On Tue, Jul 01, 2003 at 12:47:36PM +0200, Boldizsar BENCSATH wrote:

> What about something like this 5-minutes-change?:
>
> Template: samba/security_warning
> Type: boolean
> Default: false
> Description: Warning! Serious Warning!
>  This version of samba contains remotely exploitable SERIOUS
>  vulnerabilities!
>  If you continue the install You will definitely be the target of CRACKING
>  activity!
>  DO NOT INSTALL THIS VERSION OF SAMBA UNLESS YOU KNOW WHAT YOU ARE DOING!
>  If You don't know why you are going to install this version, you should
>  check your debian version and security fixes lists (e.g. /etc/apt/sources.list)
>  and Debian Security announcements! Do not use testing release if You cannot
>  afford to keep up with the latest news!!!
>  Do You really-really want to install this vulnerable version of samba?
>
> and some db_get samba/security_warning in preinst script...
I would rather see the bugs fixed. They already have been; it's just that a
few showstopper bugs need to be fixed before the new version goes in.

> I know Your reasons not to include a bad version, but some reasons from
> the practical side:
>
> -Many users do not read security mailing lists

They have already lost if they do not AT LEAST subscribe to the notification
lists that we provide.

> -Many users have some reasons to use unstable/testing distribution (e.g.
> libc6 compatibility issues with some not-debian-software)

Then they should upgrade selected packages and monitor those packages for
(e.g.) security problems. This is no reason to upgrade the entire system
(for example, samba).

> -They also need to be secure

They need to work at this. It is not automatic.

> -Or at least, we should push some warning for them

We prominently declare on the web site that unreleased packages may have
security problems and other bad bugs.

> -Or at least, we should maintain some "extra" security effort to the
> following packages:
> exim,sendmail,apache,php,mysql,samba,ftpd,proftpd,pop3's. These are the
> main packages and if they have a _remotely_ exploitable security hole,
> then it is a bad policy to leave these packages in -even the unstable-
> distro.

If you know of any such bugs, report them if they are not reported already,
and (if you can) fix them by providing patches.

This is an old argument and I do not wish to go over it again.

-- 
 - mdz
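For reference, this is what the "db_get samba/security_warning in preinst script" part of the quoted proposal would look like in practice. It is an added example, not code from the mail thread or from the Debian samba package. It assumes the samba/security_warning boolean template quoted above has already been registered with debconf (normally the package's config script does that before dpkg runs the preinst), and the helper name may_continue and the wording of the refusal messages are this example's own.

```shell
#!/bin/sh
# Hypothetical preinst for samba: ask the proposed samba/security_warning
# boolean and refuse to continue unless the administrator answered "true".
# Added example; not part of the mail or of the Debian samba package.
set -e

TEMPLATE=samba/security_warning   # template name from the quoted proposal

# may_continue ANSWER FRONTEND
# ANSWER is the debconf value ("true"/"false"), FRONTEND the debconf
# frontend in use. Returns 0 if the install may proceed, 1 if it must be
# refused; the reason goes to stderr so it shows up in the dpkg log.
may_continue() {
    answer=$1
    frontend=${2:-dialog}
    case "$answer" in
        true)
            return 0 ;;
        false|"")
            # Caveat a packager would want: with the noninteractive frontend
            # the question is never displayed, so the template default
            # (false) silently blocks every unattended install or upgrade.
            if [ "$frontend" = noninteractive ]; then
                echo "preinst: $TEMPLATE not confirmed (noninteractive frontend);" \
                     "preseed it to true or install interactively" >&2
            else
                echo "preinst: install of this samba version refused by the administrator" >&2
            fi
            return 1 ;;
        *)
            # A boolean template should only ever yield true/false; treat
            # anything else as a refusal rather than guessing.
            echo "preinst: unexpected debconf value '$answer' for $TEMPLATE" >&2
            return 1 ;;
    esac
}

# Only talk to debconf when dpkg actually invokes this script as a preinst
# ("preinst install" or "preinst upgrade <old-version>"); run with no
# arguments the script just defines may_continue.
case "${1:-}" in
    install|upgrade)
        . /usr/share/debconf/confmodule
        db_input critical "$TEMPLATE" || true   # 30 = question skipped, not an error
        db_go || true
        db_get "$TEMPLATE"                        # answer lands in $RET
        if ! may_continue "$RET" "${DEBIAN_FRONTEND:-dialog}"; then
            exit 1                                # dpkg aborts the install
        fi
        ;;
esac
```

A non-zero exit from preinst makes dpkg abort the unpack, which is the "gate" the proposal asks for; the noninteractive branch is there because a preinst that refuses on the template default would also break every automated upgrade, which is the kind of breakage the reply above is objecting to.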