Greetings,

On Saturday, 18 June 2005 09:04, Helmut Toplitzer wrote:
> Hi!
>
> Just a few remarks:
>
> << Use unstable or testing, and apply security fixes yourself. Over
>
> In my opinion this is a bad suggestion. Maybe my last mail was a bit
> unclear about this. As security is a process rather than a state,
> your systems will hardly ever have all the available security-patches.
> (Not to mention that it's not possible to keep up with this job
> if you are alone with it, which will be the fact if you do it by
> hand for testing/unstable.)

Well, not necessarily. Security, as done, is a process and a state. You either configure your daemons to run less-privileged and chroot'ed or you don't. There is no process in this.

> So the question is how to deal with this. As every distribution has
> a security-team these days

Not every...

> (or at least should have) it is possible
> to get the security-patches in (quite short) time.

Well, what is a "short time" here?

> They established processes for how these patches get into the
> distributions and do a lot of communication with each other so that
> none is missed.

At least we hope.

> (And if you ever tried to, you will know that this is a quite complex
> job to do if you want to do it well.)

Of course, at least considering the amount of packages.

> As a result a lot of people rely on the work of these teams.
> Especially Debian has a very "open" way to do this.

This is wrong (more or less). Debian has access to non-disclosed information. If you interpret the d-s-c in a strict way, it is not allowed, either - but AFAIK this has never been a big issue (?). (However, this is quite difficult to discuss, 'cause full- vs. non-disclosure is not settled at all.)

> Security
> problems are handled publicly if there's no request not to do it
> this way.

No.

> So if you protect your systems (more than 2) by these updates, you would
> be well advised to establish a process yourself how you get them onto
> your system and how - in general - you keep them more or less secure.

No. The truth is (at the moment and in the near past) that you have to backport the patches yourself - but Debian offers a framework for porting.

> And the information if Debian-Security is
> working as expected is a very valuable one to people who did this.

How do you define "expected"? Debian security is not a just-in-time patch delivery service working 24/7. IMHO Debian security is an instance allowing patches to get into stable.

So if you set up stable years after its release, it is realistic to assume that no vuln older than a couple of months/weeks is included (if a patch is available). (Well, there were some, even in essential packages, but you'll know them if you follow this list.)

> Hopefully my considerations are clear now. (This mail became much
> longer than I wanted.)

Your considerations are quite clear, but IMHO you expect too much. I decided to stop moaning and criticizing because:
- I cannot do better
- I don't pay them
- they are volunteers
- I don't have to use their services
- I said a lot, I triggered some processes I don't like to have happened
- I bashed on the wrong guys.

Keep smiling
yanosz