Update of security-critical outdated packages
Dear all,
It is an issue that's been bugging me for some time, and while I have
tried to find good reasons, I have not, so I might as well write them
down. I have a lot of respect for the security team, and I don't think
I have anything to contribute other than my thoughts, but I'll try to
share them.
Many packages in stable are really outdated. After first installing
Woody, I thought that looking at the prospect of waiting
one-and-a-half years for the next release would scare me away from
Debian. Now that I've grown up a bit more, it doesn't. I'm perfectly
fine with using backports for things like KDE. Also, if I were a
sysadmin for a lot of boxes, supporting many not-too-savvy users, the
release cycle would be perfectly reasonable. For a stable system, pinning is
not an option, because you'll quite soon have to update things like libc6
if you do. It's not about that. Backports are fine for most purposes,
and I'm fine with the release cycle.
It's about a small handful of security-critical packages, like for
example Snort. In the case of Snort, the security team has explicitly
discouraged people from using the packages available in Woody, see
DSA-297. I find it very hard to understand that, in the cases where the
security team strongly advises an upgrade, the backported packages
are not included in e.g. a point release.
One may argue that such an upgrade will break some poor sysadmin's
system, because he didn't expect an upgrade containing new features, or
where old features were perhaps deprecated. However, if he had a clue,
he wouldn't be using the packages to begin with. If it breaks his
system, it was time he got a wake-up call anyway. I can't see that this
is a valid argument.
One could also argue that if many packages had to be backported to the
old stable architecture, one would introduce instability because of the
lack of extensive testing. To this, there are two responses: First of
all, using outdated packages doesn't really give you much either, and
some instability is perhaps better than a package that gives you a false
sense of security. Secondly, it is never going to be a lot of packages.
The packages I can immediately think of that this is important for are snort
and chkrootkit. It will probably be at most 1 in 1000 packages that
this concerns.
Surely, things like SpamAssassin should be kept up-to-date, but it is a
different problem to address, and one that I currently feel is
adequately addressed by Norbert's backports.org.
Finally, there is a good argument, I think it was Tom Allison who
forwarded it when I brought the issue up on debian-user, that if the
backports would depend on an upgrade of other packages, like libc6, the
system would soon be unstable. That's a very good point, but as far as
I can see, there are working backports of snort and chkrootkit to
Woody. In most cases, I would presume, you don't need to upgrade
dependencies. An upgrade of a package would then just influence that
package.
So, this is just about the very few packages the security team feels are
so outdated that one advises people not to use them. For those packages, the
question is: what is the advantage of keeping such outdated packages in
the archive?
This is somewhat relevant to the point Ryan just raised in his recent
post about "better apt security with 3rd-party sites", since having
outdated packages in the archive makes people use backports from
3rd-party sites, and you don't know the validity of these packages.
It seems to me to be a perfect way to trojan a newbie's machine: The
newbie hears on debian-user that he must update some of these packages.
So, a malicious cracker puts up a site with "official
updates", and the newbie adds it to his sources.list. Instantly, he
gets a version of Snort that ignores attacks and a chkrootkit with a
rootkit... Even if you could use debsigs, a newbie probably couldn't
verify the package anyway, due to the lack of a personal WOT. I think it
is a rather bad situation.
Again, I'm fine with backports for many packages, and I'm fine with the
general release cycle, it's just the small number of critical
security-related packages that I feel needs some discussion.
Best,
Kjetil
--
Kjetil Kjernsmo
Astrophysicist/IT Consultant/Skeptic/Ski-orienteer/Orienteer/Mountaineer
kjetil@kjernsmo.net webmaster@skepsis.no editor@learn-orienteering.org
Homepage: http://www.kjetil.kjernsmo.net/ OpenPGP KeyID: 6A6A0BBC
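The scenario in the mail above, a sources.list that mixes official mirrors, a known backports site and an unknown host advertising "official updates", can at least be audited mechanically before apt is ever run. The following is an added example and is not code from the mail, from Debian or from backports.org; the allowlist of official hosts, the treatment of www.backports.org as a known third-party site, and the sample sources.list are all constructed assumptions for the demonstration.

```python
"""Audit apt sources.list entries and flag third-party repositories.

Added example (not from the original mail). OFFICIAL_HOSTS,
KNOWN_THIRD_PARTY and SAMPLE_SOURCES are assumptions constructed
for the demonstration; adjust the host sets for your own mirrors.
"""
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Assumed allowlist of hosts treated as official Debian sources.
OFFICIAL_HOSTS = {"ftp.debian.org", "ftp.no.debian.org", "security.debian.org"}

# Assumed: hosts that are third party but known, so worth a warning
# rather than an alarm (the mail mentions Norbert's backports.org).
KNOWN_THIRD_PARTY = {"www.backports.org"}

# Constructed sample sources.list for the demonstration.
SAMPLE_SOURCES = """\
# official
deb http://ftp.no.debian.org/debian/ woody main contrib non-free
deb-src http://ftp.no.debian.org/debian/ woody main
deb http://security.debian.org/ woody/updates main contrib non-free
# backports
deb http://www.backports.org/debian/ woody snort chkrootkit
# "official updates" advertised on a mailing list
deb http://debian-updates.example.net/ woody main
deb cdrom:[Debian GNU/Linux 3.0]/ woody main
"""


@dataclass
class SourceEntry:
    kind: str            # "deb" or "deb-src"
    uri: str
    dist: str
    components: list = field(default_factory=list)
    lineno: int = 0


def parse_sources(text):
    """Parse sources.list lines; comments and blank lines are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        # A usable entry needs at least: type, URI, distribution.
        if len(parts) < 3 or parts[0] not in ("deb", "deb-src"):
            continue
        entries.append(SourceEntry(parts[0], parts[1], parts[2], parts[3:], lineno))
    return entries


def classify(entry, official=OFFICIAL_HOSTS, known=KNOWN_THIRD_PARTY):
    """Return "official", "local", "known-third-party" or "unknown"."""
    parsed = urlparse(entry.uri)
    if parsed.scheme in ("cdrom", "file"):
        return "local"
    host = parsed.hostname or ""
    if host in official:
        return "official"
    if host in known:
        return "known-third-party"
    return "unknown"


def audit(text, official=OFFICIAL_HOSTS, known=KNOWN_THIRD_PARTY):
    """Return (lineno, host, label, components) for every non-official,
    non-local entry, so an admin can verify each one out of band."""
    findings = []
    for entry in parse_sources(text):
        label = classify(entry, official, known)
        if label in ("official", "local"):
            continue
        host = urlparse(entry.uri).hostname or ""
        findings.append((entry.lineno, host, label, entry.components))
    return findings


if __name__ == "__main__":
    for lineno, host, label, comps in audit(SAMPLE_SOURCES):
        print(f"line {lineno}: {host} [{label}] components={' '.join(comps)}")
```

Running it on the constructed sample flags two entries: www.backports.org as a known third-party site and debian-updates.example.net as an unknown host; the official mirrors and the cdrom entry are left alone. The point of the "unknown" label is exactly the trojan scenario in the mail: a host that nobody on the team recognised should not ship a Snort or chkrootkit package to the box until someone has checked where it came from.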