Re: Why is Debian not telling the truth about its security fixes?



Stefan Monnier <monnier@iro.umontreal.ca> wrote on 22/01/2022 at 23:35:39+0100:

>> These claims are widely believed by Debian users, but they are false. On
>> Debian’s own little-known security-tracker, we can see open security
>> vulnerabilities that are quite old. For example this HIGH-severity
>> vulnerability took 4.5 months to fix in Debian.
>
> Chrome is proprietary, hence not part of Debian.

I wonder if these bugs aren't also impacting chromium? I did not have
time to look into it so I may be wrong.

> This has been pointed out to you already in the past.  This makes me
> feel like you do not write in good faith (tho maybe you just don't
> understand the concept of Free Software and confuse it with software
> that's distributed free of charge).
>
>> Additionally, I noticed that the vulnerability severity ratings given by
>> the National Vulnerability Database (NVD) are often shown incorrectly by
>> Debian. For example, this vulnerability is rated “9.6 CRITICAL” by NVD, and
>> there are in fact known exploits for it in the wild. But it’s still shown as
>> having a “medium” NVD rating by Debian:
>
> Huh... this is about Chrome, again.  Is your post about Debian or about Chrome?
>
>> I suspected that at least some Debian developers (unlike its users) were
>> aware that debian.org/security was taking liberties with the truth.
>
> I think you're just misreading the official statement.
> The statement does not say that bugs are fixed within a day.  It says
> that advisories are sent within a day.  And then says that bugs are
> fixed "within a reasonable timeframe".
>
> What's reasonable is obviously in the eye of the beholder, but of course
> the focus will be on packages considered important for Debian.
> I don't think Chrome is considered as an important package for Debian.
> Maybe it is for Ubuntu, and it definitely is for Google, but it's
> clearly quite secondary for Debian.
>
> So I don't see any factual errors or "taking liberties with the truth"
> in Debian's statement.
>
>> Will Debian ever live up to its “Social Contract” that includes “Not hiding
>> problems with the software or organization”? Will it apologize for
>> misleading countless people? Given Debian’s response so far, I’m not
>> very hopeful.
>
> I don't know.  But I wonder if Max will apologize for misleading
> their readers by focusing on bugs that only affect packages which aren't
> even in Debian.

Now that I read the press release paragraph and the reference to
Pocock's "excommunication", I start wondering if Max, who never wrote on
any Debian List before last month, is yet another trollesque incarnation
of the aforementioned Pocock.

-- 
PEB