❦ 19 février 2018 20:36 +0200, Adrian Bunk <b...@debian.org> : >> Debian is not only about security support. We provide packages without >> security support. We also have backports that come without security >> support either. This is still better than installing random packages >> made by random people which may or may not integrate properly into >> Debian. > > The software might integrate properly into Debian - and allow everyone > on the internet to take control of your computer. > > On the server side we are talking about software like Node.js or gitlab. > > On the desktop side the MUA that comes with our default desktop renders > HTML emails using a web engine that is not security supported by Debian. > > An example what "no security support" means in practice: > > If you are running Debian stable and haven't yet installed the > LibreOffice security updates Debian published a few days ago, > then opening a document is sufficient to make LibreOffice silently > send your gpg and ssh private keys to whatever server the author > of that document wants - no dialog, no warnings, you won't notice. > > If Debian would provide LibreOffice without security support, > how many of our users would have been aware of this problem?
I don't know what's your point. You acknowledge we already ship not security supported software. We could put a large dialog box when installing/upgrading LibreOffice, like for other not security supported software. Or we could put those software in a special repository (called "unsupported"), a bit like backports that are not security supported either. Ubuntu does that since many years (everything in universe/multiverse is unsupported) and nobody cares. -- Use variable names that mean something. - The Elements of Programming Style (Kernighan & Plauger)
Description: PGP signature