Re: Food for thought - SECURITY (design flaw?)
-----BEGIN PGP SIGNED MESSAGE-----
On Monday 12 February 2001 14:02, Anthony Towns wrote:
> > On Mon, Feb 12, 2001 at 10:43:33AM -0200, Carlos Carvalho wrote:
> > Andreas Tille (email@example.com) wrote on 12 February 2001 11:32:
> > >IMHO people of security team shouldn't spend their time to serve
> > >security fixes for testing. People who want to use testing on
> > >security relevant machines should know what they do and should be
> > >able to handle those issues themselves. Those hazardeurs could try
> > >to fix important bugs of the package which is stick to unstable for
> > >whatever reason which would help the whole distribution or backport
> > >the stuff themself.
> > What's the purpose of testing exactly? If it's a preparation for
> > becoming stable it should obviously include the security fixes,
> > otherwise when the transition testing -> stable happens you're...
> It does include security fixes, it merely doesn't include them in as
> timely a manner as security.d.o provides for stable.
> This is fine for release purposes, but possibly not so fine for people
> actually running testing.
> (Note that security updates for unstable aren't necessarily timely either;
> there hasn't been an update for bind for m68k made available, eg. This
> mightn't bother you if you're running i386, but it can be a problem on
> other architectures. testing "suffers" from a least-commond-denominator
> sort of problem wrt this.)
> > If this issue isn't explained I'll just move to unstable and ignore
> > testing, because going back to stable is no option.
> If you're using stable, you can just point apt at security.d.o and not
> have to worry about anything much. You also get a single list to monitor
> for security issues. In principle.
> If you're using testing, you can watch out for security updates, and only
> have to worry about occassional problems and inconsistencies: you don't
> end up with perl broken, eg (at least so far :). You have to get some of
> these updates from unstable, or build them yourself, which is difficult
> (at least while apt 0.4 is unreleased).
> If you're using unstable, you don't get any assurances at all, but fixes
> generally come out fairly quickly.
Content-Type: application/pgp-signature; charset="us-ascii";
Dear fellow debianites,
IMHO our security people deserve a big round of cheers and applaus. Closed
source systems don't even come close to such security scrutiny.
"Stable" includes secure. What isn't secure shouldn't by definition be in
stable. But "errare humanum est".
My request would be to make security configuration as easy as updating with
apt and: "secure by default".
This message may contain confidential data intended only for the rightful
addressee. Should you receive it by error, please delete it at once and
inform the sender. We encourage the use of encrypted e-mail.
Please visit our web site: http://www.consult-meyers.com