[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: What can Debian do to provide complex applications to its users?

On Sun, Feb 18, 2018 at 11:47:52PM +0100, Vincent Bernat wrote:
>  ❦ 18 février 2018 23:53 +0200, Adrian Bunk <bunk@debian.org> :
> >> Who said we cannot properly maintain this stuff? And where do you
> >> think our expected level of quality (whatever that is) will not be
> >> reached?
> >
> > In the year 2018, any kind of "properly maintain" includes security support.
> >
> > Please elaborate how Debian can provide security support for packages 
> > like gitlab and all their dependencies in buster until mid-2022.
> >
> > If Debian cannot provide security support for the lifetime of a stable 
> > Debian release, it is better for our users when they are installing the
> > software from upstream with the security support provided by upstream.
> Debian is not only about security support. We provide packages without
> security support. We also have backports that come without security
> support either. This is still better than installing random packages
> made by random people which may or may not integrate properly into
> Debian.

The software might integrate properly into Debian - and allow everyone 
on the internet to take control of your computer.

On the server side we are talking about software like Node.js or gitlab.

On the desktop side the MUA that comes with our default desktop renders
HTML emails using a web engine that is not security supported by Debian.

An example what "no security support" means in practice:

If you are running Debian stable and haven't yet installed the
LibreOffice security updates Debian published a few days ago,
then opening a document is sufficient to make LibreOffice silently
send your gpg and ssh private keys to whatever server the author
of that document wants - no dialog, no warnings, you won't notice.

If Debian would provide LibreOffice without security support,
how many of our users would have been aware of this problem?



       "Is there not promise of rain?" Ling Tan asked suddenly out
        of the darkness. There had been need of rain for many days.
       "Only a promise," Lao Er said.
                                       Pearl S. Buck - Dragon Seed

Reply to: