[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Bits (Nybbles?) from the Vancouver release team meeting

Matthew Palmer wrote:
> But a DSA *is* the first highly visible announcement that *Debian* is
> affected.  A general "this is a problem" announcement might make the
> crackers cackle with glee, but a DSA with a "m68k, mips, and arm updates
> will be forthcoming in a week or so" is a signal to brush off that list of
> Debian boxes running the relevant arches you had been quietly collecting for
> a couple of months.

Come on, this is a non-issue:
The huge majority of remotely exploitable security bugs are related to
stack or heap overflows. Anyone clever enough to write specific exploits
for fringe architectures (as using the usual "might work on Fedora/i386"
PoC exploits posted to full-disclosure will not suffice) will have no
problems to deduce whether Debian is affected once the initial advisory
from distributions with a more relaxed security process is available
(such as Gentoo).

In the contrary I assume that currently the security mechanism for
alls archs is hindered by the fact that the slowest arch sets the pace.
There has been a XSF-SVN commit for the latest libxpm vulnerability some
days ago, which hasn't culminated into a DSA yet. How long does an
xfree86 build take on arm, mips or m68k? 


Reply to: