
Re: Why is Debian not telling the truth about its security fixes?



On Sat, 22 Jan 2022, max wrote:


WHY IS DEBIAN NOT TELLING THE TRUTH ABOUT ITS SECURITY FIXES?

snip rant.

I could have the opposite rant. WHY IS DEBIAN NOT TELLING THE TRUTH
ABOUT ITS STABLE DISTRIBUTION.

Because I have a machine (actually more than one) sat running buster
that has SSH listening but can only be reached via limited routes.

And the installed browser is able to connect only to the local network
too. On that local network there is a proxy - but that proxy does not
let this machine connect anywhere.

This machine runs xvnc (or something like that, off the top of my head I
forget exactly which vnc service it is running) and in order to actually
connect to the vnc server you have to use ssh forwarding via public key
authentication.

That machine has exactly one use, and that is to enable me to connect to
the IPMI console on two servers. The ipmi itself is presumed not safe to
expose and so is also firewalled from everything else.

For obvious reasons these machines are required rarely, but when
everything else is breaking it is critical that they work. (This is my
home network so technically physically plugging in a screen and keyboard
is only a 10 minute job rather than a remote hands request)

I want to keep ssh up to date, that's the one thing that does need to be
remotely accessible, but I'm laid back about everything else. And yet,
java updates, firefox updates *regularly* break things because the (no
updates available) IPMI firmware is using "insecure" security settings.


I would rather debian stable continued to carry a version of the various
major browsers than they dropped it completely. But dropping it is the
most likely thing to happen if the people who complain the loudest don't
step up and do the work to keep it completely up to date.

I'm pretty sure that if someone steps up to do all the work to package
each esr release of chromium/firefox then debian will be likely to take
them (especially if they're fixing known security issues) even if
they're going to break the normal debian stable compatibility rules. But
this is a lot of work. All this ranting is going to achieve is moving
firefox debs to a third party repo, making it more difficult for those
of us who have a use case for a "good enough" browser and have other
ways to avoid security issues in the browser.


FTAOD, I think the debian volunteers are doing a great job and while I
might wish that their efforts were focused on exactly MY needs, I'll
take whatever they're willing to give with a thank you (and an
occasional, unwarranted, moan).

