Handling of "malware" in Debian

To: debian-security@lists.debian.org
Subject: Handling of "malware" in Debian
From: "W. Martin Borgert" <debacle@debian.org>
Date: Wed, 09 Nov 2016 15:54:37 +0100
Message-id: <[🔎] 20161109155437.Horde.eprjmDJR0QzO7xRXJwsDHD4@webmail.in-berlin.de>

Hi,

because of the WOT[*] incident, I wonder how Debian should handle
malware packages in favour of our users.

The current scheme is to remove the offending package from stable and
go along. With unattended-upgrades or other automatic upgrade schemes,
such packages would remain on many systems and potentially harm users.

I suggest to handle such cases differently by uploading a new, empty
package (like transitional packages, but without new depends).

What do you think?

Cheers

[*] https://bugs.debian.org/842939

Reply to:

Follow-Ups:
- Re: Handling of "malware" in Debian
  - From: Paul Wise <pabs@debian.org>

Prev by Date: Re: vulnerability in 8.6
Next by Date: Re: Handling of "malware" in Debian
Previous by thread: Re: vulnerability in 8.6
Next by thread: Re: Handling of "malware" in Debian
Index(es):
- Date
- Thread