Re: samba woody

To: debian-security@lists.debian.org
Subject: Re: samba woody
From: Matt Zimmerman <mdz@debian.org>
Date: Tue, 1 Jul 2003 09:35:45 -0400
Message-id: <[🔎] 20030701133545.GK1090@alcor.net>
Mail-followup-to: debian-security@lists.debian.org
In-reply-to: <[🔎] Pine.LNX.4.44.0307011239280.18219-100000@datacontact.hu>
References: <[🔎] 20030701024342.GF1090@alcor.net> <[🔎] Pine.LNX.4.44.0307011239280.18219-100000@datacontact.hu>

On Tue, Jul 01, 2003 at 12:47:36PM +0200, Boldizsar BENCSATH wrote:

> What about something like this 5-minutes-change?:
> 
> Template: samba/security_warning
> Type: boolean
> Default: false
> Description: Warning! Serious Warning!
>  This version of samba contains remotely exploitable SERIOUS
> vulnerabilities!
>  If you continue the install You will be definetly target of CRACKING
> activity!
>  DO NOT INSTALL THIS VERSION OF SAMBA UNLESS YOU KNOW WHAT YOU ARE DOING!
>  If You don't know why are you going to install this version, you should
> check
>  your debian version and security fixes lists (e.g. /etc/apt/sources.list)
> and
>  Debian Security announcements! Do not use testing release if You cannot
> afford
>  to keep up with the latest news!!!
>  Are You really-really want to install this vulnerable version of samba?
> 
> and some db_get samba/security_warning  in preinst script...

I would rather see the bugs fixed.  They already have been; it's just that a
few showstopper bugs need to be fixed before the new version goes in.

> I know Your reasons not to include a bad version, but some reasons from
> the practical side:
> 
> -Many users do not read security mailing lists

They have already lost if they do not AT LEAST subscribe to the notification
lists that we provide.

> -Many users have some reasons to use unstable/testing distribution (e.g.
> libc6 compatibility issues with some not-debian-software)

Then they should upgrade selective packages and monitor those packages for
(e.g.) security problems.  This is no reason to upgrade the entire system
(for example, samba).

> -They also need to be secure

They need to work at this.  It is not automatic.

> -Or at least, we should push some warning for them

We prominently declare on the web site that unreleased packages may have
security problems and other bad bugs.

> -Or at least, we should maintain some "extra" security effort to the
> following packages:
> exim,sendmail,apache,php,mysql,samba,ftpd,proftpd,pop3's. These are the
> main packages and if they have a _remotely_ exploitable security hole,
> then it is a bad policy to leave these packages in -even the unstable-
> distro.

If you know of any such bugs, report them if they are not reported already,
and (if you can) fix them by providing patches.

This is an old argument and I do not wish to go over it again.

-- 
 - mdz

Reply to:

References:
- Re: samba woody
  - From: Matt Zimmerman <mdz@debian.org>
- Re: samba woody
  - From: Boldizsar BENCSATH <bencsath@datacontact.hu>

Prev by Date: Re: OT: An Idea for an IDS
Next by Date: Strongest linux
Previous by thread: Re: samba woody
Next by thread: Re: samba woody
Index(es):
- Date
- Thread