
Re: secure installation




Javier Fernández-Sanguino Peña wrote:
> On Fri, Aug 17, 2007 at 10:01:54AM +0200, Johannes Wiedersich wrote:
>> PS 2: While we are at it: Debian by default also does not install or
>> enable an automated system to install security updates. It is the
>> responsibility of the user to decide whether and when security updates
>> are installed.
> 
> Not exactly true. If you are installing a Debian system with a network
> connection the installation system will add security.debian.org automatically
> to your sources lists and update the packages you were going to install from
> CD/DVD from that source. Automatically, unless the user goes into a
> 'power-user' configuration or the system is not connected to the network.

Not exactly true. Debian adds security repositories to apt's sources,
that's true. But it does _not_ automatically install them on your
system. It was my point that Debian does not by default provide an
automated system to _install_ security updates.

> Also, a Debian etch install of the Desktop environment (or just the GNOME
> environment) brings you 'update-manager' which *is* a system to install
> security updates if the box has been configured with a proper security source
> (which happens out of the box for most network-connected installations).
> In this case security updates are not, however, forced on you. You just get a
> gentle reminder that they are available.

So even automatic _reminders_ to install security updates are only
enabled if the user either installs GNOME (I use KDE) or specifically
knows of and installs the appropriate tool. I have not tried
exhaustively, but update-manager does not appear to work 'automatically'
with KDE, at least not for myself. It only works if I start it manually,
and that's even less convenient than a simple 'aptitude update; aptitude
upgrade'.

Note that I am not saying that I miss this 'automatic security'.
Conversely, my point was that the user should be educated to know and
care about security and should not be educated to trust any 'automatic
security'.

Johannes


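As an added illustration, not code from the thread or from Debian: a small POSIX shell audit of the two things the messages above disagree about, whether security.debian.org is actually present in apt's sources, and which pending upgrades would come from it, without installing anything. The origin tag `Debian-Security` on `apt-get -s upgrade` "Inst" lines, the file path handling and all sample data are my own assumptions and constructions.

```shell
#!/bin/sh
# Added example (not from the thread). Two read-only checks:
#   1. is there an active "deb" line for security.debian.org in a sources.list?
#   2. which pending upgrades, per "apt-get -s upgrade" (a simulation), come
#      from the security archive?
# Assumption (mine): apt marks such packages with the origin "Debian-Security"
# in the parenthesised part of each "Inst" line.

# has_security_source FILE -> exit 0 if FILE has a non-comment "deb" line
# pointing at security.debian.org; "deb-src" and "#"-commented lines do not count.
has_security_source() {
    grep -Eq '^[[:space:]]*deb[[:space:]]+(\[[^]]*\][[:space:]]+)?https?://security\.debian\.org/' "$1"
}

# count_security_upgrades < simulation-output -> number of pending security upgrades
count_security_upgrades() {
    awk '/^Inst / && /Debian-Security/ { n++ } END { print n + 0 }'
}

# list_security_upgrades < simulation-output -> package names, one per line
list_security_upgrades() {
    awk '/^Inst / && /Debian-Security/ { print $2 }'
}

# Constructed sample data (not copied from any real machine).
SAMPLE_SOURCES='# sources.list as the installer might write it
deb http://ftp.debian.org/debian/ etch main
deb-src http://ftp.debian.org/debian/ etch main
deb http://security.debian.org/ etch/updates main'

SAMPLE_SIMULATION='Reading package lists...
Building dependency tree...
The following packages will be upgraded:
  libc6 openssl vim
Inst libc6 [2.3.6.ds1-13] (2.3.6.ds1-13etch2 Debian-Security:4.0/stable)
Inst openssl [0.9.8c-4] (0.9.8c-4etch1 Debian-Security:4.0/stable)
Inst vim [7.0-122] (7.0-122+1etch2 Debian:4.0r1/stable)
Conf libc6 (2.3.6.ds1-13etch2 Debian-Security:4.0/stable)'

# Demo run on the constructed data.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_SOURCES" > "$tmp"
if has_security_source "$tmp"; then echo "security source: configured"; else echo "security source: MISSING"; fi
rm -f "$tmp"
echo "pending security upgrades: $(printf '%s\n' "$SAMPLE_SIMULATION" | count_security_upgrades)"
printf '%s\n' "$SAMPLE_SIMULATION" | list_security_upgrades
```

On a live box the second check is `apt-get -s upgrade | list_security_upgrades`, which reports what is waiting without installing it, the gap Johannes describes between "source configured" and "updates applied".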


