Re: debian.org/security is wrong to say what it does



On Sun, Dec 26, 2021 at 09:36:47PM +0100, maxwillb wrote:
> December 26, 2021 1:25:30 PM CET "Andrew M.A. Cater" <amacater@einval.com> wrote:
> 
> > but that doesn't mean that everything marked as vulnerable is still at risk.
> 

Hi maxwillb

I've tried to explain what I understand by the security tracker.

The security tracker is based on sid / Debian unstable and if it is fixed
in Sid, it's marked as such and others are automatically marked as vulnerable.
That doesn't mean to say that each distribution point marked as vulnerable
remains vulnerable throughout the life of the distribution: maintainers
are constantly fixing stuff.

> I couldn't understand what you meant, and figured you were referring to some extra hardening done by Debian. Did some googling, and apparently, it's the opposite. Debian disables Chromium's own hardening?
> 
> https://www.whonix.org/wiki/Dev/Chromium#Chromium_Debian_Package_Security

Whonix is itself based on Debian. Each distribution does its own thing.

If you are not sure about what is patched or why, the maintainers can
probably tell you. Just reading the patch sets very quickly, there are
bits that don't need to be included. If the only "official" build of
Chromium comes from Google/Alphabet, then it's not for Debian to set that,
for example, and Debian doesn't build for Android.

> 
> """
> Thus, the Debian Chromium has substantially worsened
> security than an official version. However, despite this,
> it may still be more secure than Firefox (Firefox never
> had many of the disabled mitigations in the first place).
> """
> 
> > If you're unhappy with data presentation, feel free to contact the security team
> 
> Am I the only one unhappy with it? Are you happy with it?
> 

I'm not particularly unhappy with it and not as upset as you appear to be.
I hang around here to try and help users: I publish the monthly FAQ
but I'm not necessarily authoritative and my opinions can always be very
wrong.

I think I've probably said enough on this topic: I'd hoped to be more clear
but it's obvious to me that it is probably not productive for me to labour
the point further. Happy to help where I can, however.

With every good wish, as ever,

Andy Cater

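The tracker behaviour described in the message above (an issue is marked fixed in sid, and the other suites are marked vulnerable until their own fix lands) means that the useful check on a given machine is not the suite's status flag but whether the installed package version is older than the fixed_version the tracker records for that suite. The following is an added example, not code from the original post and not Debian's own tracker code: it implements dpkg's version ordering in Python and applies it to a constructed tracker-style document. The JSON shape is an assumption modelled on the tracker's public export (package -> CVE id -> releases -> suite -> status/fixed_version); the CVE ids and version numbers are placeholders, not real chromium issues.

```python
import json


def _char_order(c):
    """dpkg ordering for the non-digit parts of a version string: '~' sorts
    before everything (even end of string), end of string sorts before
    letters, and letters sort before every other character."""
    if c == "~":
        return -1
    if c == "":
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_fragment(a, b):
    """Compare two upstream_version or debian_revision strings the way dpkg
    does: alternate non-digit runs (character by character, using
    _char_order) and digit runs (compared numerically)."""
    i = j = 0
    while i < len(a) or j < len(b):
        # non-digit run: walk both strings until each hits a digit or its end
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ca = a[i] if i < len(a) and not a[i].isdigit() else ""
            cb = b[j] if j < len(b) and not b[j].isdigit() else ""
            oa, ob = _char_order(ca), _char_order(cb)
            if oa != ob:
                return -1 if oa < ob else 1
            if ca:
                i += 1
            if cb:
                j += 1
        # digit run: compare as integers, so 1.10 is newer than 1.9
        start = i
        while i < len(a) and a[i].isdigit():
            i += 1
        na = int(a[start:i] or "0")
        start = j
        while j < len(b) and b[j].isdigit():
            j += 1
        nb = int(b[start:j] or "0")
        if na != nb:
            return -1 if na < nb else 1
    return 0


def _split_version(v):
    """Split '[epoch:]upstream[-revision]'. A missing epoch is 0 and a
    missing revision is treated as '0', as Debian Policy specifies."""
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, "0"
    return int(epoch), upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 as Debian version a is older than, equal to, or
    newer than b (epoch first, then upstream, then debian revision)."""
    ea, ua, ra = _split_version(a)
    eb, ub, rb = _split_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)


# Constructed sample in the assumed shape of the tracker's JSON export.
# CVE ids and versions are placeholders, not real chromium issues.
SAMPLE_TRACKER_JSON = """
{
  "chromium": {
    "CVE-example-1": {"releases": {
      "sid":      {"status": "resolved", "fixed_version": "1.2-1"},
      "bullseye": {"status": "resolved", "fixed_version": "1.0-1+deb11u1"}}},
    "CVE-example-2": {"releases": {
      "sid":      {"status": "resolved", "fixed_version": "1.2-1"},
      "bullseye": {"status": "open"}}},
    "CVE-example-3": {"releases": {
      "sid":      {"status": "open"},
      "bullseye": {"status": "open"}}}
  }
}
"""
SAMPLE_TRACKER = json.loads(SAMPLE_TRACKER_JSON)


def affected_cves(tracker, package, suite, installed_version):
    """CVE ids that still affect installed_version of package in suite.
    An entry carrying a fixed_version is compared against the installed
    version, so a machine that already has the point-release update is not
    reported merely because the suite was flagged vulnerable when the bug
    was filed; an entry with no fix recorded counts unless it is resolved."""
    result = []
    for cve, info in tracker.get(package, {}).items():
        entry = info.get("releases", {}).get(suite)
        if entry is None:
            continue  # this CVE is not tracked for this suite
        fixed = entry.get("fixed_version")
        if fixed:
            still_affected = compare_versions(installed_version, fixed) < 0
        else:
            still_affected = entry.get("status") != "resolved"
        if still_affected:
            result.append(cve)
    return sorted(result)


if __name__ == "__main__":
    for suite, ver in (("bullseye", "1.0-1"), ("bullseye", "1.0-1+deb11u1"), ("sid", "1.2-1")):
        print(suite, ver, affected_cves(SAMPLE_TRACKER, "chromium", suite, ver))
```

On a real system the installed version would come from `dpkg-query -W -f='${Version}' chromium` and the data from the tracker's JSON export rather than the embedded sample; the comparison logic is the part worth keeping.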
