
Re: Why is Debian not telling the truth about its security fixes?



On Sat, Jan 22, 2022 at 02:23:48PM +0100, max wrote:
> This is a text-only version of my post on https://medium.com/@maxwillb/why-is-debian-not-telling-the-truth-about-its-security-fixes-85f0f85f19a0 
> It is missing hyperlinks and illustrations. Comments, corrections and suggestions are very welcome.
> 
> ---
> 
> WHY IS DEBIAN NOT TELLING THE TRUTH ABOUT ITS SECURITY FIXES?
> 
> Debian is a Linux distribution. As such, it repackages open-source software created by others. The packages distributed by Debian usually lag quite a bit behind the most up-to-date versions. This allows them to be better-tested. However, when security flaws are inevitably discovered, they usually get fixed only in the up-to-date versions. So someone must adapt and apply these fixes to the older versions redistributed by Debian. And this is precisely what Debian promises to do.
> 
> [PIC]
> 
> On debian.org/security, linked from the front page, it states:
> 
> "Debian takes security very seriously. We handle all security problems brought to our attention and ensure that they are corrected within a reasonable timeframe. Many advisories are coordinated with other free software vendors and are published the same day a vulnerability is made public and we also have a Security Audit team that reviews the archive looking for new or unfixed security bugs."
> 
> Debian’s Wikipedia page echoes and amplifies these claims, citing Debian itself:
> 
> "Debian security advisories are compatible with the Common Vulnerabilities and Exposures dictionary, are usually coordinated with other free software vendors and are published the same day a vulnerability is made public."
> 
> “Debian security advisories are published the same day a vulnerability is made public”?!
> 
> [PIC]
> 
> These claims are widely believed by Debian users, but they are false. On Debian’s own little-known security-tracker, we can see open security vulnerabilities that are quite old. For example this HIGH-severity vulnerability took 4.5 months to fix in Debian.
> 

This discussion has been had several times: you've raised it several times
and been answered several times. Debian does fix security problems - and is
open about them. 

> Additionally, I noticed that the vulnerability severity ratings given by the National Vulnerability Database (NVD) are often shown incorrectly by Debian. For example, this vulnerability is rated “9.6 CRITICAL” by NVD, and there are in fact known exploits for it in the wild. But it’s still shown as having a “medium” NVD rating by Debian:
> 
> [PIC]
> 

Debian can feel free to set its own ratings based on how straightforwardly it
affects Debian packages as a whole: a kernel vulnerability that affects 
10,000 users at medium _might_ be higher impact than a vulnerability
affecting one browser for far fewer users, as an example.

> I suspected that at least some Debian developers (unlike its users) were aware that debian.org/security was taking liberties with the truth. It also seemed implausible that no one had noticed that the NVD ratings were often wrong. However, I try to assume good faith, so under the assumption that these problems were somehow an institutional oversight, rather than intentional lies, I submitted my concerns to the debian-security mailing list.
> 
> PRESS RELEASES
> 
> Debian likes its press releases. Directly on its front page, we can see a press release for a minor version bump, and another press release announcing that it excommunicated one of its 1000 members.
> 
> [PIC]
> 
> Surely, correcting a key falsehood that’s been told to countless users, undecided users, donors (Debian’s main source of revenue), and prominently relayed to Wikipedia readers, would at least warrant a press release also and require swift action to minimize continued damage?
> 

You use the term falsehood - as if [all of] Debian were consistently lying to
all its users. I don't think that is justifiable here - I'd remind you of 
the Debian Code of Conduct which applies here as in all Debian mailing lists
and IRC channels.

> DEBIAN'S RESPONSE
> 
> One Debian developer replied with a minor critique of my proposed new text (which I addressed) and asked me to send my concerns about wrong NVD ratings as a separate email (which I did). Another Debian developer replied to him, dismissing my concerns about wrong NVD ratings:
> 
> "We are going to stop anyway at some point displaying the NVD severity, for context see #992115."
> 
> I disagreed with his reasoning not to issue a correction and to continue showing wrong NVD ratings. And since he completely ignored my main concern, and it had been 17 days after my original post, without any action or discussion, I inquired about progress there. This is when something sociologically interesting happened: A third Debian developer, apparently irritated, decided to just shut me up:
> 
> "Maybe at some time you could just stop keeping on insisting on that matter?"
> 
> Note that I wasn’t flooding the mailing list. The messages linked above are all that I had sent to the mailing list up to that point. He followed up with a threat of a ban.
> 
> Will Debian ever live up to its “Social Contract” that includes “Not hiding problems with the software or organization”? Will it apologize for misleading countless people? Given Debian’s response so far, I’m not very hopeful.
> 
> -- 
> Sent with https://mailfence.com  
> Secure and private email
> 

There are other threads about problems with web browsers - specifically
Firefox and Chromium, the pace of change of upstream and the difficulties
with support for all Debian distributions. It's noteworthy that Debian
will supply the latest browsers available but these have to be built
using a toolchain available in each distribution - so stable, oldstable
[oldoldstable] and this can take time. It's also true that Debian builds
these packages for more architectures than others - it may be that 
upstream only really cares about 64 bit Intel / Android for example.

It's also not unknown for packages to be dropped in point releases
because they become unmaintainable and, in fact, that's one of the
reasons that Debian (and others) switched to the Firefox ESR releases.

With every good wish, as ever,

Andrew Cater

