
Re: Debian 2.2 and security - SecurityPortal article



On Thu, Aug 31, 2000 at 12:37:46AM -0700, Joey Hess wrote:
> 
> That is *not* why we backport security holes. 
> 
> Let's look at apache. A security hole is discovered in apache. Debian has a
> current version (1.3.9) in it already. The apache team releases 1.3.10, with
> a fix for the security hole. And 70 other, unrelated, changes.
> 
> Now, is it safer to backport the fix to 1.3.9, or to just shove all those
> changes into frozen? You wanted us to release *when*?
> 
> BTW, this is a real life example.
> 

Don't think that I'm your enemy. I just know that many people don't know about
things more or less specific to Debian (like changelogs etc.) and don't have the
time and energy to check packages and their changelogs and so on. They just see
things like "Debian has version 1.3.9 of apache and the secure version is 1.3.10
and up, so Debian isn't secure". As you can say, it's also a real-life example.
Maybe they should be much more sceptical when they write articles like this, but
many people think like this without expressing it on paper or a web page.

I fully understand why Debian package maintainers backport security fixes to
packages in frozen instead of making new package versions. But, like we say in
Poland, every stick has two ends (a sling has even 3 ;-) ).

> 
> Debian publishes security advisories for a reason. Debian has a security
> website for a reason. Debian packages have changelogs for a reason. It's not
> as if this information is hard to find.
> 

Yes, but as you see, for many "normal" users it's too much work to check
everything. They just take a fresh distribution and say "What? A fresh dist
with old packages, even ones with security holes? What's going on?". Not so
many think like "It's Debian, so it's 100% secure". I think it should be solved
in some way, but I don't know how :-(

-- 
__________________
Leszek Gerwatowski
BigL@tpi.pl