On Fri, 2021-02-12 at 14:40 +0100, Ola Lundqvist wrote: > The discussion is more or less whether packages should be allowed in > Debian in the first place. This should be discussed on some general > mailinglist, like debian-devel or debian-project. LTS cannot put > restrictions on what should enter Debian in general. Agreed, I encourage the team to start that discussion. > But most software can actually be quite badly written and this is not > a problem from a security standpoint. In an increasingly networked world it is hard to have poorly written software that doesn't interact with untrusted data at some point. > If the user use insecure software in the right way it can work just > fine. For example if you are using a text editor to write your own > software that editor can have all sort of software problems without > causing a security issue. In a world where people are cloning git repositories from strangers and loading the code locally, poorly written text editors can theoretically become security liabilities. > In many cases it is better to have some software that fit your > purpose even though they are not the best from a security point of > view. Agreed. > I maintained Vnc (version 3) for many years. Vnc (3) was not in any > way secure, at least it was not in the beginning. However with decent > firewalls around your network this is not really an issue. We need more sandboxing and other ways to use poorly written software that avoid their potential for security liabilities. -- bye, pabs https://wiki.debian.org/PaulWise
Attachment:
signature.asc
Description: This is a digitally signed message part