Re: Should we be alarmed at our state of security support?

To: debian-security@lists.debian.org
Subject: Re: Should we be alarmed at our state of security support?
From: John Goerzen <jgoerzen@complete.org>
Date: Thu, 19 Feb 2015 10:40:20 -0600
Message-id: <[🔎] 54E611F4.3060609@complete.org>
In-reply-to: <[🔎] a6179694-b841-11e4-8442-00163eeb5320@msgid.mathom.us>
References: <[🔎] 54E49DA6.7050306@complete.org> <[🔎] CANTw=MOTHu8uHQcW75aGy110Sxm8c5JJpezNbeSuGSmYtQUrPw@mail.gmail.com> <[🔎] 54E5E539.2010906@complete.org> <[🔎] a6179694-b841-11e4-8442-00163eeb5320@msgid.mathom.us>

On 02/19/2015 08:24 AM, Michael Stone wrote:
> On Thu, Feb 19, 2015 at 07:29:29AM -0600, John Goerzen wrote:
>> However, part of what I was trying to figure out here is: do we have a
>> lot of unpatched vulnerabilities in our archive?
>
> Yes. Every system (not just debian) has unpatched vulnerabilities. In
> some cases those vulnerabilities are known, and in some cases those
> vulnerabilities are unknown. Fixing all of the vulnerabilities in
> general purpose software is effectively impossible. So the real
> question is, are there unfixed vulnerabilities worth fixing? The
> answer to that depends on the level of risk one is willing to take,
> and may include patching only vulnerabilities that are likely to be
> exploited, applying all potentially security-related patches, or
> intensively auditing the code and trying to fix all vulnerabilities.
> The question is made more difficult by the fact that applying patches
> can introduce new vulnerabilities--so fixing all low-risk
> vulnerabilities could potentially make things worse rather than better.
So, let's put aside the vulnerabilities that are unknown for the
purposes of this discussion.

Right now, the security tracker has, apparently, three status for each
version of Debian:

not vulnerable
vulnerable
fixed

What if we add a fourth:

not worth fixing

This could more clearly communicate what is being said by the "no DSA"
comments, as well as allow debsecan to be improved with this sort of
information.  What do you think?

>
> There are no good answers, and the better answers all require a great
> deal of effort. Debian may be able to do a better job of communicating
> why certain bugs are prioritized over others, but what really should
> matter to you is whether the assumptions used to prioritize each bug
> are valid for your particular environment. (That is, you need to
> review each bug at length.) For most people that level of effort isn't
> justified, and they are content to accept whatever is prioritized by
> their vendor. If there are specific cases where you think that the
> debian made the wrong call, it's reasonable to bring those up for
> discussion--people do make mistakes. But do understand that we will
> never get to zero bugs.

Understood.  I am just looking, then, for the security-tracker to
reflect this reality in a way that can be automatically understood by
tools like debsecan and more clearly communicated to users.

John

>
> Mike Stone
>
>

Reply to:

Follow-Ups:
- Re: Should we be alarmed at our state of security support?
  - From: Paul Wise <pabs@debian.org>

References:
- Should we be alarmed at our state of security support?
  - From: John Goerzen <jgoerzen@complete.org>
- Re: Should we be alarmed at our state of security support?
  - From: Michael Gilbert <mgilbert@debian.org>
- Re: Should we be alarmed at our state of security support?
  - From: John Goerzen <jgoerzen@complete.org>
- Re: Should we be alarmed at our state of security support?
  - From: Michael Stone <mstone@debian.org>

Prev by Date: Re: Should we be alarmed at our state of security support?
Next by Date: Re: Should we be alarmed at our state of security support?
Previous by thread: Re: Should we be alarmed at our state of security support?
Next by thread: Re: Should we be alarmed at our state of security support?
Index(es):
- Date
- Thread