
Re: Concerns about how the Security information is presented on Debian.org

On Monday, 20 December 2021 00:03:51 CET Max WillB wrote:
> 3. Inform the users that using anything but the latest version of the kernel
> (2) and other packages comes with inherent risks and explain them (delays
> in backporting fixes and known vulnerabilities not being disclosed)
> (2) https://security.googleblog.com/2021/08/linux-kernel-security-done-right.html

If you (only) look through the Debian kernel bugs, you'll come across various
bugs that say "It was working in version LTS-N, but it broke in LTS-N+1". So
continuously updating to the latest version is anything but risk-free.
If you install a new kernel version, you must reboot. While that may not be a 
problem for you and me, it is a problem for systems that need to be up 24/7.
A lot of people likely think "I have better things to do with my time than
constantly updating my kernel and rebooting my systems".

The blog author lists various ways in which the process can be improved. The 
thing is that those things have been known for *decades*. Yet 'somehow' they 
have not been fixed. He talks rather casually about 'just throwing more
resources' at the problem. Yet a massive company such as Google with essentially
unlimited resources/budgets hasn't been able to fix it.
Maybe those issues aren't as easy to fix as the author makes it seem?

And that is with the Linux kernel, which by FAR has the largest base of 
contributors, including companies paying people to work on it full-time.
But it's still just ONE component in a computer system.
For 99+% of the other components in a computer system, the chances that all
the improvements mentioned in the blog are applied are essentially NULL.

As much as I wish it wasn't the case, https://xkcd.com/2347/ is so true.

Running Unstable or some rolling release has benefits. And downsides/risks.
You get bug fixes first. And also new bugs.

There is a saying connected to Unstable/Sid:
"If it breaks, you get to keep all pieces"
I'm pretty confident that I can recover from such issues, so I do run Sid. That 
way I can encounter such issues, report them and possibly help fix them, to 
reduce the chances that less computer-savvy persons run into them.
I find Stable boring. Others RIGHTFULLY say, "boring is good".

When you look at things from a single perspective, things often seem easier
than they actually are.
