
Re: Concerns about how the Security information is presented on Debian.org

One DD replied off-list, so I'll quote him without attribution:

> I understand your concern, but practicality is better than theory.
> (...) we will get notification when vulnerabilities are exploited, and so we get priority.

It's not so theoretical: 

"Google is aware that an exploit for CVE-2021-37973 exists in the wild."


This was 3 months ago. This hole is still open in Debian Stable, among many others.

> (...) You will not find many exploitations on updated systems. And this matters more than theory. We have a social contract to users, not to philosophers.

A good fraction of Debian 10 and 11 users are using Chromium as we speak. They probably had a look in debian.org/security at some point, but the page failed to warn them. Almost every Debian user I've interacted with mistakenly believes that Debian applies all relevant security updates to all packages.

It's pretty disappointing that of the 1000+ list subscribers no one agreed with me, publicly.

Anyway, I've said my piece, and I don't know what else I could add. I already sound like a broken record. Unsubscribing.
