Re: Update of security-critical outdated packages
On Thursday 15 January 2004 17:33, Rich Puhek wrote:
> Depending on what you're doing, pinning actually can work quite well.
Yup, and I do it on my workstation (not that I understand it, it is
rather magic to me).
> Snort is related to you overall system security, yes, but new
> releases of Snort have to do with your desire to run the latest and
> greatest release of a package, not with security issues.
Well, that's not how I read DSA-297. I have no desire to run the latest
and greatest release of a package on my production server, to the
contrary, with the notable exception of SpamAssassin. I would argue
that it is only because of security issues I would ever consider
upgrading a package on a production server (and mine isn't even in
production yet! :-) ).
> it may use snort just because it's handy for
> detecting strange patterns which could indicate other network
> problems, etc. It could even have some locally-grown programs that
> use some snort tools.
OK, valid argument, still, wouldn't it be rather rare compared to
actually using it for what it is intended for?
> True, but security issues aren't forcing people to use backports. If
> they are, they don't understand how Debian handles security.
Again, that's not how I read DSA-297.
> It's kind of off the topic, but if you're concerned about tools like
> snort, et. al., you should be at the experience level where verifying
> signatures of untrusted packages,
It has nothing to do with experience. Sometimes, you just don't have the
WOT needed to verify a package. Most probably, only those who have at
some point attended a Debian keysigning party have a WOT suitable for
that, and perhaps people who live in an area with many Debian users. In
sparsely populated areas like Norway, a good WOT is a real luxury, and
one of past year's most luxurious evenings was the Debian keysigning
party... :-)
>upgrading to testing|unstable,
You don't want to do that on a production system.
> doing apt-get source, or simply building from a tarball are viable
> options for you.
Yep, but it is still beside the point: Really good reason for keeping
outdated packages in the archive (ok, you provided one above)?
> > Again, I'm fine with backports for many packages, and I'm fine with
> > the general release cycle, it's just the small number of critical
> > security-related packages that I feel needs some discussion.
>
> What's the difference if someone downloads a backport of snort or a
> backport of a window manager?
Big difference: If the WM is a bit unstable, or it has a bit weird
performance at times, I don't care. It's the cost of running unstable
software. But if the NIDS fails to recognize an attack that's been
known for two years, it is pretty serious.
> Either way, if the backport is evil, you're screwed.
Yup, but that was a side-note.
> IMHO, it's been discussed to death already. Whether you want a brand
> new version of snort or a new version of KDE is irrelevant to the
> discussion of upgrades, the same issues still apply.
Well, it may be that it has been discussed to death. I'm rather new
here. But I respectfully disagree that the type of package is
irrelevant to the discussion.
Basically, I just like to hear your thoughts, because I really haven't
found any good answers.
Best,
Kjetil
--
Kjetil Kjernsmo
Astrophysicist/IT Consultant/Skeptic/Ski-orienteer/Orienteer/Mountaineer
kjetil@kjernsmo.net webmaster@skepsis.no editor@learn-orienteering.org
Homepage: http://www.kjetil.kjernsmo.net/ OpenPGP KeyID: 6A6A0BBC
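The pinning discussed at the top of this exchange, shown as an added example of an /etc/apt/preferences file; it is not something either poster wrote. The archive name "woody-backports" for the backports repository is an assumption (the Release file of whichever backports source you add decides what the "a=" match must be), and the package name "snort" is used only because it is the package under discussion.

```text
# /etc/apt/preferences (added example; archive names are assumptions,
# check them against the "release" line that "apt-cache policy" prints)

# Weak setting: pulls everything the backports archive offers, so a
# backported window manager, libraries and the NIDS all replace stable
# versions at the next "apt-get upgrade".
#
# Package: *
# Pin: release a=woody-backports
# Pin-Priority: 600

# Corrected setting: stable stays the default for every package...
Package: *
Pin: release a=stable
Pin-Priority: 500

# ...only the named security-critical package tracks the backport
# (600 beats stable's 500, so new backport versions are picked up)...
Package: snort
Pin: release a=woody-backports
Pin-Priority: 600

# ...and everything else from backports stays below 500, so it is never
# installed unless asked for explicitly, e.g.
#   apt-get install foo/woody-backports
Package: *
Pin: release a=woody-backports
Pin-Priority: 200
```

The priority bands are the part that reads as "magic": 500 is what a normal source gets, anything above it wins over stable for the packages it names, and 100 to 499 is "available, but never chosen automatically over an installed or stable version". After editing the file, `apt-cache policy snort` shows which version would be installed and from which source, which is the check to run before trusting the configuration. Pinning says nothing about whether the backport itself is trustworthy; that is still a matter of verifying its signature, as the thread goes on to discuss.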