[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Thoughts about information policy

Dear Paweł,

I'm replying as a subscriber to -publicity.  Reply follows inline:

Paweł Starzyński <pawel.starzynski@tutanota.com> writes:

> This situation has put me into deep concern- I don't want to constantly think about my PC. I want to perform regular updates and that's it. Am I obligued to follow web forums?

Not obliged, no, but I think the question is how worried one is (or is
paid to worry) about zero-day vulnerabilities.  The nature of these
means that some will always be ahead of the fixes...there's a pretty
broad spectrum of definitions of "enough" in "it's secure enough".
Ultimately it's about finding a balance between obligations/peace of
mind, reasonable risk, and justified effort.  An air-gapped machine in a
faraday cage might not be secure enough for some things.

Assuming the use of Debian stable, opting into the use of
-proposed-updates (which, once tested, become -security updates) reduces
the latency of receiving the fixes.  -proposed-updates does introduce
regression potential, but that's technically true for any updates ;-)

Beyond that, security is a process using many methods, and unfortunately
security consciousness always costs time/energy (or money to pay
someone).  "Secure" is definitely a spectrum and not a binary state, in
every case.  More on this later!

> Reddit users adviced me to follow Debian Security Tracker and subscribe to security-announce mailing list. Former lists vulnerabilities not only for chromium but also for linux kernel, firefox-esr etc.- I don't know where is the point when I shouldn't use certain package at all. Latter solution seems unimportant to me- messages inform about found vulnerabilities and advice to perform an update. For me it's enough to perform apt update && apt upgrade commands daily.
> Security-announce mailing list would have more sense to me if it contained warnings about not using certain package at all- warning on chromium wiki site is certainly insufficient. Then it should be highly recommended to subscribe to such a list immediately after install.

It sounds like you may be interested in "reducing the attack surface" by
uninstalling software :-)

> Another, maybe even better option- creating a newsletter- something like Ubuntu's Weekly Newsletter or Fedora Magazine.

Is the package "debsecan" something you'd be interested in using?

  Description: Debian Security Analyzer
   debsecan is a tool to generate a list of vulnerabilities which affect
   a particular Debian installation.  debsecan runs on the host which is
   to be checked, and downloads vulnerability information over the
   Internet.  It can send mail to interested parties when new
   vulnerabilities are discovered or when security updates become

Debsecan saves time compared to digest-style emails about the whole
archive, forums, and vulnerability trackers.  If a piece of software
that you use frequently appears in these emails, and if its
vulnerabilities don't get fixed, then this could be used as an indicator
for software that you might not want on your system.  Alternatively, it
may be a case where the Debian maintainers would appreciate receiving a
bug report.

If you're concerned that updates to the -security suite don't reach you
fast enough, a moderate approach may be to enable pinning for
-proposed-updates, then upgrade individual packages identified by debsecan.

> Looking forward to hearing from you.
> Regards,
> Paweł Starzyński 

I hope that helps!

Attachment: signature.asc
Description: PGP signature

Reply to: