
Re: DSA 438 - bad server time, bad kernel version or information delayed?



Jan Lühr <jluehr@gmx.net> writes:

> Greetings,
>
> On Wednesday, 18 February 2004 21:31, Otavio Salvador wrote:
>> Florian Weimer <fw@deneb.enyo.de> writes:
>> > Jan Lühr wrote:
>> >> Does this mean that a well-known exploit was kept back for nearly three
>> >> weeks, just because some odd vendors were unable to build their kernels
>> >> in time?
>> >
>> > Yes, this is the norm.  Debian hides security bugs from its users for
>> > extended periods of time.
>>
>> Yes, but there is a reason for this. Before a fix is uploaded, it needs to be
>> available on all supported archs and tested, since the majority of users install it
>> trusting the Debian Security Team and, because of this, it should not fail ;-)
>
> Well, of course you might have quite good reasons for doing so, but for me,
> this is quite a good reason for changing the distro or OS.
> Hiding unfixed holes is one thing (and I appreciate that, partly), but hiding
> already fixed packages is quite astonishing, and you cannot tell me you need
> more than two weeks to test a simple correction.

I don't do that. I'm only talking about a possibility.

> May I ask you what local / remote root exploit fixes you are holding back
> currently? Should I switch off my sshd for the next few days, or does the
> current bash have an unfixed local root exploit?
> This is exactly the same policy M$ has - but the point is, you could at least
> inform your users.
> An unknown local root exploit was one of the key parts in the Debian server
> compromise, and we have all seen the consequences.
> Surely you can see that I want to keep this risk as small as possible on my
> servers.

Of course, we should keep the risk as small as possible, but this includes
working with other distros to solve it for the major groups of archs in the
least time possible, to minimize the possibility of breakage.

[]s

-- 
        O T A V I O    S A L V A D O R
---------------------------------------------
 E-mail: otavio@debian.org      UIN: 5906116
 GNU/Linux User: 239058     GPG ID: 49A5F855
 Home Page: http://www.freedom.ind.br/otavio
---------------------------------------------


