Re: Proposal for new Security subsection for non-US

To: debian-devel@lists.debian.org, debian-security@lists.debian.org
Cc: nickv@netexpress.net
Subject: Re: Proposal for new Security subsection for non-US
From: Pavel Minev Penev <kal_pav@sz.techno-link.com>
Date: Sun, 23 Jun 2002 00:46:27 +0300
Message-id: <[🔎] 20020623004627.A975@sz.techno-link.com>
Mail-followup-to: debian-devel@lists.debian.org, debian-security@lists.debian.org, nickv@netexpress.net
Reply-to: debian-security@lists.debian.org
In-reply-to: <[🔎] 20020622052111.GB28709@dodds.net>
References: <[🔎] 1024718148.32749.293.camel@zion> <[🔎] 20020622052111.GB28709@dodds.net>

On Sat, Jun 22, 2002 at 12:21:12AM -0500, Steve Langasek wrote:
> Hello Matthew,
> 
> I'm glad to see others thinking along the same lines.  However,
> precisely because of the nature of the issues surrounding such packages
> -- the need for frequent updates even when running stable, the fact that
> this data should *not* be shipped on CDs, the relatively small mirror
> requirements -- I believe such a repository for definition files could
> thrive outside of the main Debian archive network.  I'm also rather
> confident that, at least initially, it will be a lot *easier* to
> implement this outside of the main Debian archive network.  Debian is
> effective at a lot of things, but when you start talking about IDS
> updates, you really want something a little more flexible and a little
> less process-laden. ;)
> 
> On Sat, Jun 22, 2002 at 03:55:46PM +1200, Matthew Grant wrote:
> 
> > o Updating vulnerability databases does not work as generally the new
> > data on the 'Net is no longer compatible with the binaries in stable.
> 
> > o New versions have new detection algorithms, capabilities, and
> > methodologies that are needed to deal with current and serious threats.
> 
> I would hesitate to endorse providing Debian packages for such security
> software if the binaries themselves really need to be updated that
> frequently.  Where binaries can be provided and managed through the
> normal unstable->testing->stable system -- complete with security
> updates from our world-class security team -- I think having
> asynchronous updates to definiton files is a great boon; but where the
> programs have to be updated frequently to remain useful, I would argue
> that the software is simply not mature enough to receive the Debian seal
> of approval at all.
> 
> Thus, the responsibilities of the maintainers of such an archive would
> not be to backport the software to stable, but to backport the
> definition files to stable.

I would think of using xdelta, or similar to distrubute changes as
binary patches, since there could be a real server overload when a few
hundred administrators and mere people start downloading the brand new
deifinitions simultaneously. What about a public rsync? Maybe a usual
announce mailing list?

In my oppinion, a package created ten minutes ago can't go into stable.
Even if it is a simple virus/worm/blacklist/... definion. Bugs can crawl
anywhere. Therefore, I don't think the proposed type of packages can
ever be a part of stable. I guess it should be like: use unstable for
just those packages, and stable for all the rest.

-- 
Pav


-- 
To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Reply to:

Follow-Ups:
- Re: Proposal for new Security subsection for non-US
  - From: Peter Cordes <peter@llama.nslug.ns.ca>

References:
- Proposal for new Security subsection for non-US
  - From: Matthew Grant <grantma@anathoth.gen.nz>
- Re: Proposal for new Security subsection for non-US
  - From: Steve Langasek <vorlon@netexpress.net>

Prev by Date: Re: Proposal for new Security subsection for non-US
Next by Date: Re: Proposal for new Security subsection for non-US
Previous by thread: Re: Proposal for new Security subsection for non-US
Next by thread: Re: Proposal for new Security subsection for non-US
Index(es):
- Date
- Thread