On Sat, 17 Jul 2004 [EMAIL PROTECTED] wrote:

> Quote from debian’s security website:
> Debian takes security very seriously.  Most security problems brought to
> our attention are corrected within 48 hours.
> Debian has yet to release security patches for two major vulnerabilities
> in php.
>  In fact they haven’t released an advisory of any kind in over two
> weeks.

Um, you mean exactly two weeks.  DSAs 526 and 527 were posted on July 3.

>  I know that this is a community effort, but I don’t really
> understand how that’s an excuse seeing that Gentoo released an updated
> ebuild the next day.

Yeah, but what is an ebuild?  They just take whatever glop upstream serves
up without much integration.  In this case PHP was updated with a bug fix
promptly.  But if they (PHP) made a huge blunder which they missed at
release time, gentoo would promptly update to that.  Debian stable's value
add is that the software in it may be old, but it is tried and tested.
Security fixes are backported to known good versions, and that takes time.

Another reason for delays is that woody is so long in the tooth now that
the current upstream versions of many programs are quite different from
the ones there which makes backporting more time consuming.  The answer is
for us to hurry up and release sarge.

> I love debian.  I run debian stable on all of my production machines,
> and the belief that security patches would be handed down to the
> community promptly was a major factor in choosing it as our distribution
> of choice.  Nevertheless, if users continue to be frustrated by slow
> response times to security issues and poor developer attitudes,

??? Did someone say "haha, we're not going to update php, so nyah"?  God knows
you can find instances of poor developer attitudes in Debian, but I don't
see how this is one.

> debian
> has no real advantage over any other distro.

The truth is sometimes the other distros get out advisories before we do
and sometimes it's the other way around.  If you would care to review the
stats, you'll see all the distros are pretty much even in the end.

> Frustrated and vulnerable…

One of the main benefits of open source is freeing you from being the pawn
of a vendor.  Have you contacted the PHP maintainer (every .deb has the
maintainer's name on it) to see what the holdup is and if there is an ETA?
If you didn't get any satisfaction that way, you can get the source for
the .deb, add the patch yourself, and repack it.  Chances are someone on
this list has already done it.  (Personally, the way most PHP programmers
write, I think the whole thing is a security hole.)

My feeling (as an outsider) is that the security team's responses are going
to continue to be a little slow for a bit, but by the time sarge releases
it will be back to its speedy self again.  You've got to look at the
long-term, and Debian's security record continues to be good.

Jaldhar H. Vyas <[EMAIL PROTECTED]>
La Salle Debain - http://www.braincells.com/debian/
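The "get the source for the .deb, add the patch yourself, and repack it" route from the reply above, and the backport-to-a-known-good-version idea it rests on, as an added worked example. This is not code from the message, from Debian or from the security team; the package name, the patch file and the `+localN` version scheme are assumptions, and it assumes the apt/devscripts tools of a current Debian with the same name for source and binary package. The two helper functions run offline; the rebuild itself needs network and a build environment.

```shell
#!/bin/sh
# Added example, not code from the original message or from Debian:
# rebuild a stable package locally with a security patch applied, the
# route the reply suggests when an official DSA is still pending.
# Package name, patch file and tool versions are assumptions; the helper
# functions below run offline, the rebuild itself needs apt/devscripts.
set -eu

# Version for a local rebuild: sorts above the archive version so the
# rebuilt .deb installs, and below the next Debian revision so the
# official security update (e.g. -8) replaces it on the next upgrade.
#   4.1.2-7        -> 4.1.2-7+local1
#   4.1.2-7+local1 -> 4.1.2-7+local2
local_version() {
    ver=$1
    case "$ver" in
        *+local[0-9]*)
            echo "${ver%+local*}+local$(( ${ver##*+local} + 1 ))"
            ;;
        *)
            echo "${ver}+local1"
            ;;
    esac
}

# Upstream part of a Debian version: drop the epoch ("1:") and the
# Debian revision ("-7"). apt-get source unpacks into <pkg>-<upstream>.
#   1:4.1.2-7 -> 4.1.2
upstream_version() {
    ver=${1#*:}
    echo "${ver%-*}"
}

# Fetch, patch, bump the changelog and build. Assumes the source package
# has the same name as the installed binary package and uses source
# format 1.0 (as woody-era packages did); 3.0 (quilt) packages need the
# change recorded with dpkg-source --commit before building.
rebuild_with_patch() {
    pkg=$1
    patch_file=$2

    # Pull the exact source the stable binary was built from. apt checks
    # the index hashes against the signed Release file, so this is the
    # trustworthy starting point; the patch is the only thing you add.
    apt-get source "$pkg"
    cur=$(dpkg-query -W -f '${Version}' "$pkg")
    cd "${pkg}-$(upstream_version "$cur")"

    # Refuse to leave the tree half-patched: dry-run first, then apply.
    patch -p1 --dry-run < "$patch_file"
    patch -p1 < "$patch_file"

    # Record the change so the .deb carries a traceable version string.
    dch -v "$(local_version "$cur")" \
        "Local rebuild with security patch $(basename "$patch_file")."

    # Build unsigned binaries; install the result with dpkg -i.
    dpkg-buildpackage -rfakeroot -us -uc
}

# Usage: sh rebuild.sh rebuild php4 /path/to/fix.patch   (names hypothetical)
case "${1:-}" in
    rebuild) rebuild_with_patch "$2" "$3" ;;
esac
```

The point of the version helper is the caveat a practitioner wants here: a locally rebuilt package must not sort above the eventual DSA version, or the official fix will never replace it. The dry-run `patch` keeps a bad or mis-rooted patch from leaving a half-modified tree, and the changelog entry is what lets you tell, months later, which machines still carry the local build.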
