Re: Support for insecure applications

On Fri, 2021-02-12 at 14:40 +0100, Ola Lundqvist wrote:

> The discussion is more or less whether packages should be allowed in
> Debian in the first place. This should be discussed on some general
> mailinglist, like debian-devel or debian-project. LTS cannot put
> restrictions on what should enter Debian in general.

Agreed, I encourage the team to start that discussion.

> But most software can actually be quite badly written and this is not
> a problem from a security standpoint.

In an increasingly networked world it is hard to have poorly written
software that doesn't interact with untrusted data at some point.

> If the user uses insecure software in the right way it can work just
> fine. For example if you are using a text editor to write your own
> software that editor can have all sort of software problems without
> causing a security issue.

In a world where people are cloning git repositories from strangers and
loading the code locally, poorly written text editors can theoretically
become security liabilities.

> In many cases it is better to have some software that fits your
> purpose even though it is not the best from a security point of
> view.
> I maintained Vnc (version 3) for many years. Vnc (3) was not in any
> way secure, at least it was not in the beginning. However with decent
> firewalls around your network this is not really an issue.

We need more sandboxing and other ways to use poorly written software
that avoid their potential for security liabilities.
