On mi�, jul 26, 2000 at 05:41:37 -0500, Ricardo Adolfo Rodr�guez wrote: > lei esto en vivalinux.com.ar > > La verdad no estoy de acuerdo, pero como no soy un Duro Debianero..:(.. > pues no hablo muy fuerte... que opinan ustedes? > > Comparando Seguridad en Linux > Enviado por vivab0rg el 26-07-2000 @ 01:04 AM (le�do: 0 veces - hits: 0) > Para los m�s paranoicos de nuestros amigos y/o > sysadmin's, este art�culo en SecurityPortal les va a >[..]
Os reenv�o la respuesta de Joey Hess desarrolador Debian a los de SecurityPortal. La podeis ver en el fichero adjunto. -- Javier Vi�uales Guti�rrez <[EMAIL PROTECTED]> Webs: http://www.ctv.es/USERS/vigu Personal http://www.ctv.es/USERS/vigu/linux/ ViguLinux PGP public key: http://www.ctv.es/USERS/vigu/vigu.pubkey
In <http://www.securityportal.com/cover/coverstory20000724.html>, you state: > I have not fully covered Slackware and Debian, with their ridiculously > slow release schedules. I'm very disappointed on two levels: First that you provide such a comprehensive and useful report and yes omit one of the more popular linux distributions[6], and second that you have made such an erroneous assumption about Debian's release methodology. Your main mistake is that you have failed to realize that Debian releases timely security fixes, which are distributed to Debian users via the internet. Users can choose to configure their systems to receive these updates[1]. This makes release intervals orthogonal to whether users receive security fixes. Moreover, Debian has _frequent_ minor releases. These releases consist mostly of security fixes, and they serve to get the security fixes out to fresh Debian installs, plus to anyone who installs from CD and does not set up their system to receive security fixes via the net. You may have missed these releases, since in Debian, "2.1" is a new major release (with an implied "r1"), while "2.1r2" is the first minor release -- an unusual nomenclature compared to the other distributions. Interestingly, minor releases of Debian 2.1 have occurred more frequently than minor releases of Red Hat 6 (which, as you note, "shoves a new version out the door every 6 months like clockwork"). Debian Red Hat 2.1 8 days 2.1r2 167 days 2.1r3 6.0 104 days 161 days 2.1r4 6.1 117 days 175 days 2.1r5 6.2 [ Interestingly, a poster on slashdot has numbers[5] that show that the other distribution you left out (Slackware) also releases just as frequently as Red Hat. ] In light of these problems, I think it would be quite beneficial if you added Debian to your paper. Security announcement since 1998 are archived in both the archives of the debian-security-announce mailing list[3], and on http://security.debian.org/ (which also includes advisories from 1997). So, I dug up some numbers (I read the changelog pointed to by footnote 2, and counted security fixes. This is probably not as accurate as your numbers.) Release Security Alerts 2.1 1 2.1r2 16 2.1r3 19 2.1r4 5 2.1r5 Moving on to the second part of your paper, specific incidents and how quickly distributions responded, I've looked up some data on Debian's responses. Local root exploit in kernel <2.2.15, announced on June 8th. On June 12th, Debian announced[4] it had fixed the hole *before* the exploit was announced, and thus was not vulnerable. fdmount, announced May 22. Debian has never installed it suid, and thus has never been vulnerable (as you noted -- thanks). By the way, I think this section of your paper looked at too few holes to draw any real conclusions from. But Debian seems to have been near the head of the pack in this limited sampling. In closing, I'd like to point out that the current 1 and a half 5 year -- not 2 year as you continually state -- gap between Debian 2.1 and 2.2 is so far an exception, and not -- as you continually imply -- a rule. Major Debian releases: 1.1 6 months 1.2 7 months 1.3 12 months 2.0 8 months 2.1 (19 months?) 2.2 -- see shy jo, fond of lies, damn lies, and statistics [1] (For instructions to configure a Debian system to receive such fixes, see for example, http://security.debian.org/, in the 5th paragraph.) [2] This information from ftp://ftp.debian.org/debian/dists/stable/Debian2.1r5 [3] http://www.debian.org/Lists-Archives/debian-security-announce-98/threads.html http://www.debian.org/Lists-Archives/debian-security-announce-99/threads.html http://www.debian.org/Lists-Archives/debian-security-announce-00/threads.html [4] http://www.debian.org/security/2000/20000612 [5] http://slashdot.org/comments.pl?sid=00/07/25/1444233&cid=141 [6] I'm not going to argue this in detail, but just see how people reacted to your ommissions on slashdot. Debian has a rather large mindshare, though its market share is less quantifiable. http://slashdot.org/article.pl?sid=00/07/25/1444233&mode=nested -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
