
Re: DSA 438 - bad server time, bad kernel version or information delayed?



Matt Zimmerman <mdz@debian.org> writes:

> On Thu, Feb 19, 2004 at 02:30:54PM +0100, Florian Weimer wrote:
>
>> Bernd S. Brentrup wrote:
>> 
>> > On Wed, Feb 18, 2004 at 04:44:15PM -0500, Michael Stone wrote:
>> > > On Wed, Feb 18, 2004 at 09:17:13PM +0100, Florian Weimer wrote:
>> > > >Yes, this is the norm.  Debian hides security bugs from its users for
>> > > >extended periods of time.
>> > > 
>> > > begone, troll
>> > 
>> > Casting a spell on him won't work either :-), he'll raise his head again
>> > next time this issue comes up.
>> > 
>> > Obviously he isn't capable of accepting defeat.
>> 
>> Debian isn't very transparent about this issue (which I consider very
>> important), so I'm willing to help out.  If you read my other messages in
>> this thread, you'll see that I'm trying to paint a more balanced picture
>> (which is still rather bleak, but that's not my fault).
>
> I don't consider the situation to be especially bleak, considering that the
> alternatives are completely unworkable.  I assume this is why you haven't
> included any in your criticism.

Is it entirely impossible to have two security teams, or split the
current security team into two parts?  One part that patches Debian
packages as soon as technically possible, and one part that follows
various CERT timing requirements?  I can't see how CERT would
reasonably object to that model, as long as no information flows from
the CERT team to the non-CERT team, and it would allow the Debian
users to have access to fixes as soon as possible.

I'm assuming that Debian users have suffered from delayed updates of
packages, with semi-widely published exploits, because the updated
Debian package is waiting for the green light from CERT.  I'm not sure
if this happens frequently, but it appears as if it might occur, which is
reason enough to consider solutions to that problem.

Thanks.


