Re: Bug#752450: ftp.debian.org: please consider to strongly tighten the validity period of Release files

Christoph Anton Mitterer <calestyo@scientia.net> writes:

> Even apart from the above problems, I doubt that mail is the appropriate
> mean for many admins to get notified about security upgrades.

If you don't read the mail, you're going to miss some really vital
information, like packages that we are no longer supporting.  I am very
much opposed to giving people the impression they can just monitor the
security archive and not read the DSAs.

> To be honest, it's really awkward to see how much all this is apparently
> fought against.

I don't think people are fighting against you.  I think people are
unconvinced that all of the machinery that you want to put in place is
worth it for some pretty marginal and esoteric security gains compared to
all the other things that they could be working on.  And, on top of that,
you argue for them by writing encyclopedic tomes that are kind of hard to

Also, most of the people responding to you are not people who have the
power to implement the changes you want.

I don't know that you're going to like this advice, and I know it's kind
of unsatisfying, but you keep picking up causes that are structured so as
to require people other than you to go do work.  Can you find a solution
to one of these security issues that you see that you can just fix
yourself?  Like, in this case, a better tool for monitoring security
status of packages?

There is *way* more to be done in Debian than we can ever possibly
accomplish, particularly in the security arena.  People are prioritizing.
You get to pick your own priorities, but so does everyone else.  Your
priorities aren't in line with the people who have to make the changes you
want to see.  That's super frustrating, but that doesn't mean they're
obligated to change their priorities.  There are limited hours in the day;
some very good ideas are not going to get done.  If you are getting
frustrated by being blocked on other people... work on things that don't
block on other people.  After you do some of that, you'll often find that
other people are more willing to jump into shared projects with you.

>> I've run such production system clusters for many years now, and the
>> machinery and tools that you need to have in place to ensure that you
>> actually pushed out the security update to all systems will also
>> trivially catch downgrade attacks of the type that you're describing.

> I really wonder how you can do that with the above means.

I read the mailing list.  In practice, it works fine.

Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>
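The check Russ describes in the quoted paragraph (confirming that the version an advisory says is fixed actually reached every host, which flags a stale or downgraded host as a side effect) as a small added example. This is not Russ's own tooling and not Debian project code; the host names, the inventory snapshots and the "expected" versions are constructed sample data, and the version comparison is written here from scratch following the dpkg ordering rules (epoch, then upstream version, then Debian revision, with `~` sorting before everything).

```python
"""Added example: flag hosts whose installed package version is older than
what a security advisory requires, and hosts whose reported version went
backwards between two inventory runs.  All data below is constructed."""
import re
from typing import Dict, List, Tuple

Inventory = Dict[str, Dict[str, str]]   # host -> {package: installed version}


def _split(version: str) -> Tuple[int, str, str]:
    """Split '[epoch:]upstream[-revision]' into its three parts."""
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    if "-" in version:
        upstream, rev = version.rsplit("-", 1)
    else:
        upstream, rev = version, ""
    return epoch, upstream, rev


def _order(c: str) -> int:
    # dpkg ordering for non-digit characters: '~' sorts before everything,
    # including the end of the string; letters before non-letters.
    if c == "~":
        return -1
    if c == "":
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_fragment(a: str, b: str) -> int:
    """Compare upstream versions or revisions: alternate non-digit runs
    (character by character with dpkg's ordering) and digit runs (numeric)."""
    while a or b:
        ad = re.match(r"[^0-9]*", a).group(0)
        bd = re.match(r"[^0-9]*", b).group(0)
        a, b = a[len(ad):], b[len(bd):]
        while ad or bd:
            d = _order(ad[:1]) - _order(bd[:1])
            if d:
                return -1 if d < 0 else 1
            ad, bd = ad[1:], bd[1:]
        an = re.match(r"[0-9]*", a).group(0)
        bn = re.match(r"[0-9]*", b).group(0)
        a, b = a[len(an):], b[len(bn):]
        d = int(an or 0) - int(bn or 0)
        if d:
            return -1 if d < 0 else 1
    return 0


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 like dpkg --compare-versions would order a and b."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)


# Constructed inventory snapshots (what a fleet-wide "dpkg -l" collector
# might report on two consecutive runs) and constructed advisory targets.
PREVIOUS: Inventory = {
    "web1": {"openssl": "1.0.1e-2+deb7u11", "bash": "4.2+dfsg-0.1+deb7u3"},
    "web2": {"openssl": "1.0.1e-2+deb7u11", "bash": "4.2+dfsg-0.1+deb7u3"},
    "db1":  {"openssl": "1.0.1e-2+deb7u11", "bash": "4.2+dfsg-0.1"},
}
CURRENT: Inventory = {
    "web1": {"openssl": "1.0.1e-2+deb7u11", "bash": "4.2+dfsg-0.1+deb7u3"},
    "web2": {"openssl": "1.0.1e-2+deb7u10", "bash": "4.2+dfsg-0.1+deb7u3"},
    "db1":  {"openssl": "1.0.1e-2+deb7u11", "bash": "4.2+dfsg-0.1"},
}
EXPECTED: Dict[str, str] = {"openssl": "1.0.1e-2+deb7u11",
                            "bash": "4.2+dfsg-0.1+deb7u3"}


def find_stale_hosts(fleet: Inventory, expected: Dict[str, str]) -> List[Tuple[str, str, str, str]]:
    """(host, package, installed, required) for every host still running a
    version older than the advisory's fixed version.  A host that was
    downgraded after being patched shows up here exactly like one that was
    never patched, which is the point Russ makes above."""
    findings = []
    for host, pkgs in sorted(fleet.items()):
        for pkg, fixed in sorted(expected.items()):
            installed = pkgs.get(pkg)
            if installed is None:
                continue        # package not installed: nothing to patch
            if compare_versions(installed, fixed) < 0:
                findings.append((host, pkg, installed, fixed))
    return findings


def detect_regressions(previous: Inventory, current: Inventory) -> List[Tuple[str, str, str, str]]:
    """(host, package, before, now) where a reported version moved backwards
    between runs; from the monitoring side this is what a downgrade looks like."""
    regressions = []
    for host, pkgs in sorted(current.items()):
        for pkg, now in sorted(pkgs.items()):
            before = previous.get(host, {}).get(pkg)
            if before is not None and compare_versions(now, before) < 0:
                regressions.append((host, pkg, before, now))
    return regressions


if __name__ == "__main__":
    for f in find_stale_hosts(CURRENT, EXPECTED):
        print("STALE     %s %s: have %s, need %s" % f)
    for r in detect_regressions(PREVIOUS, CURRENT):
        print("REGRESSED %s %s: was %s, now %s" % r)
```

The first check only needs the advisory's fixed version and the current inventory; the second needs the previous run kept around, which is the extra bit of state a fleet-monitoring job has anyway once it records what it saw last time.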
