
Re: [SECURITY] [DSA 3547-1] imagemagick security update



On Wed, Apr 13, 2016, at 02:32, Peter Palfrader wrote:
> On Tue, 12 Apr 2016, Michael Stone wrote:
> 
> > On Tue, Apr 12, 2016 at 08:56:35PM -0300, Henrique de Moraes Holschuh wrote:
> > >Then, maybe we should consider a better way to deal with areas where you
> > >get only one choice out of geoip?
> > 
> > Reach out to the relevant team outlining your issues (e.g., lack of IPv6
> > connectivity)? Advising people to hard code security mirrors isn't the right
> > solution.
> 
> There's also nothing inherently wrong with just having a single address
> in an RRSet.

It means a single point of failure for that region: e.g. if the mirror
is stale, everything in that region will hit the same stale mirror, be
they users using apt, or "unrecommended" leaf mirrors of
debian-security.  This makes it harder for a user to work around the
breakage (they would need to use an unofficial security mirror from a
different region as the backup source for security updates).

Well, it is not a common issue, and it will be even less common if
someone manages to implement the staleness check.

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique de Moraes Holschuh <hmh@debian.org>

