Re: Concerns with Open/OS Corporate Linux ads?

Scripsit Benjamin Mesing <ben-ml@gmx.net>

>>  - we have our own security team

> That isn't negated by their ad, in fact they state that Debian is
> secure. And Debian has lacked security support for new software for a
> long time (I believe testing is supported now).

We also shouldn't fool ourselves into thinking that a commercial
repackager with a real dedication to security support (say, by hiring
a handful of full-time employees to keep it current, and also by
restricting their attention to one or a few architectures) could not
beat _our_ overworked, underpaid (etc) security team.

As a random data point, take DSA-1116 (a buffer overrun with no known
exploit, in a quite popular piece of desktop software), where I happen
to have a timeline:

July 1 - reported privately to security team, with patch
July 6 - bug goes public through upstream's BTS, Debian bug filed
July 7 - upstream releases fixed version
July 7 - fixed in NMU to unstable
July 13 - bug reaches front of security team's attention queue.
          DSA and update to sarge prepared, but is stalled by some
          buildd problem on a minor architecture.
July 18 - fix propagates from unstable to testing
July 21 - fixed in sarge, DSA released

It is not my point to criticize the security team; I have no reason to
think they are not doing an absolutely fantastic job within the
externally-imposed constraints of volunteer work, unstable supplies of
free time in which to do the work, donated autobuilder machines spread
around the world and run by a different set of volunteers, and so on
and so forth.

But it is also clear that a business which makes it a strategic
priority to compete on the timeliness of security updates *could* well
provide some real value over our stable and testing suites here, even
- as in this case - when we have a 5-day head start.  Whether the
company in question *is* actually such a business or it is just making
empty promises, can of course not be discerned just by reading their

> I do not think that Debian as a whole should take action, but you could
> send an email to them and tell them that they've hurt your feelings (and
> you, as opposed to me, form a part of Debian).

But please take care to express that it is as an individual that you
complain, rather than as a representative of Debian as such.

Henning Makholm          "I have made it quite clear that by following
                   that path one only lives to an average age of about
               48, and that one puts one's social situation entirely at
           risk and, as far as I can see, dies in the deepest
           unhappiness and misery."
