Re: Concerns about how the Security information is presented on Debian.org
I'm only a Debian user, so wait for some more expert answers.
Probably it is better that you ask these questions on the security
mailing list or the user list.
On 17/12/21 07:42, Max WillB wrote:
> security.debian.org starts off with "Debian takes security very seriously. "
> and goes on about how great Debian's security is. It stops short of explicitly
> claiming that Debian provides all security updates for all packages included
> in the distribution, but it implies these things.
I know that security support is for the main repository; for non-free and
contrib it is limited or absent.
> A casual user, with no particular background in security, will come away not realizing the limitations, of which I'd like to point out two:
Security is not a "word" with an absolute meaning; it depends on who
uses it and on what occasion. There is no absolute security, but
the user must tune the grade of what he can see as secure in the case he
> 1. The vast majority of security vulnerabilities discovered in upstream code
> are quietly fixed and never get written up as CVEs, so they don't even come up on the radar (1)
First of all, you must understand that whoever reports a security problem can
be a different person from whoever develops that software. So the reporter can
think that there is a security problem and the developer can say it is
not, or they may not agree on the security severity. I have seen some of
these cases, and sometimes the upstream does not "correct" what it thinks
is not "wrong".
Second, finding a security problem may not be so easy, so there can be
software with security bugs that no one knows about and that are involuntarily
fixed with a new software version. I don't think this is a problem, and I
don't think this is something that can be changed.
Note that this is a situation present in all software and also in the
production of any kind of object and so on...
So I think that (1) can be applied to any human work with the same
result. For example, your car can have security problems that are fixed
in the new models and that no one has found on your model...
> 2. Debian is too understaffed to backport even the CVEs
I don't know if this is true or not.
> in widely used and security-critical packages like Chromium
Chromium has been removed from testing and probably the security support
will end (or has it already ended?), see bug #998676
> This is something the users deserve to know.
You can install debsecan and use it to know which software you have
installed that has open security bugs.
debsecan also advises you when you are using software, I think only in the
main repository, that has no more security support or has limited
> Hiding this information from the users
I don't think anyone is hiding this information; all of it is
public and can be accessed by any user.
You can subscribe to the security mailing list, you can monitor the packages
you have installed and are using, ...
> Morality aside, I think that if more Debian users were aware of the truth
I think that you are trying to blame Debian for something that is a
general "problem" of all human activities.
> , they'd lobby for a rolling Debian release (Debian Unstable is kind of like that, but not really)
I think that the Debian way of releasing new versions is the best and I
would not want it to be changed.
I have read about this rolling release in other distros and I don't like it,
and I also think this type of release can be a very bad thing for security.
> (1) See for example https://arxiv.org/abs/2105.14565
What happened in 2013 couldn't have happened without free software
(He credited free software for his ability to help disclose the U.S.
government's far-reaching surveillance projects).