
Re: xz backdoor



Christian Kastner <ckk@kvr.at> writes:

> This is both out of convenience (I want my workstation to be based on
> stable) and precisely because of the afforded isolation.

I personally specifically want my workstation to be running unstable, so
I'm watching to see if that's considered unsafe (either, immediately,
today, or in theory, in the future).

If I have to use a stable host, I admit I will be sad.  I've been using
unstable for my personal client and development (not server, never
exposing services to the Internet) systems for well over a decade (and,
before that, testing systems for as long as I've been working on Debian)
and for me it's a much nicer experience than using stable.  It also lets
me directly and practically dogfood Debian, which has resulted in a fair
number of bug reports.

(This is an analysis specific to me, not general advice, and relies
heavily on the fact that I'm very good at working around weird problems
that transiently arise in unstable.)

But this does come with a security risk because it means a compromised
package could compromise my system much faster than if I were using
testing or, certainly, stable.  That's not a security trade-off that I can
responsibly make entirely for myself, since it affects people who are
using Debian as well.  So I don't get to have the final decision here.

-- 
Russ Allbery (rra@debian.org)              <https://www.eyrie.org/~eagle/>
