Re: Concerns about how the Security information is presented on Debian.org

To: debian-project@lists.debian.org
Subject: Re: Concerns about how the Security information is presented on Debian.org
From: Max WillB <maxwillb@mailfence.com>
Date: Tue, 21 Dec 2021 21:39:46 +0100 (CET)
Message-id: <[🔎] 1635898897.229046.1640119186622@ichabod.co-bxl>
In-reply-to: <[🔎] 1853607750.66744.1639955031888@ichabod.co-bxl>
References: <[🔎] 918398267.111981.1639723358162@ichabod.co-bxl> <[🔎] 3f1d15fb-22f1-f1a0-03be-7670649376e3@gmail.com> <[🔎] 1828074445.26812.1639931860520@ichabod.co-bxl> <[🔎] Yb95gN9rajOFA+uf@einval.com> <[🔎] 1853607750.66744.1639955031888@ichabod.co-bxl>

One DD replied off-the-list, so I'll quote him without attribution:

> I understand your concern, but practicality is better then theory.
>
> (...) we will get notification when vulnerabilities are exploited, and so we get priority.

It's not so theoretical: 

"Google is aware that an exploit for CVE-2021-37973 exists in the wild."

https://chromereleases.googleblog.com/2021/09/stable-channel-update-for-desktop_24.html

This was 3 months ago. This hole is still open in Debian Stable, among many others.

>  (...) You will not find many exploitation on updated systems. And this  matter more then theory. We have a social contract to users, not to philosophers.

A good fraction of Debian 10 and 11 users are using Chromium as we speak. They probably had a look in debian.org/security at some point, but the page failed to warn them. Almost every Debian user I've interacted with mistakenly believes that Debian applies all relevant security updates to all packages.

It's pretty disappointing that of the 1000+ list subscribers no one agreed with me, publicly.

Anyway, I've said my piece, and I don't know what else I could add. I already sound like a broken record. Unsubscribing.

-- 
Sent with https://mailfence.com  
Secure and private email

Reply to:

Follow-Ups:
- Re: Concerns about how the Security information is presented on Debian.org
  - From: Agata Erminia Pennisi <agataerminiapennisi@gmail.com>

References:
- Concerns about how the Security information is presented on Debian.org
  - From: Max WillB <maxwillb@mailfence.com>
- Re: Concerns about how the Security information is presented on Debian.org
  - From: Davide Prina <davide.prina@gmail.com>
- Re: Concerns about how the Security information is presented on Debian.org
  - From: Max WillB <maxwillb@mailfence.com>
- Re: Concerns about how the Security information is presented on Debian.org
  - From: "Andrew M.A. Cater" <amacater@einval.com>
- Re: Concerns about how the Security information is presented on Debian.org
  - From: Max WillB <maxwillb@mailfence.com>

Prev by Date: Re: Concerns about how the Security information is presented on Debian.org
Next by Date: Re: Concerns about how the Security information is presented on Debian.org
Previous by thread: Re: Concerns about how the Security information is presented on Debian.org
Next by thread: Re: Concerns about how the Security information is presented on Debian.org
Index(es):
- Date
- Thread