
Re: Why is Debian not telling the truth about its security fixes?



On Sat, Jan 22, 2022 at 07:01:24PM +0000, Tim Woodall wrote:
> On Sat, 22 Jan 2022, max wrote:
> 
> > 
> > WHY IS DEBIAN NOT TELLING THE TRUTH ABOUT ITS SECURITY FIXES?
> > 
> snip rant.
> 
> I could have the opposite rant. WHY IS DEBIAN NOT TELLING THE TRUTH
> ABOUT ITS STABLE DISTRIBUTION.
> 
> Because I have a machine (actually more than one) sat running buster
> that has SSH listening but can only be reached via limited routes.
> 
> And the installed browser is able to connect only to the local network
> too. On that local network there is a proxy - but that proxy does not
> let this machine connect anywhere.
> 
> This machine runs xvnc (or something like that, off the top of my head I
> forget exactly which vnc service it is running) and in order to actually
> connect to the vnc server you have to use ssh forwarding via public key
> authentication.
> 
> That machine has exactly one use, and that is to enable me to connect to
> the IPMI console on two servers. The ipmi itself is presumed not safe to
> expose and so is also firewalled from everything else.
> 
> For obvious reasons these machines are required rarely, but when
> everything else is breaking it is critical that they work. (This is my
> home network so technically physically plugging in a screen and keyboard
> is only a 10 minute job rather than a remote hands request)
> 
> I want to keep ssh up to date, that's the one thing that does need to be
> remotely accessible. but I'm laid back about everything else. And yet,
> java updates, firefox updates *regularly* break things because the (no
> updates available) IPMI firmware is using "insecure" security settings.
> 
> 
> I would rather debian stable continued to carry a version of the various
> major browsers than they dropped it completely. But dropping it is the
> most likely thing to happen if the people who complain the loudest don't
> step up and do the work to keep it completely up to date.
> 
> I'm pretty sure that if someone steps up to do all the work to package
> each esr release of chromium/firefox then debian will be likely to take
> them (especially if they're fixing known security issues) even if
> they're going to break the normal debian stable compatibility rules. But
> this is a lot of work. All this ranting is going to achieve is moving
> firefox debs to a third party repo, making it more difficult for those
> of us who have a use case for a "good enough" browser and have other
> ways to avoid security issues in the browser.
> 

I might suggest netsurf as a very lightweight browser that is very
well maintained by a dedicated bunch of folk - it's also cross platform
though I've no idea whether it will work with your IPMI.

Debian perforce has to adopt the upstream decisions of the originators
of Firefox/Chromium - but the requirement of having to build on each
release is not negotiable, I think, or the oldstable releases end
up as a mess of incompatible libraries. Buster, of course, is not the
current stable but is still supported by the main Debian security team
to 2022-08-14 and the LTS team until 2024.

With every good wish, as ever,

Andy Cater

> 
> FTAOD, I think the debian volunteers are doing a great job and while I
> might wish that their efforts were focused on exactly MY needs, I'll
> take whatever they're willing to give with a thank you (and an
> occasional, unwarranted, moan).
> 
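The jump-host pattern described in the quoted message (SSH reachable only over limited routes, VNC reachable only through an SSH tunnel authenticated with a public key) depends on sshd actually refusing password logins and permitting TCP forwarding. The script below is an added example, not configuration from either poster: it audits an sshd_config for those two settings and prints the matching client-side tunnel command. The host name, key path and the assumption that the VNC server listens on 127.0.0.1:5901 on the jump host are placeholders; the two sample configs are constructed inline.

```shell
#!/bin/sh
# Added example (not from the thread): audit an sshd_config for the
# key-only, forwarding-enabled posture a VNC-over-SSH jump host relies on.
# Host names and key paths below are placeholders.

# Effective value of a directive. sshd honours the first match, so take
# the first uncommented occurrence; print nothing when it is absent.
# Caveat: Match blocks are not evaluated, so a directive overridden
# inside one is not seen here.
sshd_setting() {
    # $1 = config file, $2 = directive name (case-insensitive in sshd)
    awk -v key="$2" 'tolower($1)==tolower(key) { print $2; exit }' "$1"
}

# Returns 0 when password logins are off, public keys are on and TCP
# forwarding is not disabled; otherwise prints each finding and returns 1.
check_sshd_config() {
    file="$1"
    pw=$(sshd_setting "$file" PasswordAuthentication)
    pk=$(sshd_setting "$file" PubkeyAuthentication)
    tcp=$(sshd_setting "$file" AllowTcpForwarding)
    rc=0
    [ "$pw" = "no" ] || { echo "PasswordAuthentication should be 'no' (is '${pw:-unset, default yes}')"; rc=1; }
    [ "${pk:-yes}" = "yes" ] || { echo "PubkeyAuthentication should be 'yes'"; rc=1; }
    [ "${tcp:-yes}" != "no" ] || { echo "AllowTcpForwarding is 'no': the VNC tunnel cannot work"; rc=1; }
    return $rc
}

# Client side: forward local port 5901 to the VNC server (display :1) that
# listens on the jump host's loopback only. -N opens no remote shell and
# PasswordAuthentication=no refuses to fall back to a password prompt.
vnc_tunnel_cmd() {
    # $1 = jump host (placeholder), $2 = private key path (placeholder)
    echo "ssh -N -i $2 -o PasswordAuthentication=no -L 5901:127.0.0.1:5901 $1"
}

# Constructed sample configs for demonstration.
good=$(mktemp); bad=$(mktemp)
cat >"$good" <<'EOF'
# hardened jump host (constructed sample)
PasswordAuthentication no
PubkeyAuthentication yes
AllowTcpForwarding yes
EOF
cat >"$bad" <<'EOF'
# stock config: the commented default leaves password auth on (constructed sample)
#PasswordAuthentication yes
PubkeyAuthentication yes
EOF

check_sshd_config "$good" && echo "good: hardened"
check_sshd_config "$bad" || echo "bad: not hardened"
vnc_tunnel_cmd jumphost.example ~/.ssh/id_ed25519
rm -f "$good" "$bad"
```

Run it against the real file with `check_sshd_config /etc/ssh/sshd_config` on the jump host; `sshd -T` gives the fully resolved values (including Match blocks) if the simple first-match parse above is not enough.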

