
Re: Concerns about how the Security information is presented on Debian.org

Davide Prina <davide.prina@gmail.com> wrote:

> you must understand that who report a security problem can be a different person 

The point is, to quote the paper:

"a vast majority of vulnerabilities and their corresponding security patches remain beyond public exposure"

Vulnerabilities are fixed in fresh versions of software. The versions in Stable stay vulnerable, even if all CVEs are reported to Debian (which I don't think is the case) and even if they are all fixed quickly (which is definitely not the case). It's a limitation of Debian's and RH's approach, compared to the rolling-release approach. This is one of the two things I mentioned that debian.org/security is not telling you.

> chromium has been removed from testing

That doesn't help people who trusted debian.org/security and are running it.
