Re: Why is Debian not telling the truth about its security fixes?



> These claims are widely believed by Debian users, but they are false. On
> Debian’s own little-known security-tracker, we can see open security
> vulnerabilities that are quite old. For example this HIGH-severity
> vulnerability took 4.5 months to fix in Debian.

Chrome is proprietary, hence not part of Debian.
This has been pointed out to you already in the past.  This makes me
feel like you do not write in good faith (tho maybe you just don't
understand the concept of Free Software and confuse it with software
that's distributed free of charge).

> Additionally, I noticed that the vulnerability severity ratings given by
> the National Vulnerability Database (NVD) are often shown incorrectly by
> Debian. For example, this vulnerability is rated “9.6 CRITICAL” by NVD, and
> there are in fact known exploits for it in the wild. But it’s still shown as
> having a “medium” NVD rating by Debian:

Huh... this is about Chrome, again.  Is your post about Debian or about Chrome?

> I suspected that at least some Debian developers (unlike its users) were
> aware that debian.org/security was taking liberties with the truth.

I think you're just misreading the official statement.
The statement does not say that bugs are fixed within a day.  It says
that advisories are sent within a day.  And then says that bugs are
fixed "within a reasonable timeframe".

What's reasonable is obviously in the eye of the beholder, but of course
the focus will be on packages considered important for Debian.
I don't think Chrome is considered as an important package for Debian.
Maybe it is for Ubuntu, and it definitely is for Google, but it's
clearly quite secondary for Debian.

So I don't see any factual errors or "taking liberties with the truth"
in Debian's statement.

> Will Debian ever live up to its “Social Contract” that includes “Not hiding
> problems with the software or organization”? Will it apologize for
> misleading countless people? Given Debian’s response so far, I’m not
> very hopeful.

I don't know.  But I wonder if Max will apologize for misleading
their readers by focusing on bugs that only affect packages which aren't
even in Debian.


        Stefan


Reply to: