[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: secure installation

On Tue, Aug 21, 2007 at 09:00:47AM +0200, Johannes Wiedersich wrote:
> Not exactly true. Debian adds security repositories to apt's sources,
> that's true. But it does _not_ automatically install them on your
> system. It was my point that debian does not by default provide an
> automated system to _install_ security updates.

Yes, a Debian default install *does* install security updates.

Please read  "Selecting and Installing Software"
http://d-i.alioth.debian.org/manual/en.i386/ch06s03.html#di-system-setup This
step takes place after apt is configured to add external sources and,
as the manual says, "Even when packages are included on the CD-ROM, the
installer may still retrieve them from the mirror if the version available on
the mirror is more recent than the one included on the CD-ROM."

This is not even specific for etch, it has been true for some releases

> So even automatic _reminders_ to install security updates are only
> enabled, if the user either installs gnome (I use kde) or specifically
> knows of and installs the appropriate tool. I have not tried
> exhaustively, but update-manager does not appear to work 'automatically'
> with kde, at least not for myself. It only works, if I start it manually
> and that's even less convenient than a simple 'aptitude update; aptitude
> upgrade'.

GNOME is the *standard* desktop environment in Debian. A default Debian
installations installs both KDE and GNOME but gdm is the default window
manager and when users login they get into a GNOME Desktop by default. So
your "if the user either installs gnome..." conditional is moot.

> Note that I am not saying that I miss this 'automatic security'.
> Conversely, my point was that the user should be educated to know and
> care about security and should not be educated to trust any 'automatic
> security'.

Educating users also involves raising awareness that they *have* to keep
their system up-to-date with security patches both to prevent local and
remote exploits. The fact that KDE (or Xfce) does not have an equivalent to
the update-manager is IMHO, worrisome, as users of that Desktop environment
might not be as aware of this need as users of GNOME.

Update-manager makes a good job at highlighting security updates and
explaining why are they needed. Even if it does not force users to install



Attachment: signature.asc
Description: Digital signature

Reply to: