Hi,
When packages reach LTS, users have been using them for years, and it
makes sense that we try our best to fix vulnerabilities, and when that proves
near-impossible, we mark them unsupported on a case-by-case basis. This
accounts for poorly written software, but more often orphaned projects,
codebases that change too fast, upstream EOL in
high-complexity+hard-to-test projects, etc.
Pushing your point, we'd need to consider all software insecure by
default, perform regular code audits on the full Debian archive, which
would be very costly, and blocking packages from reaching testing, which
would introduce another bottleneck there.
I'd add that we have room for improvements on our own reactivity.
TL;DR, I think we're good as-is.
Cheers!
Sylvain
On 11/02/2021 23:00, Brian May wrote:
Hello,
I notice that the quality of our packages can vary significantly. Some
get frequent security updates, while with others the author appears to
be confused just what an SQL injection attack is and how to prevent it.
Not going to name names here, because they have done a wonderful job in
developing the software, publishing it as open source, and getting it
into Debian. And they most likely are not paid and doing this on their
own time. I think that possibly there are a number of packages and
different (possibly seriously time constrained) authors here.
Plus Debian doesn't seem to have any requirement that packages should be
vaguely secure before a new package is accepted (maybe this needs to
change?).
However, I was wondering if we should even try to support such software
that obviously has not been written to have any level of security? As
even if we patch one CVE - chances are there are many more security issues
waiting to be found. We are providing a disservice to our users by
pretending that all software is secure, when obviously it is not.
Yes, this could also result in a flame war with the author too. Which I
would rather avoid. Maybe though people who are keen enough, and have
time, to enter a flame war, are also keen enough to help fix the
problems.
But I am not sure that treating all software as equal, when it obviously
isn't, is a good thing for our users.
Yes, users can look up our security trackers, not sure how much this
helps though. A lot of these open security issues aren't necessarily
serious issues that warrant concern.
Any ideas, comments?