Re: samba woody
On Tue, Jul 01, 2003 at 12:47:36PM +0200, Boldizsar BENCSATH wrote:
> What about something like this 5-minutes-change?:
>
> Template: samba/security_warning
> Type: boolean
> Default: false
> Description: Warning! Serious Warning!
> This version of samba contains remotely exploitable SERIOUS
> vulnerabilities!
> If you continue the install You will definitely be the target of CRACKING
> activity!
> DO NOT INSTALL THIS VERSION OF SAMBA UNLESS YOU KNOW WHAT YOU ARE DOING!
> If You don't know why you are going to install this version, you should
> check your debian version and security fixes lists (e.g. /etc/apt/sources.list)
> and Debian Security announcements! Do not use testing release if You cannot
> afford to keep up with the latest news!!!
> Do You really-really want to install this vulnerable version of samba?
>
> and some db_get samba/security_warning in preinst script...
I would rather see the bugs fixed. They already have been; it's just that a
few showstopper bugs need to be fixed before the new version goes in.
> I know Your reasons not to include a bad version, but some reasons from
> the practical side:
>
> -Many users do not read security mailing lists
They have already lost if they do not AT LEAST subscribe to the notification
lists that we provide.
> -Many users have some reasons to use unstable/testing distribution (e.g.
> libc6 compatibility issues with some not-debian-software)
Then they should upgrade selective packages and monitor those packages for
(e.g.) security problems. This is no reason to upgrade the entire system
(for example, samba).
> -They also need to be secure
They need to work at this. It is not automatic.
> -Or at least, we should push some warning for them
We prominently declare on the web site that unreleased packages may have
security problems and other bad bugs.
> -Or at least, we should maintain some "extra" security effort to the
> following packages:
> exim,sendmail,apache,php,mysql,samba,ftpd,proftpd,pop3's. These are the
> main packages and if they have a _remotely_ exploitable security hole,
> then it is a bad policy to leave these packages in -even the unstable-
> distro.
If you know of any such bugs, report them if they are not reported already,
and (if you can) fix them by providing patches.
This is an old argument and I do not wish to go over it again.
--
- mdz