[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Concerns about how the Security information is presented on Debian.org


I'm only a Debian user, so wait some more expert answers.
Probably it is better that you ask these question to the security mailing list or user list.

On 17/12/21 07:42, Max WillB wrote:

security.debian.org starts off with "Debian takes security very seriously. "
and goes on about how great Debian's security is. It stops short of explicitly
claiming that Debian provides all security updates for all packages included
in the distribution, but it implies these things.

I know that security is for the main repository, for non-free and contrib is limited or absent.

A casual user, with no particular background in security, will come away not realizing the limitations, of which I'd like to point out two:

security is not an "word" with an absolute meaning, it depends on who and in what occasion it is used. There is not an absolute security, but the user must tune the grade of what he can see as secure in the case he is analyzing.

1. The vast majority of security vulnerabilities discovered in upstream code
are quietly fixed and never get written up as CVEs, so they don't even come up on the radar (1)

first of all you must understand that who report a security problem can be a different person from who develop that software. So reporter can think that there is a security problem and the developer can say it was not or they not agree with the security severity. I have see some of this cases and sometime the upstream do not "correct" what he thinks that is not "wrong". Second find a security problem cannot be so easy and so there can be software with security bugs that no one know and that are involuntary fixed with a new software version. I don't think this is a problem and I don't think this is something that can be changed.

Note that this is a situation present on all software and also in all object-productions and so on...

So I think that [¹] can be applied to any human work and have the same result. For example your car can have security problems that are fixed with the new models and no one have found they on your model...

2. Debian is too understaffed to backport even the CVEs

I don't know if this is true or not.

in widely used and security-critical packages like Chromium

chromium has been removed from testing and probably the security support will be end (or is already ended?), see bug #998676

This is something the users deserve to know.

you can install debsecan and use it to know what software you have installed and have open security bugs. debsecan advise you also when you are using software, I think only in main repository, that has no more security support or have a limited security support

Hiding this information from the users

I don't think anyone is hiding this information, all this information is public and can be accessed by any user. You can subscribe to the security mailing list you can monitor package you have installed and are you using, ...

Morality aside, I think that if more Debian users were aware of the truth

I think that you are trying to blame Debian for something that is a general "problem" of all human activities.

, they'd lobby for a rolling Debian release (Debian Unstable is kind of like that, but not really)

I think that the Debian way to release new versions is the best and I will not it will be changed. I have read of this rolling release in other distro and I not like it and also I think this type or release can be a very bad thing for security.


(1) See for example https://arxiv.org/abs/2105.14565

What happened in 2013 couldn't have happened without free software
(He credited free software for his ability to help disclose the U.S. government's far-reaching surveillance projects).
Edward Snowden

Reply to: