
Re: Known vulnerabilities left open in Debian?




Greetings,

On Monday, 22 March 2004 at 19:30, Sven Hoexter wrote:
> On Mon, Mar 22, 2004 at 06:57:39PM +0100, Giacomo Mulas wrote:
> > 	There is a \begin{sarcasm} nice \end{sarcasm} article in
> > linuxworld Australia (see
> > http://www.linuxworld.com.au/index.php/id;1607539824;fp;2;fpid;1) which,
> > among other things, claims that "Debian (Debian GNU/Linux) has left
> > vulnerabilities there and didn't release any patches for them". 

Imho this article is about 90% correct - 95% if you ignore the
marketing waste.
5% not, because the article puts specific facts into general terms. The Debian
distribution as a whole is an easy target for hackers. The point is: if you
want to build a secure operating system you have to know exactly what you are
doing. What are the current vulnerabilities of the program I'm currently installing?
What do I have to do to work around them? Are there any known bugs? What does
the changelog say about this version? Have all fixes been backported to
Debian?
The Mozilla problem is one of the best examples of what Debian is into. If you
trust in the ability of the Debian project to release a secure distribution,
you are a fool!

But the point is: what's the alternative? If $big_fat_distributor is crippled
by its own release policy or profit-making intentions, it will _NEVER_ be
secure.
Debian might be more secure if they recognised that security has gained
importance.
btw. There was / is / won't be any absolutely secure operating system covering
the needs of an ordinary modern server.

>
> Well a week ago or so we had a longer discussion here about open bugs left
> in the ancient mozilla version in woody.

A discussion without conclusion, I must admit - sadly.
It might be necessary to file as many RC bugs against the current packages
(mozilla, cron e.g.) as possible. Thus debian-sarge might never be released
(who wants to release sarge with 1000-2000 sec. bugs - it might be worth the
effort).
If it's done that way, the leadership of the project will have to decide
whether they want to ignore sec. aspects and release sarge with as much
laughter as necessary, or change the release policy, or never release sarge.

Sadly - I don't have access to secret information (CVE, etc.) which would be
needed to do so.

> That's the only example I know but that doesn't mean much.

Cron is another example - to be honest, the Debian security team seems to be
crippled by the Debian release policy.
Because of this policy, Debian stable is insecure by definition.

Regards
J.Luehr


