Re: Security EOL within Debian Stable
On Wed, Feb 4, 2015 at 6:49 PM, Michael Gilbert <mgilbert@debian.org> wrote:
> On Wed, Feb 4, 2015 at 8:09 PM, Stephen Dowdy wrote:
>> So, if a user installs said package, but fails to notice any EOL DSA
>> on it, the package gets left in place in a potentially VULNERABLE
>> state. I.E. if a known exploit comes out, and the package is still
>> installed, the end-user could get a nasty surprise thinking that
>> because they've added security support to apt-sources and regularly
>> update, that they are protected. This is a non-optimal and undesired
>> end-result.
>
> The debian-security-support package somewhat addresses those concerns
> [0], but it is not currently installed by default. There was some
> discussion to make that happen, but it hasn't been followed through.
Ah, that's useful to know, and that would be a reasonable solution.
However, that package depends upon being current and having the ended & limited support DB files updated:
$ check-support-status -V
version 2014.09.07
$ grep chromium /usr/share/debian-security-support/* || echo "Chromium not listed"
Chromium not listed
It's been less than a week since 'chromium' support was EOL'd, so hopefully soon 'debian-security-support' will get that updated info.
To me, that's a satisfactory solution, again, depending upon it being maintained. I'll ensure that our default FAI config includes that package from here out.
(Additionally, a site administrator could, using those DBs, manage package de-installation / deactivation or security-alert wrapper scriptage, even automatically from it.)
>> Note that chromium is in 'main' -- not 'contrib' or ..., so there's a
>> valid expectation that its security support won't just silently stop
>> -- unlike the other FAQ entry that says there's basically no security
>> support for contrib, non-free...
>
> I'm not sure where you get the "silently" concern from, but this topic
> is already discussed in wheezy's release notes [1]. The problem with
> that of course you'll point out is that users often don't read that...
By "silently", I mean that the package would continue to operate w/o warning that it's possibly vulnerable (sans any external info such as checking DSAs or having an updated 'debian-security-support' package and independently running it to identify the problem). I've often injected shell-script wrappers around problematic packages to warn users via dialog/kdialog/simple-message that the package is vulnerable/problematical, etc. -- until the problem's rectified.
Yeah, it's hard to read (and brain-store) multiple hundred-page manuals for all the stuff a sysadmin is responsible for on a regular basis. That's why I appealed to folks like you to set me straight ;)
> Best wishes,
> Mike
>
> [0] https://packages.qa.debian.org/d/debian-security-support.html
> [1] https://www.debian.org/releases/stable/amd64/release-notes/ch-information.en.html#browser-security
Thanks!
--stephen
--
Stephen Dowdy - Systems Administrator - NCAR/RAL
303.497.2869 - sdowdy@ucar.edu - http://www.ral.ucar.edu/~sdowdy/
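The two ideas Stephen raises above (checking the debian-security-support DB files against what is actually installed, and emitting a warning for packages whose support has ended) can be combined into one small check. The script below is an added example for this page, not code from the thread or from the debian-security-support package. It assumes a constructed DB line format of "<package> <last-supported-version> <date> <reference>" with '#' comments, and stands in for the real files under /usr/share/debian-security-support/ and for the output of dpkg-query with constructed sample data embedded inline; the example reference URLs are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): flag installed packages that appear in a
# debian-security-support style "support ended" list.
# ASSUMED/constructed DB format: "<package> <last-version> <date> <reference>",
# lines starting with '#' are comments. Real DB files live under
# /usr/share/debian-security-support/ and may differ in layout.

EOL_LIST="${TMPDIR:-/tmp}/eol-list.$$"
INSTALLED="${TMPDIR:-/tmp}/installed.$$"
trap 'rm -f "$EOL_LIST" "$INSTALLED"' EXIT

# Constructed sample EOL list: two packages, only one of which is installed.
cat > "$EOL_LIST" <<'EOF'
# package  last-supported-version  date        reference
chromium   37.0.2062.120-1~deb7u1  2015-01-27  https://example.invalid/dsa-placeholder
oldlib     1.0-1                   2014-06-01  https://example.invalid/dsa-placeholder
EOF

# Constructed stand-in for the real query:
#   dpkg-query -W -f='${Package} ${Status}\n'
# A currently installed package has the status "install ok installed".
cat > "$INSTALLED" <<'EOF'
chromium install ok installed
bash install ok installed
oldlib deinstall ok config-files
EOF

# eol_installed EOLFILE INSTALLEDFILE
# Prints "<package> <reference>" for every package that is both listed as
# EOL and currently installed. Comment lines in the EOL file are skipped.
eol_installed() {
    awk 'NR == FNR {
             if ($0 !~ /^[[:space:]]*#/ && NF >= 4) ref[$1] = $4
             next
         }
         $2 == "install" && $4 == "installed" && ($1 in ref) {
             print $1, ref[$1]
         }' "$1" "$2"
}

# warn_eol EOLFILE INSTALLEDFILE
# Wraps eol_installed in a message suitable for a login script or a package
# wrapper (the dialog/kdialog variants would call the same function).
warn_eol() {
    eol_installed "$1" "$2" | while read -r pkg ref; do
        printf 'WARNING: %s no longer receives security updates (see %s)\n' "$pkg" "$ref"
    done
}

warn_eol "$EOL_LIST" "$INSTALLED"
```

On a real system the constructed INSTALLED file would be replaced by the dpkg-query line shown in the comment, and EOL_LIST by the relevant security-support-ended file for the release; the comparison logic does not change. The check is only as good as the DB file's freshness, which is exactly the dependency noted above.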