
Re: Concerns about Security of packages in Debian OS and the Operating system itself.



Hi Paul,

On 25/05/2022 02:10, Paul Wise wrote:

> bullseye-updates: receives occasional time-sensitive and important
> updates, such as updates to the timezone database, which often happen
> just days before the timezone changes, or fixes for packages that get
> completely broken by some external services on the Internet, or fixes
> for packages that were initially broken but that wasn't found.

Everything you described here is not important for the OP, who wants to reduce
his attack surface in the malicious-developer attack scenario.
And I argue it is not important for a typical security-conscious home user either.

> There
> are only three updates in it currently, two of them are updates to the
> timezone database and one is clamav, which sometimes needs updates so
> it can continue to pull in antivirus detections.

All of them will land in the "bullseye" repository at the point release. Correct?

My system will learn about timezone changes in (for example) Barbados,
Seychelles or elsewhere when the time comes for a point release. I don't need
it now; I don't live there.
The same goes when the user does not use ClamAV: no need for antivirus definitions.
And on the very rare occasion when software in Stable
suddenly breaks due to server-side updates of some service, the user can
always stop, think and investigate. No need to keep bullseye-updates
enabled 24/7/365 and never use it (if we exclude timezone updates and
antivirus definitions, there is nothing really urging users to enable
this repository). This would be widening the exposure surface without any
real benefit.
A situation like this happened recently: Telegram cut off old client
versions on the server side, and Telegram in bullseye stopped working. Soon after,
the maintainer dropped a new Telegram into bullseye-backports, so people could
upgrade in a controlled fashion. Please notice that having
bullseye-updates enabled would not have helped in this example.


> https://deb.debian.org/debian/dists/bullseye-updates/main/source/Sources.xz

> bullseye-proposed-updates: the contents of the next point release;
> some changes come from bullseye-security, some from bullseye-updates
> and some from package maintainers.

That's Stable's "beta testing" for sure. I didn't mention that to the
OP; I don't use it myself.

> https://release.debian.org/proposed-updates/stable.html



--
With kindest regards, Piotr.

⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ Debian - The universal operating system
⢿⡄⠘⠷⠚⠋⠀ https://www.debian.org/
⠈⠳⣄⠀⠀⠀⠀
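As an added example (not from this thread and not Debian's own tooling), the following POSIX shell script audits an apt sources.list along the lines Piotr argues for above: bullseye and bullseye-security form the baseline, while bullseye-updates, bullseye-proposed-updates and bullseye-backports are reported as opt-in suites, and any suite left commented out is listed separately so it can be re-enabled on demand when the user has stopped, thought and investigated. The two sources.list files it writes are constructed samples, not real system files, and the baseline choice is the message's argument, not Debian policy.

```shell
#!/bin/sh
# Added example, not from the thread or from Debian: audit an apt sources
# list for the bullseye suites it enables. Suites the message argues against
# keeping enabled around the clock are flagged OPT-IN; suites that are
# present but commented out are listed so they can be re-enabled on demand.
# The two files below are constructed samples.

WORK=$(mktemp -d)

# Constructed sample: the minimal list the message recommends for a home user.
MINIMAL="$WORK/sources.list.minimal"
cat > "$MINIMAL" <<'EOF'
deb https://deb.debian.org/debian bullseye main
deb https://deb.debian.org/debian-security bullseye-security main
# kept available, enabled only when a specific update is needed:
# deb https://deb.debian.org/debian bullseye-updates main
# deb https://deb.debian.org/debian bullseye-backports main
EOF

# Constructed sample: an "everything on" list, including proposed-updates.
WIDE="$WORK/sources.list.wide"
cat > "$WIDE" <<'EOF'
deb https://deb.debian.org/debian bullseye main contrib
deb-src https://deb.debian.org/debian bullseye main
deb https://deb.debian.org/debian-security bullseye-security main
deb https://deb.debian.org/debian bullseye-updates main
deb https://deb.debian.org/debian bullseye-proposed-updates main
EOF

# suites FILE MODE
#   MODE=enabled  -> suites on active "deb"/"deb-src" lines
#   MODE=disabled -> suites on commented-out "deb"/"deb-src" lines
# Field 3 of "deb URL SUITE COMPONENTS..." is the suite; one per line, unique.
suites() {
    case "$2" in
        enabled)  pat='^[[:space:]]*deb(-src)?[[:space:]]' ;;
        disabled) pat='^[[:space:]]*#[[:space:]]*deb(-src)?[[:space:]]' ;;
        *)        return 2 ;;
    esac
    grep -E "$pat" "$1" | sed 's/^[[:space:]]*#[[:space:]]*//' \
        | awk '{print $3}' | sort -u
}

# audit FILE
# Prints "OK: FILE" and returns 0 when only bullseye and bullseye-security
# are enabled. Otherwise prints one "OPT-IN: <suite>" (or "UNKNOWN: <suite>")
# line per extra suite and returns 1.
audit() {
    rc=0
    for s in $(suites "$1" enabled); do
        case "$s" in
            bullseye|bullseye-security) ;;          # baseline: stable + security fixes
            bullseye-updates|bullseye-proposed-updates|bullseye-backports)
                echo "OPT-IN: $s"; rc=1 ;;
            *)  echo "UNKNOWN: $s"; rc=1 ;;
        esac
    done
    [ "$rc" -eq 0 ] && echo "OK: $1"
    return "$rc"
}

# Stand-alone run: the minimal list passes, the wide list is flagged.
audit "$MINIMAL"
echo "commented out in $MINIMAL: $(suites "$MINIMAL" disabled | tr '\n' ' ')"
audit "$WIDE" || true
```

On a real system the same functions can be pointed at /etc/apt/sources.list (and each file under /etc/apt/sources.list.d/ in one-line-style format); the audit only reads the file, so it is safe to run before deciding which commented-out line to switch on for a specific update and switch off again afterwards.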

