> > Just read it and tell me what you think about it.
>
> I think it has some valid points. He brings up issues that make sense and
> should have been taken care of a long time ago (e.g. commenting out archaic
> services in inetd.conf, default homedir perms, etc.). Maybe Debian
> maintainers should go over 2.2 with a fine-tooth comb and release a 2.2.1
> security/system update?
But this guy talks about security holes just by checking package version numbers! He doesn't look at what has been done with the package (Debian-specific changes, including backported fixes for security holes). I often wrote to maintainers that Debian should implement the right package versions. For example: a package in Debian has the number 1.4-1. A security hole is discovered and it's fixed in the normal 1.5 version. But when this package (1.4-1) is in the "frozen" state there is no possibility to generate package 1.5-1 and put it into frozen. So the maintainer backports the security fix and makes package 1.4-2, which has no security hole. But for a guy like this writer (and for many normal users) this package has the security hole. Not so many look at the changelogs or try exploits; they just look at the package version (it's 1.4) and look at the advisory, in which they read that the hole has been fixed in version 1.5, so they think that Debian is insecure. And I think this is a big problem for most people.

_________________
Leszek Gerwatowski
[EMAIL PROTECTED]
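The mismatch described in the post, as an added example that is not part of the original message or of any Debian tool: a version-only check (the kind of scan the writer complains about) flags 1.4-2 as vulnerable because its upstream part is still 1.4, while a check that also reads the Debian changelog finds the backported fix. The version comparison follows dpkg's documented algorithm (epoch, then upstream, then Debian revision; digit runs compared numerically, `~` sorting before everything). The package name `foo`, the changelog text and the keyword heuristic for recognising a backport entry are constructed for this example and are assumptions, not anything the post or Debian specifies.

```python
import re

# --- dpkg-style version comparison ------------------------------------------

def parse_version(v: str):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    if "-" in v:
        upstream, rev = v.rsplit("-", 1)   # only the LAST hyphen starts the revision
    else:
        upstream, rev = v, ""
    return epoch, upstream, rev


def _order(c: str) -> int:
    # dpkg ordering for non-digit characters: '~' < end-of-string < letters < others
    if c == "~":
        return -1
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_nondigit(a: str, b: str) -> int:
    for i in range(max(len(a), len(b))):
        oa = _order(a[i]) if i < len(a) else 0   # 0 == end of string
        ob = _order(b[i]) if i < len(b) else 0
        if oa != ob:
            return -1 if oa < ob else 1
    return 0


def _cmp_fragment(a: str, b: str) -> int:
    """Compare one fragment (upstream or revision) as alternating non-digit/digit runs."""
    ta = re.findall(r"([^0-9]*)([0-9]*)", a)
    tb = re.findall(r"([^0-9]*)([0-9]*)", b)
    for i in range(max(len(ta), len(tb))):
        na, da = ta[i] if i < len(ta) else ("", "")
        nb, db = tb[i] if i < len(tb) else ("", "")
        c = _cmp_nondigit(na, nb)
        if c:
            return c
        ia, ib = int(da or 0), int(db or 0)      # digit runs compare numerically
        if ia != ib:
            return -1 if ia < ib else 1
    return 0


def dpkg_compare(a: str, b: str) -> int:
    """-1, 0 or 1 like dpkg --compare-versions."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)


# --- the two kinds of check -------------------------------------------------

def version_only_vulnerable(installed: str, fixed_upstream: str) -> bool:
    """What a naive scanner does: compare only the upstream part with the advisory."""
    _, upstream, _ = parse_version(installed)
    return _cmp_fragment(upstream, fixed_upstream) < 0


_HEADER = re.compile(r"^(\S+) \(([^)]+)\) [^;]+;", re.M)


def parse_changelog(text: str):
    """Yield (version, body) per entry of a debian/changelog-style file."""
    heads = list(_HEADER.finditer(text))
    for i, m in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        yield m.group(2), text[m.end():end]


def assess(installed: str, fixed_upstream: str, changelog: str, keyword: str = "security"):
    """Return ('fixed-upstream'|'fixed-backport'|'vulnerable', version_that_decided_it)."""
    if not version_only_vulnerable(installed, fixed_upstream):
        return "fixed-upstream", installed
    # Heuristic (assumption): an entry at or below the installed version whose text
    # mentions both the keyword and the upstream version named in the advisory.
    for ver, body in parse_changelog(changelog):
        if dpkg_compare(ver, installed) <= 0 and keyword in body.lower() and fixed_upstream in body:
            return "fixed-backport", ver
    return "vulnerable", installed


# Constructed changelog for a hypothetical package 'foo' (not a real Debian package).
CHANGELOG = """\
foo (1.4-2) frozen; urgency=high

  * Backport the security fix from upstream 1.5 (no upstream version bump).

 -- Debian Maintainer <maint@example.org>  Mon, 14 Aug 2000 10:00:00 +0200

foo (1.4-1) unstable; urgency=low

  * New upstream release.

 -- Debian Maintainer <maint@example.org>  Mon, 01 May 2000 10:00:00 +0200
"""

if __name__ == "__main__":
    for installed in ("1.4-1", "1.4-2", "1.5-1"):
        print(installed, "naive:", version_only_vulnerable(installed, "1.5"),
              "with changelog:", assess(installed, "1.5", CHANGELOG))
```

On a Debian system the changelog to feed `assess()` would be the one shipped under `/usr/share/doc/<package>/changelog.Debian.gz`; the keyword match is only a heuristic, so a real audit still has to read the entry it points at.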