
Re: root compromise on debian woody



On Thu, May 26, 2005 at 07:55:50PM -0700, Alvin Oga wrote:
> 
> On Thu, 26 May 2005, Roberto C. Sanchez wrote:
> 
> > On Thu, May 26, 2005 at 06:41:18PM -0700, Alvin Oga wrote:
> > > 
> > > > > CAN-2005-1263 [Linux kernel ELF core dump privilege escalation]
> > > > >         - kernel-source-2.6.11 2.6.11 2.6.11-4
> > > > >         - kernel-source-2.6.8 2.6.8-16
> > > > >         - kernel-source-2.4.27 2.4.27-10
> > > 
> > > always use the latest kernel ... from kernel.org ...
> > > 
> > > and similarly with other important binaries from their
> > > respective originating site
> > > 	mta, apache, kernel, glib, make/gcc, bash, endless list
> > > 
> > 
> > Sorry, but that is horrible advice.  For every app you get directly from
> > upstream, you become directly responsible for supporting security
> > issues.  I understand that even if you use the Debian packages, you are
> > still ultimately responsible.  Not only that, but the Debian Security
> > Team does an excellent job given the resources and situation.  Woody has
> > versions of software that were no longer supported upstream when Woody
> > shipped.  That makes security support really difficult, but that doesn't
> > mean that someone should run out and install everything from source.
> > That sort of defeats the purpose of a distro.
> 
> sounds like all the same identical arguments can also be used for using
> the originating sources instead of *.deb  and the lag time between
> patches is up to the debian security team or *you/me* ... 
> 
> one's preference to depend on *.debs should NOT make it better or worse
> than using *.tgz files released from the original sources
> 
> i prefer to have tighter and finer controls than depend on old packages

I agree. None of the packages in Woody are up to date unless you count
up-to-dateness as "within five years of the last released version."

I can tolerate the Debian environment, but when they can't decide whether or
not to actually release Sarge, and keep touting Woody as "stable" when even
a fully-updated Woody still has a crappy kernel* ... I start thinking about
de-racking my server, backing it up, and going BSD.

*: Linux LOVES to swap. I swap all the time on my 1.8 GHz Athlon XP with 1 GB
of RAM. However, my NetBSD machine with the same amount of RAM running at the
same frequency NEVER swaps, due to the ability to tune the VM, and the
better VM (UVM) in general. The NetBSD server almost always has at least
twice if not three times as much going on (+ KDE 3.4) as the Linux machine.
Yet it still never swaps or lags. Wish I could say that for Debian Woody, but I
can't.
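Whichever side of the upstream-versus-distro argument one takes, the practical question raised by the quoted CAN-2005-1263 lines is whether an installed kernel-source package is at or above the version the advisory lists as fixed. The check below is an added example, not code from this thread or from Debian; it reimplements dpkg's version-comparison rules in Python (epoch, upstream part, Debian revision, with the "~" sorts-first rule) and compares installed versions against a table built from the fixed versions quoted above (the last token on each advisory line). The dpkg-query output it parses is constructed sample data, not from any real host.

```python
import re

# Fixed versions as listed in the quoted CAN-2005-1263 advisory lines
# (last token of each line taken as the fixed Debian package version).
FIXED_VERSIONS = {
    "kernel-source-2.6.11": "2.6.11-4",
    "kernel-source-2.6.8": "2.6.8-16",
    "kernel-source-2.4.27": "2.4.27-10",
}


def _order(ch):
    """Sort weight of one non-digit character, following dpkg's rules:
    '~' sorts before everything (even end of string), letters before
    non-letters; end of string is treated as weight 0 by the caller."""
    if ch == "~":
        return -1
    if ch.isalpha():
        return ord(ch)
    return ord(ch) + 256


def _cmp_fragment(a, b):
    """Compare two version fragments (upstream part or Debian revision)
    by alternating non-digit and digit runs, as dpkg does."""
    while a or b:
        na = re.match(r"\D*", a).group()
        nb = re.match(r"\D*", b).group()
        a, b = a[len(na):], b[len(nb):]
        for i in range(max(len(na), len(nb))):
            wa = _order(na[i]) if i < len(na) else 0
            wb = _order(nb[i]) if i < len(nb) else 0
            if wa != wb:
                return -1 if wa < wb else 1
        da = re.match(r"\d*", a).group()
        db = re.match(r"\d*", b).group()
        a, b = a[len(da):], b[len(db):]
        ia, ib = int(da or 0), int(db or 0)
        if ia != ib:
            return -1 if ia < ib else 1
    return 0


def parse_version(v):
    """Split 'epoch:upstream-revision' into its three parts."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    if "-" in v:
        upstream, revision = v.rsplit("-", 1)
    else:
        upstream, revision = v, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 as a is older than, equal to, or newer than b."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    c = _cmp_fragment(ua, ub)
    if c:
        return c
    return _cmp_fragment(ra, rb)


def unpatched_packages(dpkg_output, fixed=FIXED_VERSIONS):
    """Given lines of 'package version' (the shape printed by
    dpkg-query -W), return the packages from the advisory table that
    are installed at a version below the fixed one."""
    flagged = []
    for line in dpkg_output.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        pkg, ver = parts
        if pkg in fixed and compare_versions(ver, fixed[pkg]) < 0:
            flagged.append(pkg)
    return flagged


# Constructed sample output; not taken from any real host.
SAMPLE_DPKG_OUTPUT = """\
kernel-source-2.4.27 2.4.27-9
kernel-source-2.6.8 2.6.8-16
"""

if __name__ == "__main__":
    print(unpatched_packages(SAMPLE_DPKG_OUTPUT))  # ['kernel-source-2.4.27']
```

On a real Woody host the same table could be fed from `dpkg-query -W -f='${Package} ${Version}\n'`; the point of reimplementing the comparison rather than string-comparing is that `2.4.27-9` must sort below `2.4.27-10`, and `~` pre-release suffixes must sort below the release they precede.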
