Dear all,
It is an issue that's been bugging me for some time, and while I have tried to find good reasons, I have not, so I might as well write them down. I have a lot of respect for the security team, and I don't think I have anything to contribute other than my thoughts, but I'll try to share them.

Many packages in stable are really outdated. After first installing Woody, I thought that the prospect of waiting one-and-a-half years for the next release would scare me away from Debian. Now that I've grown up a bit more, it doesn't. I'm perfectly fine with using backports for things like KDE. Also, if I were a sysadmin for a lot of boxes, supporting many not-too-savvy users, the release cycle is perfectly reasonable. For a stable system, pinning is not an option, because you'll quite soon have to update things like libc6 if you do.

It's not about that. Backports are fine for most purposes, and I'm fine with the release cycle. It's about a small handful of security-critical packages, like for example Snort. In the case of Snort, the security team has explicitly discouraged people from using the packages available in Woody, see DSA-297. I find it very hard to understand that in the cases where the security team strongly advises an upgrade, the backported packages are not included in e.g. a point release.

One may argue that such an upgrade will break some poor sysadmin's system, because he didn't expect an upgrade containing new features, or where old features were perhaps deprecated. However, if he had a clue, he wouldn't be using the packages to begin with. If it breaks his system, it was time he got a wake-up call anyway. I can't see that this is a valid argument.

One could also argue that if many packages had to be backported to the old stable architecture, one would introduce instability because of the lack of extensive testing.
To this, there are two responses: First of all, using outdated packages doesn't really give you much either, and some instability is perhaps better than a package that gives you a false sense of security. Secondly, it is never going to be a lot of packages. The packages I can immediately think of that this is important for are snort and chkrootkit. It will probably be at most 1 in 1000 packages that this concerns. Surely, things like SpamAssassin should be kept up-to-date, but it is a different problem to address, and one that I currently feel is adequately addressed by Norbert's backports.org.

Finally, there is a good argument, I think it was Tom Allison who forwarded it when I brought the issue up on debian-user, that if the backports depended on an upgrade of other packages, like libc6, the system would soon be unstable. That's a very good point, but as far as I can see, there are working backports of snort and chkrootkit to Woody. In most cases, I would presume, you don't need to upgrade dependencies. An upgrade of a package would then just influence that package.

So, this is just about the very few packages the security team feels are so outdated that one advises people not to use them. For those packages, the question is: What is the advantage of keeping such outdated packages in the archive?

This is somewhat relevant to the point Ryan just raised in his recent post about "better apt security with 3rd-party sites", since having outdated packages in the archive makes people use backports from 3rd-party sites, and you don't know the validity of these packages. It seems to me to be a perfect way to trojan a newbie's machine: The newbie hears on debian-user that he must update some of these packages. So, there is a malicious cracker who puts a site up with "official updates", and the newbie adds it to his sources.list. Instantly, he gets a version of Snort that ignores attacks and chkrootkit with a rootkit...
Even if you could use debsigs, a newbie probably couldn't verify the package anyway, due to the lack of a personal WOT. I think it is a rather bad situation.

Again, I'm fine with backports for many packages, and I'm fine with the general release cycle, it's just the small number of critical security-related packages that I feel need some discussion.

Best,

Kjetil

- -- 
Kjetil Kjernsmo
Astrophysicist/IT Consultant/Skeptic/Ski-orienteer/Orienteer/Mountaineer
[EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]
Homepage: http://www.kjetil.kjernsmo.net/
OpenPGP KeyID: 6A6A0BBC
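Editor's note on the "official updates" scenario above. The following is an added example, not code from Kjetil's mail, from Debian, or from apt itself. It walks the Release -> Packages -> .deb hash chain that a signed apt archive relies on, using a constructed Packages index, Release file and fake package bytes, and it assumes the OpenPGP signature on Release has already been checked against a key the admin trusts (in a real archive that is `gpg --verify Release.gpg Release`). The last case in `demo()` is the point of the mail: a malicious site that ships its own self-consistent Release/Packages/.deb passes every hash check, so the hashes alone prove nothing; only trust in the signing key does, which is exactly what a newbie without a web of trust cannot establish.

```python
"""Added example: the Release -> Packages -> .deb hash chain behind signed apt
archives, with a case showing why the chain alone proves nothing about a
third-party site.  All archive text and package bytes below are constructed."""
import hashlib
import re


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_archive(deb: bytes, filename: str = "pool/main/s/snort/snort_example.deb"):
    """Build a minimal (constructed) Packages index and Release file for one .deb,
    the way an archive tool would: Packages hashes the .deb, Release hashes Packages."""
    packages = (
        "Package: snort\n"
        f"Filename: {filename}\n"
        f"Size: {len(deb)}\n"
        f"SHA256: {sha256_hex(deb)}\n"
        "\n"
    )
    index_path = "main/binary-i386/Packages"
    release = (
        "Origin: constructed-example\n"
        "Suite: stable\n"
        "SHA256:\n"
        f" {sha256_hex(packages.encode())} {len(packages.encode())} {index_path}\n"
    )
    return release, packages, index_path


def parse_release_hashes(release: str) -> dict:
    """Return {path: (sha256, size)} from the SHA256: section of a Release file."""
    hashes = {}
    in_section = False
    for line in release.splitlines():
        if line.startswith("SHA256:"):
            in_section = True
            continue
        if in_section and line.startswith(" "):
            digest, size, path = line.split()
            hashes[path] = (digest, int(size))
        elif in_section:
            in_section = False  # a new top-level field ends the hash section
    return hashes


def parse_packages(packages: str) -> dict:
    """Return {package name: {field: value}} from a Packages index."""
    stanzas = {}
    for block in re.split(r"\n\s*\n", packages.strip()):
        fields = dict(line.split(": ", 1) for line in block.splitlines() if ": " in line)
        stanzas[fields["Package"]] = fields
    return stanzas


def verify_chain(release: str, packages: str, index_path: str,
                 name: str, deb: bytes) -> tuple:
    """Check Release -> Packages -> .deb.  Assumes the signature on Release was
    already verified against a trusted key; that signature, not these hashes,
    is what binds the archive to a publisher you have decided to trust."""
    expected = parse_release_hashes(release).get(index_path)
    if expected is None:
        return False, "index not listed in Release"
    raw = packages.encode()
    if expected != (sha256_hex(raw), len(raw)):
        return False, "Packages index does not match Release"
    entry = parse_packages(packages).get(name)
    if entry is None:
        return False, f"{name} not in Packages"
    if int(entry["Size"]) != len(deb) or entry["SHA256"] != sha256_hex(deb):
        return False, f"{name} .deb does not match Packages"
    return True, "ok"


# Constructed package payloads (not real .deb archives).
GOOD_DEB = b"!<arch>\nconstructed snort package\n"
TROJANED_DEB = b"!<arch>\nconstructed snort package with rootkit\n"

TRUSTED_RELEASE, TRUSTED_PACKAGES, INDEX = build_archive(GOOD_DEB)
# An attacker's "official updates" site ships its own self-consistent archive.
ATTACKER_RELEASE, ATTACKER_PACKAGES, _ = build_archive(TROJANED_DEB)


def demo() -> dict:
    """Three cases: honest archive, a swapped .deb on a mirror, and an attacker-run archive."""
    return {
        "trusted archive, good deb":
            verify_chain(TRUSTED_RELEASE, TRUSTED_PACKAGES, INDEX, "snort", GOOD_DEB)[0],
        "trusted archive, swapped deb":
            verify_chain(TRUSTED_RELEASE, TRUSTED_PACKAGES, INDEX, "snort", TROJANED_DEB)[0],
        "attacker archive, trojaned deb":
            verify_chain(ATTACKER_RELEASE, ATTACKER_PACKAGES, INDEX, "snort", TROJANED_DEB)[0],
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'passes hash chain' if ok else 'rejected'}")
```

The second case is what the hash chain is good for: a package swapped on a mirror, or corrupted in transit, no longer matches the index it was listed in. The third case passes, because the attacker controls all three files. Whether that archive should be believed at all is decided before any of this code runs, by whose key signed Release and why the admin trusts it.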