On Wed, Feb 4, 2015 at 6:49 PM, Michael Gilbert <mgilb...@debian.org> wrote:
> On Wed, Feb 4, 2015 at 8:09 PM, Stephen Dowdy wrote:
>> So, if a user installs said package, but fails to notice any EOL DSA
>> on it, the package gets left in place in a potentially VULNERABLE
>> state. I.e. if a known exploit comes out, and the package is still
>> installed, the end-user could get a nasty surprise thinking that
>> because they've added security support to apt-sources and regularly
>> update, that they are protected. This is a non-optimal and undesired
>> end-result.
>
> The debian-security-support package somewhat addresses those concerns
> [0], but it is not currently installed by default. There was some
> discussion to make that happen, but it hasn't been followed through.
Ah, that's useful to know, and that would be a reasonable solution.
However, that package depends upon being current and having the
"ended" and "limited" support DB files updated:

    $ check-support-status -V
    version 2014.09.07
    $ grep chromium /usr/share/debian-security-support/* || echo "Chromium not listed"
    Chromium not listed

It's been less than a week since 'chromium' support was EOL'd, so
hopefully soon 'debian-security-support' will get that updated info.

To me, that's a satisfactory solution, again, depending upon it being
maintained. I'll ensure that our default FAI config includes that
package from here out. (Additionally, a site administrator could, using
those DBs, manage package de-installation / deactivation or
security-alert wrapper scriptage, even automatically, from it.)

>> Note that chromium is in 'main' -- not 'contrib' or ..., so there's a
>> valid expectation that its security support won't just silently stop
>> -- unlike the other FAQ entry that says there's basically no security
>> support for contrib, non-free..
>
> I'm not sure where you get the "silently" concern from, but this topic
> is already discussed in wheezy's release notes [1]. The problem with
> that of course you'll point out is that users often don't read that...

By "silently", I mean that the package would continue to operate w/o
warning that it's possibly vulnerable (sans any external info such as
checking DSAs or having an updated 'debian-security-support' package
and independently running it to identify the problem). I've often
injected shell-script wrappers around problematic packages to warn
users via dialog/kdialog/simple-message that the package is
vulnerable/problematical, etc. -- until the problem's rectified.

Yeah, it's hard to read (and brain-store) multiple hundred-page
manuals for all the stuff a sysadmin is responsible for on a regular
basis.
That's why I appealed to folks like you to set me straight ;)

> Best wishes,
> Mike
>
> [0] https://packages.qa.debian.org/d/debian-security-support.html
> [1] https://www.debian.org/releases/stable/amd64/release-notes/ch-information.en.html#browser-security

Thanks!
--stephen

-- 
Stephen Dowdy - Systems Administrator - NCAR/RAL
303.497.2869 - sdo...@ucar.edu - http://www.ral.ucar.edu/~sdowdy/
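The two ideas Stephen raises above (cross-checking the debian-security-support DB against what dpkg says is installed, and wrapping an EOL'd program with a warning shim) can be automated in a few lines of POSIX sh. The script below is an added example, not code from the thread or from the debian-security-support package. It assumes a whitespace-separated "support ended" record format of `package version-or-dash end-date info` with `#` comments, and an installed-package list in the shape produced by `dpkg-query -W -f='${Package} ${Version} ${Status}\n'`; both inputs are constructed inline (the package names other than chromium are made up) so that it runs offline. The wrapper prints to stderr rather than calling dialog/kdialog so it has no dependencies.

```shell
#!/bin/sh
# Added example: match installed packages against a support-ended DB
# and generate a warning wrapper for an affected program.
# Assumed DB record format (constructed, not the real file layout):
#   <package> <version-or-dash> <end-date> <info>
# Assumed installed list: dpkg-query -W -f='${Package} ${Version} ${Status}\n'

SUPPORT_DB=$(mktemp)
INSTALLED=$(mktemp)
WRAP_DIR=$(mktemp -d)
trap 'rm -rf "$SUPPORT_DB" "$INSTALLED" "$WRAP_DIR"' EXIT

# Constructed sample DB. "examplepkg" and "oldthing" are invented names.
cat > "$SUPPORT_DB" <<'EOF'
# package     version  end-date    info
chromium      -        2015-01-29  https://www.debian.org/releases/stable/amd64/release-notes/ch-information.en.html#browser-security
examplepkg    1.0-1    2014-12-01  constructed-entry
oldthing      -        2014-06-01  constructed-entry
EOF

# Constructed dpkg-query output. "oldthing" is only in config-files state,
# i.e. removed but not purged: it must NOT be reported as installed.
cat > "$INSTALLED" <<'EOF'
bash 4.2+dfsg-0.1 install ok installed
chromium 37.0.2062.120-1~deb7u1 install ok installed
examplepkg 1.0-1 install ok installed
oldthing 0.9-2 deinstall ok config-files
EOF

# ended_installed DBFILE INSTALLEDFILE
# Prints "<package> <installed-version> <end-date> <info>" for every package
# that is genuinely installed (dpkg status "installed") and listed in the DB.
# Matching is by name only; the DB version column is not interpreted here.
ended_installed() {
    awk '
        FNR == NR {                         # first file: support-ended DB
            if ($0 ~ /^[ \t]*(#|$)/) next    # skip comments and blank lines
            ended[$1] = $3 " " $4
            next
        }
        # second file: "pkg version want flag status"; only status "installed"
        $5 == "installed" && ($1 in ended) { print $1, $2, ended[$1] }
    ' "$1" "$2"
}

# make_warning_wrapper REAL_PROGRAM WRAPPER_PATH MESSAGE
# Writes a shim that prints MESSAGE to stderr, then execs REAL_PROGRAM with
# the original arguments, so the program keeps working but never silently.
make_warning_wrapper() {
    real=$1 wrapper=$2 msg=$3
    cat > "$wrapper" <<EOF
#!/bin/sh
# generated by make_warning_wrapper
printf 'WARNING: %s\\n' "$msg" >&2
exec "$real" "\$@"
EOF
    chmod 0755 "$wrapper"
}

# Stand-in for the real binary so the wrapper can be exercised offline.
printf '#!/bin/sh\nprintf "real %%s\\n" "$1"\n' > "$WRAP_DIR/chromium.real"
chmod 0755 "$WRAP_DIR/chromium.real"

# Report, and wrap every affected program found.
ended_installed "$SUPPORT_DB" "$INSTALLED" | while read -r pkg ver date info; do
    echo "$pkg $ver: security support ended $date ($info)"
    make_warning_wrapper "$WRAP_DIR/$pkg.real" "$WRAP_DIR/$pkg" \
        "$pkg: Debian security support ended $date, see $info"
done
```

In production the wrapper path would be the real `/usr/bin/<name>` after moving the original aside (or a diversion via `dpkg-divert`), and the installed list would come straight from `dpkg-query`; the matching logic and the shim are unchanged.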