Re: Gaps in security coverage?
On 06/11/2018 02:34, Paul Wise wrote:
On Mon, Nov 5, 2018 at 10:29 PM John Goerzen wrote:
So I recently started running debsecan on one of my boxes. It's a
fairly barebones server install, uses unattended-upgrades and is fully
up-to-date. I expected a clean bill of health, but didn't get that. I
got pages and pages and pages of output. Some of it (especially kernel
related) I believe may be false positives, but not all. Some of it
simply isn't patched yet.
That has been the normal state of things since I started running
debsecan many many years ago.
I'm not a security expert, but:
* security bugs are found daily
* security bugs are found also by people that don't work on the project
and upstream can consider these bugs in different way: lower security
bug; no security bug; no bug at all; ...
* a software without security bugs (or fewer) is not intricately more
secure than one with a lot of security bugs... the first one can be not
checked for security bugs...
* a security bug of a software that you are using can also not impact
you, that depend on how you use that software and the system/network on
which it is installed