Re: Should we be alarmed at our state of security support?



On Thu, February 19, 2015 14:29, John Goerzen wrote:
> But how else is someone going to learn that when security-tracker says
> "vulnerable", in hundreds of instances, that may be wrong, other than by
> asking?  I didn't find this documented anywhere.

I think where your misunderstanding originates is that "vulnerable" is not
the black-and-white concept you seem to assume it to be. You actually need
to read the issue to understand what "vulnerable" means in the very
specific context of that issue.

See the security tracker as a bug tracker. Debian has thousands of open
bugs in the BTS but is still not a broken system. This is because not
every bug renders Debian unusable; similarly far from every unpatched CVE
makes your Debian system insecure. That's why there are already nuances in
there like "no-dsa".

Also you should realise that the security tracker is primarily a tool
aimed at people working on security in Debian. It would be nice if it
would be more suited for end user consumption as well so it confuses a
regular user less over what "vulnerable" can and cannot mean, and steps
have been made in that direction. Contributions to improve how we
display issues that would come closer to this goal without harming the
security team's work are most certainly welcome.

Nonetheless, there are quite some challenges in this that you'd need to
tackle. For one, a desktop system A has a completely different threat
model than server system B, than server system C, and than server system
D. I'm really not sure how we could ever represent that nuance; in the end
you'd still need to read the issue and judge how it affects your very
specific setup. But your ideas for improvement are certainly welcome.


Cheers,
Thijs
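The point above, that the tracker's per-release fields carry nuances such as "no-dsa" and urgency that a flat "vulnerable" label hides, can be made concrete with a small triage script. This is an added example and not part of the message or of the security tracker's own tooling. It assumes the shape of the tracker's JSON export (source package -> CVE id -> "releases" -> release name -> "status"/"urgency"/"nodsa"); that layout is an assumption here, and the package name and CVE ids in the sample are constructed placeholders.

```python
import json
from collections import defaultdict

# Constructed sample in the assumed layout of the Debian security tracker's
# JSON export (https://security-tracker.debian.org/tracker/data/json).
# Package name and CVE ids are placeholders, not real issues.
SAMPLE_TRACKER_JSON = json.dumps({
    "examplepkg": {
        "CVE-0000-0001": {
            "description": "placeholder: remotely triggerable bug in parser",
            "scope": "remote",
            "releases": {
                "stable": {"status": "open", "urgency": "high"},
                "testing": {"status": "resolved", "fixed_version": "1.2-3",
                            "urgency": "high"},
            },
        },
        "CVE-0000-0002": {
            "description": "placeholder: crash on a crafted local file",
            "scope": "local",
            "releases": {
                "stable": {"status": "open", "urgency": "unimportant",
                           "nodsa": "Minor issue"},
            },
        },
        "CVE-0000-0003": {
            "description": "placeholder: already fixed",
            "releases": {
                "stable": {"status": "resolved", "fixed_version": "1.0-1",
                           "urgency": "low"},
            },
        },
        "CVE-0000-0004": {
            "description": "placeholder: impact not yet assessed",
            "releases": {
                "stable": {"status": "undetermined"},
            },
        },
    },
})


def triage(tracker_json, release, installed_packages):
    """Sort the tracked issues for `release` into buckets that follow the
    tracker's own annotations instead of a single 'vulnerable' flag.

    Buckets:
      open_needs_attention        -- open, and the team has not marked it minor
      open_no_dsa_or_unimportant  -- open but flagged no-dsa or urgency unimportant
      needs_review                -- status undetermined; read the issue
      fixed                       -- resolved in this release
    """
    data = json.loads(tracker_json)
    buckets = defaultdict(list)
    for pkg in installed_packages:
        for cve, issue in data.get(pkg, {}).items():
            rel = issue.get("releases", {}).get(release)
            if rel is None:
                continue  # issue is not tracked for this release at all
            status = rel.get("status")
            if status == "resolved":
                buckets["fixed"].append(cve)
            elif status == "undetermined":
                buckets["needs_review"].append(cve)
            elif status == "open":
                # The no-dsa marker and 'unimportant' urgency are the nuances
                # the message refers to: open, but not treated as a real
                # exposure for a typical system.
                if "nodsa" in rel or rel.get("urgency") == "unimportant":
                    buckets["open_no_dsa_or_unimportant"].append(cve)
                else:
                    buckets["open_needs_attention"].append(cve)
    return {name: sorted(cves) for name, cves in buckets.items()}


if __name__ == "__main__":
    result = triage(SAMPLE_TRACKER_JSON, "stable", ["examplepkg"])
    for bucket, cves in sorted(result.items()):
        print(f"{bucket}: {', '.join(cves)}")
```

Even the "open_needs_attention" bucket is only a starting point: as the message says, whether an open issue matters for a given machine still depends on reading it against that machine's own threat model.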
