
Re: should debian comment about the recent 'ransomware' malware.



On Tue, May 16, 2017 at 11:24:16AM +0100, Ian Jackson wrote:
> I agree with your conclusion that we shouldn't make a public statement
> trying to capitalise on this, but:

> Russ Allbery writes ("Re: should debian comment about the recent 'ransomware' malware."):
> > This is not a case where Microsoft did something clearly wrong, or even
> > differently than we would have done, or where free software would have
> > helped significantly.

> I can't let this slide.

> If these systems were running Debian, big organisations like the
> British government could hire people to provide security support for
> their users, even for versions which we no longer support.  When the
> obsolete operating system is Windows, they can only hire Microsoft,
> who can set the price at whatever they think the market will bear.

> As it happens this particular vulnerability was indeed fixed by
> Microsoft, and that the UK NHS suffered so much is because of
> government and management failures[1].  But in general, users who for
> any reason are stuck on very old systems are in a much better position
> if those systems are free software.

On the gripping hand:

http://blog.koehntopp.info/index.php/1726-handling-wannacrypt-a-few-words-about-technical-debt/

I don't feel great about telling users that Free Software allows them to
ignore their lack of sound software lifecycle management by paying an
ever-increasing amount for security support, do you?

Now, Canonical has just announced an Extended Security Maintenance product
on top of the EOLed Ubuntu 12.04.  There's obviously money to be made
providing a genuine service to customers who find themselves in this
situation.  I just don't think we should celebrate that customers *do* find
themselves in this situation, since it reflects a failure up the chain.

> Also, Debian's engineering approaches mean it's easier to support
> obsolete environments, eg via chroots and/or mixed systems and/or
> selective backporting.
> 
> Ian.
> 
> [1] The NHS has been seriously underfunded and can't afford to hire
> enough good IT people (or indeed enough medics); and there has been a
> drive to replace IT systems with massive centralised IT disaster
> projects, which has starved existing systems of attention and
> resources.
> 

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek@ubuntu.com                                     vorlon@debian.org
