" announcement might make the
crackers cackle with glee, but a DSA with a "m68k, mips, and arm updates
will be forthcoming in a week or so" is a signal to brush off that list of
Debian boxes running the relevant arches you had been quietly collecting for
a couple of months.

It may not be a plausible scenario, considering that the vast majority of
attacks are very dumb automated "scan the bejesus out of everything" type
things, but it just feels to me like we'd be doing a little too much of the
bad guys' work for them.

- Matt