Re: Why is Debian not telling the truth about its security fixes?
Stefan Monnier <monnier@iro.umontreal.ca> wrote on 22/01/2022 at 23:35:39+0100:
>> These claims are widely believed by Debian users, but they are false. On
>> Debian’s own little-known security-tracker, we can see open security
>> vulnerabilities that are quite old. For example this HIGH-severity
>> vulnerability took 4.5 months to fix in Debian.
>
> Chrome is proprietary, hence not part of Debian.
I wonder if these bugs aren't also impacting Chromium? I did not have
time to look into it, so I may be wrong.
> This has been pointed out to you already in the past. This makes me
> feel like you do not write in good faith (tho maybe you just don't
> understand the concept of Free Software and confuse it with software
> that's distributed free of charge).
>
>> Additionally, I noticed that the vulnerability severity ratings given by
>> the National Vulnerability Database (NVD) are often shown incorrectly by
>> Debian. For example, this vulnerability is rated “9.6 CRITICAL” by NVD, and
>> there are in fact known exploits for it in the wild. But it’s still shown as
>> having a “medium” NVD rating by Debian:
>
> Huh... this is about Chrome, again. Is your post about Debian or about Chrome?
>
>> I suspected that at least some Debian developers (unlike its users) were
>> aware that debian.org/security was taking liberties with the truth.
>
> I think you're just misreading the official statement.
> The statement does not say that bugs are fixed within a day. It says
> that advisories are sent within a day. And then says that bugs are
> fixed "within a reasonable timeframe".
>
> What's reasonable is obviously in the eye of the beholder, but of course
> the focus will be on packages considered important for Debian.
> I don't think Chrome is considered as an important package for Debian.
> Maybe it is for Ubuntu, and it definitely is for Google, but it's
> clearly quite secondary for Debian.
>
> So I don't see any factual errors or "taking liberties with the truth"
> in Debian's statement.
>
>> Will Debian ever live up to its “Social Contract” that includes “Not hiding
>> problems with the software or organization”? Will it apologize for
>> misleading countless people? Given Debian’s response so far, I’m not
>> very hopeful.
>
> I don't know. But I wonder if Max will apologize for misleading
> their readers by focusing on bugs that only affect packages which aren't
> even in Debian.
Now that I read the press release paragraph and the reference to
Pocock's "excommunication", I start wondering if Max, who never wrote on
any Debian list before last month, is yet another trollesque incarnation
of the aforementioned Pocock.
--
PEB