This is a text-only version of my post on 
https://medium.com/@maxwillb/why-is-debian-not-telling-the-truth-about-its-security-fixes-85f0f85f19a0
 
It is missing hyperlinks and illustrations. Comments, corrections and 
suggestions are very welcome.

---

WHY IS DEBIAN NOT TELLING THE TRUTH ABOUT ITS SECURITY FIXES?

Debian is a Linux distribution. As such, it repackages open-source software 
created by others. The packages distributed by Debian usually lag quite a bit 
behind the most up-to-date versions. This allows them to be better-tested. 
However, when security flaws are inevitably discovered, they usually get fixed 
only in the up-to-date versions. So someone must adapt and apply these fixes to 
the older versions redistributed by Debian. And this is precisely what Debian 
promises to do.

[PIC]

On debian.org/security, linked from the front page, it states:

"Debian takes security very seriously. We handle all security problems brought 
to our attention and ensure that they are corrected within a reasonable 
timeframe. Many advisories are coordinated with other free software vendors and 
are published the same day a vulnerability is made public and we also have a 
Security Audit team that reviews the archive looking for new or unfixed 
security bugs."

Debian’s Wikipedia page echoes and amplifies these claims, citing Debian itself:

"Debian security advisories are compatible with the Common Vulnerabilities and 
Exposures dictionary, are usually coordinated with other free software vendors 
and are published the same day a vulnerability is made public."

“Debian security advisories are published the same day a vulnerability is made 
public”?!

[PIC]

These claims are widely believed by Debian users, but they are false. On 
Debian’s own little-known security-tracker, we can see open security 
vulnerabilities that are quite old. For example this HIGH-severity 
vulnerability took 4.5 months to fix in Debian.

Additionally, I noticed that the vulnerability severity ratings given by the 
National Vulnerability Database (NVD) are often shown incorrectly by Debian. 
For example, this vulnerability is rated “9.6 CRITICAL” by NVD, and there are 
in fact known exploits for it in the wild. But it’s still shown as having a 
“medium” NVD rating by Debian:

[PIC]

I suspected that at least some Debian developers (unlike its users) were aware 
that debian.org/security was taking liberties with the truth. It also seemed 
implausible that no one had noticed that the NVD ratings were often wrong. 
However, I try to assume good faith, so under the assumption that these 
problems were somehow an institutional oversight, rather than intentional lies, 
I submitted my concerns to the debian-security mailing list.

PRESS RELEASES

Debian likes its press releases. Directly on its front page, we can see a press 
release for a minor version bump, and another press release announcing that it 
excommunicated one of its 1000 members.

[PIC]

Surely, correcting a key falsehood that’s been told to countless users, 
undecided users, donors (Debian’s main source of revenue), and prominently 
relayed to Wikipedia readers, would at least warrant a press release also and 
require swift action to minimize continued damage?

DEBIAN'S RESPONSE

One Debian developer replied with a minor critique of my proposed new text 
(which I addressed) and asked me to send my concerns about wrong NVD ratings as 
a separate email (which I did). Another Debian developer replied to him, 
dismissing my concerns about wrong NVD ratings:

"We are going to stop anyway at some point displaying the NVD severity, for 
context see #992115."

I disagreed with his reasoning not to issue a correction and to continue 
showing wrong NVD ratings. And since he completely ignored my main concern, and 
it had been 17 days after my original post, without any action or discussion, I 
inquired about progress there. This is when something sociologically 
interesting happened: A third Debian developer, apparently irritated, decided 
to just shut me up:

"Maybe at some time you could just stop keeping on insisting on that matter?"

Note that I wasn’t flooding the mailing list. The messages linked above are all 
that I had sent to the mailing list up to that point. He followed up with a 
threat of a ban.

Will Debian ever live up to its “Social Contract” that includes “Not hiding 
problems with the software or organization”? Will it apologize for misleading 
countless people? Given Debian’s response so far, I’m not very hopeful.
