
Re: Security EOL within Debian Stable

On Wed, Feb 4, 2015 at 8:09 PM, Stephen Dowdy wrote:
> So, if a user installs said package, but fails to notice any EOL DSA
> on it, the package gets left in place in a potentially VULNERABLE
> state.  I.E. if a known exploit comes out, and the package is still
> installed, the end-user could get a nasty surprise thinking that
> because they've added security support to apt-sources and regularly
> update, that they are protected.   This is a non-optimal and undesired
> end-result.

The debian-security-support package somewhat addresses those concerns
[0], but it is not currently installed by default.  There was some
discussion to make that happen, but it hasn't been followed through.

> Note that chromium is in 'main' -- not 'contrib' or ..., so there's a
> valid expectation that its security support won't just silently stop
> -- unlike the other FAQ entry that says there's basically no security
> support or contrib, non-free..

I'm not sure where you get the "silently" concern from, but this topic
is already discussed in wheezy's release notes [1].  The problem with
that, of course, you'll point out, is that users often don't read that...

Best wishes,

[0] https://packages.qa.debian.org/d/debian-security-support.html
[1] https://www.debian.org/releases/stable/amd64/release-notes/ch-information.en.html#browser-security
