Re: [SECURITY] [DSA 195-1] New Apache-Perl packages fix several vulnerabilities

On Wed, Nov 13, 2002 at 03:22:20PM -0500, Raymond Wood wrote:
> On Thu, Nov 14, 2002 at 02:23:30AM +0700, Jean Christophe ANDRÉ remarked:
> > Raymond Wood wrote:
> > > Respectfully, does anyone know when Sid will receive patches
> > > for the previous Apache vulnerabilities that were fixed for
> > > Potato and Woody, but not Sid? It's been days... Raymond
> > Because Sid's aim is to allow you to test bugs... and enjoy
> > viruses! <g> ;-)
> That was not my question - read again if you must.

Your question is when it was to receive updates.  His answer is that
it is not supported.  If you want a secure system, use 'stable'.
That's policy.  If you don't like it, DO something about it.  Also,
please maintain a civil tone on this list.

> I am fully aware of the Security team's 'official policy'
> regarding Sid and security updates.  I also think I, and
> probably others, are getting weary of these same old tired
> responses that quote policy, but do very little to help.

Then DO something about it.  If you want Sid to be updated for all of
the vulnerabilities found, volunteer to help the security team, or
maybe download the source package from the security.debian.org server
and build it.

> The relevant DSA in question itself stated something to the
> effect 'a fix for Sid will appear soon'.  At this point I am
> wondering how soon or how late:  I mean are we talking about
> days or weeks at this point?  It makes no sense to leave Sid
> vulnerable for any longer than necessary, for the fact is there
> *are* desktop users who do use Sid, because it is cutting edge.
> Are these people just to wait like sitting ducks until their
> systems are compromised?  This would make no sense to me.

Then they should realize that using Sid has NO guarantee for security.
Sid is for finding problems with packages interacting, finding grave
bugs, and making sure software is ready for testing.  The only branch
that has any guarantee of security is stable.  This is by no means
unique to Debian.  I don't know many people who run production FreeBSD
machines (be they desktop or servers) with ANY expectation of security
with the FreeBSD-CURRENT branch.

Edward Guldemond

GPG Key: 0x4E505B0F
Key fingerprint:  4CAC 6740 C1CD 3CE4 6CA0
                  34E9 B3B7 18EC 4E50 5B0F

Attachment: pgpT4KCFrH0gF.pgp
Description: PGP signature