Dear Paweł,

I'm replying as a subscriber to -publicity. Reply follows inline:

Paweł Starzyński <pawel.starzynski@tutanota.com> writes:

> This situation has put me into deep concern - I don't want to constantly
> think about my PC. I want to perform regular updates and that's it. Am I
> obliged to follow web forums?

Not obliged, no, but I think the question is how worried one is (or is paid to worry) about zero-day vulnerabilities. The nature of these means that some will always be ahead of the fixes... there's a pretty broad spectrum of definitions of "enough" in "it's secure enough". Ultimately it's about finding a balance between obligations/peace of mind, reasonable risk, and justified effort. An air-gapped machine in a Faraday cage might not be secure enough for some things.

Assuming the use of Debian stable, opting into the use of -proposed-updates (which, once tested, become -security updates) reduces the latency of receiving the fixes. -proposed-updates does introduce regression potential, but that's technically true for any updates ;-)

Beyond that, security is a process using many methods, and unfortunately security consciousness always costs time/energy (or money to pay someone). "Secure" is definitely a spectrum and not a binary state, in every case. More on this later!

> Reddit users advised me to follow the Debian Security Tracker and subscribe
> to the security-announce mailing list. The former lists vulnerabilities not
> only for chromium but also for linux kernel, firefox-esr etc. - I don't know
> where the point is at which I shouldn't use a certain package at all. The
> latter solution seems unimportant to me - messages inform about found
> vulnerabilities and advise performing an update. For me it's enough to
> perform apt update && apt upgrade commands daily.
>
> The security-announce mailing list would make more sense to me if it
> contained warnings about not using a certain package at all - the warning on
> the chromium wiki site is certainly insufficient. Then it should be highly
> recommended to subscribe to such a list immediately after install.

It sounds like you may be interested in "reducing the attack surface" by uninstalling software :-)

> Another, maybe even better option - creating a newsletter - something like
> Ubuntu's Weekly Newsletter or Fedora Magazine.

Is the package "debsecan" something you'd be interested in using?

Description: Debian Security Analyzer
 debsecan is a tool to generate a list of vulnerabilities which affect a
 particular Debian installation. debsecan runs on the host which is to be
 checked, and downloads vulnerability information over the Internet. It can
 send mail to interested parties when new vulnerabilities are discovered or
 when security updates become available.

Debsecan saves time compared to digest-style emails about the whole archive, forums, and vulnerability trackers. If a piece of software that you use frequently appears in these emails, and if its vulnerabilities don't get fixed, then this could be used as an indicator for software that you might not want on your system. Alternatively, it may be a case where the Debian maintainers would appreciate receiving a bug report.

If you're concerned that updates to the -security suite don't reach you fast enough, a moderate approach may be to enable pinning for -proposed-updates, then upgrade individual packages identified by debsecan.

> Looking forward to hearing from you.
>
> Regards,
> Paweł Starzyński

I hope that helps!

Regards,
Nicholas
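The "moderate approach" Nicholas describes (pin -proposed-updates below the default priority so a plain apt upgrade ignores it, then pull in only the packages debsecan flags) as an added shell example. This is not code from the mail or from the debsecan project: the release codename, the pin/target suite name, the preferences path and the `debsecan --format packages` flag are all assumptions here, and the package list fed to it is constructed. Check the real suite name with `apt-cache policy` before relying on the pin.

```shell
#!/bin/sh
# Added example, not from the original mail. Opt in to -proposed-updates
# without letting it win automatically, then upgrade only named packages.
# CODENAME is an assumption; set it to the stable release you actually run.
set -eu

CODENAME="${CODENAME:-bookworm}"

# 1. Sources entry for the suite (assumed layout; main only).
write_sources() {
    # $1 = file to write; on a real host: /etc/apt/sources.list.d/proposed.list
    cat > "$1" <<EOF
deb http://deb.debian.org/debian ${CODENAME}-proposed-updates main
EOF
}

# 2. Pin the suite at 400 (< 500). apt will then only take versions from it
#    when asked explicitly with -t, so daily `apt upgrade` stays on stable.
#    The n= (codename) match is an assumption; verify with `apt-cache policy`.
write_pin() {
    # $1 = file to write; on a real host: /etc/apt/preferences.d/proposed
    cat > "$1" <<EOF
Package: *
Pin: release n=${CODENAME}-proposed-updates
Pin-Priority: 400
EOF
}

# 3. Turn a package list (one name per line, e.g. piped from
#    `debsecan --format packages`; that flag is assumed) into ONE explicit
#    apt-get command that upgrades just those packages from the pinned suite.
#    Duplicates are collapsed; an empty list yields no command at all.
build_upgrade_cmd() {
    pkgs=$(sort -u | tr '\n' ' ' | sed 's/ *$//')
    [ -n "$pkgs" ] || return 0
    printf 'apt-get install -t %s-proposed-updates %s\n' "$CODENAME" "$pkgs"
}

# Demo on constructed input (not real debsecan output):
#   sh this.sh demo
if [ "${1:-}" = "demo" ]; then
    printf 'chromium\nlinux-image-amd64\nchromium\n' | build_upgrade_cmd
fi
```

In practice the pipeline is `debsecan --format packages | build_upgrade_cmd`, reviewed by eye before running the printed command as root; the point of printing rather than executing is that -proposed-updates carries regression risk, so each upgrade from it should be a deliberate choice.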