
Re: Debian 2.2 and security - SecurityPortal article



On Thu, 31 Aug 2000, Leszek Gerwatowski wrote:
> things like "Debian has version 1.3.9 of apache and the secure version is 1.3.10
> and up, so Debian isn't secure". As you can see, it's also a real-life example.
> Maybe they should be much more sceptical when they write articles like this, but
> many people think like this without expressing it on paper or a webpage.

And we should care about this? Why?  The most we could do for them is to
have a "please remember that Debian backports security fixes" written on
the Debian security page (which might be a good idea, come to think of it, as
it's properly heavy ammo to shoot at the heads of people who can't read
changelogs), but IMHO a lot of users would never get that far (one hyperlink
away from Debian's front page) to read it...

Debian is _not_ supposed to babysit anyone. If they don't know enough to do
it properly, it's their loss AND their fault, as long as it's not our doing
that they couldn't find the information they needed, of course. 

We are not supposed to make stuff difficult on purpose, and I think it's a
laudable goal to make the distro easier to use and install for everyone, but
everything has a limit. Destroying frozen/stable's stability, or making a
(worse ;-) ) mess of the version numbering is way beyond it.

> I fully understand why Debian package maintainers backport security fixes to
> packages in frozen instead of making new package versions. But, like we say in
> Poland, every stick has two ends (a sling has even 3 ;-) ).

Yes, we just have to make sure we will continue to hold the stick by the
right end... which is exactly what we're doing right now, mind you ;-)

> > website for a reason. Debian packages have changelogs for a reason. It's not
> > as if this information is hard to find.
> 
> Yes but, as you see, for many "normal" users it's too much work to be done to
> check everything. They just take a fresh distribution and say "What? Fresh dist

I'd argue that these users are a lot of trouble we don't need to overly concern
ourselves with most of the time. Leave that to Corel and other people who are
paid to spend a lot of their time babysitting them. BTW, I know quite a few
people who are very dear to me AND who would qualify perfectly as one of
your "normal" users, and I know very well the amount of work it takes to
keep them going and why I do it :-)

(Disclaimer: the above paragraph is only valid until someone gets into
Debian's policy that our goal is to take over the world)

> with old packages, even such with security holes? What's going on?". Not so
> many think like "It's Debian so it's 100% secure". I think it should be solved
> in some way, but I don't know how :-(

The right way, which benefits the world as a whole, is to get these people
to move their behinds and learn to READ docs/look for their own answers
before they even think of disturbing anyone else in their laziness. It's
perfectly alright to ask for help if you can't do something, but not because
you didn't even try!

BTW, Debian is not 100% secure (this is not possible), and you should NEVER
trust that far on security: we _need_ the peer review of people who don't
trust the job to have been done right.

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh

Attachment: pgpwalFIvmskL.pgp
Description: PGP signature
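The point argued in this thread, that a Debian package at upstream version 1.3.9 can carry the fix that upstream shipped in 1.3.10 because the fix was backported and only the Debian revision moved, is exactly what a version-number-only scanner gets wrong. The following Python is an added example, not code from the thread or from Debian: it implements dpkg's version ordering (so "1.3.9-13" is correctly ranked above "1.3.9-9" and below "1.3.10-1") and reads a debian/changelog to see whether an entry at or below the installed version mentions the fix. The changelog text, maintainer address and entry wording are constructed for the example; the only thing taken from the thread is that frozen shipped apache 1.3.9 while upstream's fix was in 1.3.10.

```python
# Added example: dpkg-style version comparison plus a changelog check, to show
# why "upstream 1.3.9 < 1.3.10, therefore vulnerable" is the wrong test for a
# Debian package whose security fix was backported into a new Debian revision.
import re


def _order(c):
    """Sort weight of one character in a non-digit run, as dpkg's order() does."""
    if c.isdigit():
        return 0
    if c == "~":
        return -1            # '~' sorts before everything, even end of string
    if c.isalpha():
        return ord(c)
    return ord(c) + 256      # other punctuation sorts after letters


def _cmp_fragment(a, b):
    """Compare two upstream or revision strings like dpkg's verrevcmp(): -1/0/1."""
    i = j = 0
    while i < len(a) or j < len(b):
        # non-digit run: character by character with dpkg's ordering
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return -1 if ac < bc else 1
            i += 1
            j += 1
        # digit run: numeric comparison, leading zeros ignored
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        first_diff = 0
        while i < len(a) and j < len(b) and a[i].isdigit() and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1         # a has more digits, so it is numerically larger
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return -1 if first_diff < 0 else 1
    return 0


def split_version(v):
    """'[epoch:]upstream[-revision]' -> (epoch, upstream, revision)."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    upstream, _, revision = v.rpartition("-")
    if not upstream:         # no hyphen: rpartition put everything in 'revision'
        upstream, revision = revision, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 with the same ordering as dpkg --compare-versions."""
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)


_HEADER = re.compile(r"^(\S+) \(([^)]+)\) ([^;]+); (.*)$")
_TRAILER = re.compile(r"^ -- .+  .+$")


def parse_changelog(text):
    """Return [(version, body), ...] for each entry of a debian/changelog, newest first."""
    entries, version, body = [], None, []
    for line in text.splitlines():
        m = _HEADER.match(line)
        if m:
            version, body = m.group(2), []
        elif version is not None and _TRAILER.match(line):
            entries.append((version, "\n".join(body).strip()))
            version, body = None, []
        elif version is not None:
            body.append(line)
    return entries


def naive_verdict(installed, first_fixed_upstream):
    """What a version-number-only scanner concludes: it never looks at the Debian revision."""
    _, upstream, _ = split_version(installed)
    return "vulnerable" if _cmp_fragment(upstream, first_fixed_upstream) < 0 else "fixed"


def changelog_verdict(installed, changelog_text, marker):
    """'fixed' if an entry at or below the installed version mentions the marker text."""
    for version, body in parse_changelog(changelog_text):
        if compare_versions(version, installed) <= 0 and marker.lower() in body.lower():
            return "fixed"
    return "vulnerable"


# CONSTRUCTED changelog for this example; the entries and maintainer are made up.
CHANGELOG = """\
apache (1.3.9-13) frozen unstable; urgency=high

  * Backport the security fix from upstream 1.3.10 (upstream stays 1.3.9;
    only the Debian revision moves).

 -- A. Maintainer <maintainer@example.invalid>  Thu, 31 Aug 2000 12:00:00 +0200

apache (1.3.9-12) frozen unstable; urgency=low

  * Packaging cleanups.

 -- A. Maintainer <maintainer@example.invalid>  Mon, 14 Aug 2000 09:00:00 +0200
"""

if __name__ == "__main__":
    print("naive:    ", naive_verdict("1.3.9-13", "1.3.10"))                      # vulnerable
    print("changelog:", changelog_verdict("1.3.9-13", CHANGELOG, "security fix"))  # fixed
```

On a real system the installed version comes from `dpkg-query -W -f='${Version}' apache` and the changelog from `/usr/share/doc/apache/changelog.Debian.gz`; the marker to search for is whatever the maintainer wrote in the entry, which is why reading the changelog, rather than grepping it blindly, is the step the thread is asking users to take.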