Stefan Monnier <monn...@iro.umontreal.ca> wrote on 22/01/2022 at 23:35:39+0100:
>> These claims are widely believed by Debian users, but they are false. On
>> Debian’s own little-known security-tracker, we can see open security
>> vulnerabilities that are quite old. For example this HIGH-severity
>> vulnerability took 4.5 months to fix in Debian.
>
> Chrome is proprietary, hence not part of Debian.

I wonder if these bugs aren't also impacting chromium? I did not have time
to look into it so I may be wrong.

> This has been pointed out to you already in the past. This makes me
> feel like you do not write in good faith (tho maybe you just don't
> understand the concept of Free Software and confuse it with software
> that's distributed free of charge).
>
>> Additionally, I noticed that the vulnerability severity ratings given by
>> the National Vulnerability Database (NVD) are often shown incorrectly by
>> Debian. For example, this vulnerability is rated “9.6 CRITICAL” by NVD, and
>> there are in fact known exploits for it in the wild. But it’s still shown as
>> having a “medium” NVD rating by Debian:
>
> Huh... this is about Chrome, again. Is your post about Debian or about
> Chrome?
>
>> I suspected that at least some Debian developers (unlike its users) were
>> aware that debian.org/security was taking liberties with the truth.
>
> I think you're just misreading the official statement.
> The statement does not say that bugs are fixed within a day. It says
> that advisories are sent within a day. And then says that bugs are
> fixed "within a reasonable timeframe".
>
> What's reasonable is obviously in the eye of the beholder, but of course
> the focus will be on packages considered important for Debian.
> I don't think Chrome is considered as an important package for Debian.
> Maybe it is for Ubuntu, and it definitely is for Google, but it's
> clearly quite secondary for Debian.
>
> So I don't see any factual errors or "taking liberties with the truth"
> in Debian's statement.
>
>> Will Debian ever live up to its “Social Contract” that includes “Not hiding
>> problems with the software or organization”? Will it apologize for
>> misleading countless people? Given Debian’s response so far, I’m not
>> very hopeful.
>
> I don't know. But I wonder if Max will apologize for misleading
> their readers by focusing on bugs that only affect packages which aren't
> even in Debian.

Now that I read the press release paragraph and the reference to Pocock's
"excommunication", I start wondering if Max, who never wrote on any Debian
List before last month, is yet another trollesque incarnation of the
aforementioned Pocock.

-- 
PEB