Re: Debian security being trashed in Linux Today comments

2002-01-16 Thread Javier Fernández-Sanguino Peña


Right. It should be "A report published".
Fixed. Thanks

Javi


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]




Re: Debian security being trashed in Linux Today comments

2002-01-16 Thread Will Wesley, CCNA

Peter Cordes wrote:
>
>> Agreed, weighted mean (by severity of vulnerability and popularity of
>> package) would be better, if suitable weighting could be devised.
>
>  Separate graphs would be more useful to more people.  (Not everybody's
> weighting would be the same as the weighting that would take a year of
> debate to not be settled anyway...)  One graph for remote exploits, one for
> local privilege escalation, one for remote holes in Important (according to
> pkg system), etc.  Make a graph for anything someone might be interested in.
> Or even generate them on the fly with input from a set of checkboxes for which
> package to include; if someone wanted to write the code, it wouldn't be
> hard.  (Assuming there's a good way to see which package falls into which
> category...  Hmm, that's probably not so easy with the data that is kept now.)
>
>  Anyway, the most useful thing would be multiple graphs according to a few
> interesting criteria.

Any kind of policy we create should be easily applied to other distros in
order to combat FUD like the comments that started this thread. I agree
in separating graphs and stats into different categories such as remote
and local vulnerabilities, and Required (as in packages that are on
virtually all systems, i.e. glibc, at and friends, etc.). But we wouldn't
be distinguishing on a package basis, IMHO, since one package could be
vulnerable to a remote exploit and also have a privilege escalation
vuln.

As for weighting the severity of exploits, this would definitely be
something that would need to be tailored to the individual who seeks
such information. Maybe a selection of different package types (i.e. mail
servers, web servers, ftp servers, user utils, admin utils, network
utils, development tools, base, etc.), then include in the report
whether specific packages are still vuln to known exploits, or details
on how fast specific packages were fixed after a vuln was announced.
The details would help advise as to which packages appear to be more
secure in a specific use, while statistics would show how well the
distro responds to fixes for a specific genre of packages, which would
in turn help an admin decide what distro would be best for the kind of
server he/she is creating. Maybe a package-specific report would be
easier, and more accurate.

Anyone wanna flame me, add to my thoughts, or compliment me? I guess as
a side note, I shouldn't say "we" since I doubt I am really eligible to
be a major contributor to such a project... Just my two cents, anyhow.

-Will Wesley
Great way to learn about mknod...
box:~# rm -rf /dev
box:~# man mknod








Re: Debian security being trashed in Linux Today comments

2002-01-16 Thread Peter Cordes
On Tue, Jan 15, 2002 at 02:34:47PM +0000, Colin Phipps wrote:
> On Tue, Jan 15, 2002 at 02:04:38PM +0000, Tim Haynes wrote:
>> Colin Phipps [EMAIL PROTECTED] writes:
>>> It is not misleading in this case, the tail is the _most_ important part
>>> of the data. It doesn't matter if we patch every other hole in 10 minutes
>>> if we leave one open for months.
>>
>> Yes it does, if that remaining hole is merely a local non-root potential
>> vulnerability with no known exploit that's a PITA to fix - you *must*
>> weight the average accordingly.
>
> Agreed, weighted mean (by severity of vulnerability and popularity of
> package) would be better, if suitable weighting could be devised.

 Separate graphs would be more useful to more people.  (Not everybody's
weighting would be the same as the weighting that would take a year of
debate to not be settled anyway...)  One graph for remote exploits, one for
local privilege escalation, one for remote holes in Important (according to
pkg system), etc.  Make a graph for anything someone might be interested in.
Or even generate them on the fly with input from a set of checkboxes for which
package to include; if someone wanted to write the code, it wouldn't be
hard.  (Assuming there's a good way to see which package falls into which
category...  Hmm, that's probably not so easy with the data that is kept now.)

 Anyway, the most useful thing would be multiple graphs according to a few
interesting criteria.

-- 
#define X(x,y) x##y
Peter Cordes ;  e-mail: X([EMAIL PROTECTED] , ns.ca)

The gods confound the man who first found out how to distinguish the hours!
 Confound him, too, who in this place set up a sundial, to cut and hack
 my day so wretchedly into small pieces! -- Plautus, 200 BCE



Re: Debian security being trashed in Linux Today comments

2002-01-16 Thread Lupe Christoph
On Tuesday, 2002-01-15 at 13:07:12 +0100, Javier Fernández-Sanguino Peña wrote:
> On Tue, Jan 15, 2002 at 09:23:20AM +0100, Lupe Christoph wrote:
>
>> I still think a table and graph would be a good addition to the security
>> FAQ, as an answer to the question "How long does Debian take to
>> fix known vulnerabilities?". The table could go in the FAQ, and the
>> graph could be linked. (Dunno how the FAQ gets set up, but I guess
>> there will be an ASCII-only version.)
>
> Already did it yesterday (except for the column with the data).
> See
> http://www.debian.org/doc/manuals/securing-debian-howto/ch11.en.html#s11.3

Thank you. But I can't parse "An published in the debian-security
mailinglist showed that in the year 2001," An email?

Lupe Christoph
-- 
| [EMAIL PROTECTED]   |http://free.prohosting.com/~lupe |
| I have challenged the entire ISO-9000 quality assurance team to a  |
| Bat-Leth contest on the holodeck. They will not concern us again.  |
| http://public.logica.com/~stepneys/joke/klingon.htm|




Re: Debian security being trashed in Linux Today comments

2002-01-15 Thread Lupe Christoph

On Monday, 2002-01-14 at 23:20:21 -0400, Peter Cordes wrote:
> On Mon, Jan 14, 2002 at 01:25:11PM -0500, Jeremy L. Gaddis wrote:
>
>  I recompressed it as a real PNG, and attached it to this mail, for your
> viewing pleasure :)  PNG gets 3.5 times better compression, probably because
> this image only uses 8 bits of colour, and the xwd was 24bit.

I hadn't tried to view it when it first came around. As a graph,
it is not very impressive. Hard to judge x and y for any point on
the curve. This would probably be better done as a histogram.

>  Someone else mentioned that this graph should go up on a website, but
> someone else shot them down.  I think the suggestion was just for this image
> in particular, not that this should be done for every image-attachment on
> all lists.  Anyway, I agree that it would be cool to have this graph and the
> data available on a web site.  (With the data in a two-column ascii list,
> rather than a spreadsheet or something that needs to be downloaded and dealt
> with separately.)  Of course, then we might need to make up excuses, or
> preferably find solutions, for the exceptionally long bugs.

I still think a table and graph would be a good addition to the security
FAQ, as an answer to the question "How long does Debian take to
fix known vulnerabilities?". The table could go in the FAQ, and the
graph could be linked. (Dunno how the FAQ gets set up, but I guess
there will be an ASCII-only version.)

I believe the most useful format would be linear for the number of bugs
fixed, and log for the time. Like this:

Time (days)   No of fixes
1             ?
2-3           ?
4-7           ?
8-15          ?
16-31         ?
etc.

I'd be *really* interested in seeing that kind of table for more OSes.
Not only Linux distributions, but also Solaris, *BSD, and Windowses.

My gut feeling is that Debian would shine in such a comparison.
Initially, I came to Debian because I had the feeling that it was
the Linux distribution with the fastest reaction to the discovery
of vulnerabilities. Judging from BUGTRAQ.

Lupe Christoph
-- 
| [EMAIL PROTECTED]   |http://free.prohosting.com/~lupe |
| I have challenged the entire ISO-9000 quality assurance team to a  |
| Bat-Leth contest on the holodeck. They will not concern us again.  |
| http://public.logica.com/~stepneys/joke/klingon.htm|






Re: Debian security being trashed in Linux Today comments

2002-01-15 Thread Adam Warner

On Tue, 2002-01-15 at 09:44, Florian Weimer wrote:
> Adam Warner [EMAIL PROTECTED] writes:
>
>> http://www.linuxtoday.com/news_story.php3?ltsn=2002-01-14-002-20-SC-DB
>>
>> Someone with better knowledge of all the facts might want to comment on
>> the claim that "Debian is always the last to fix security holes" and the
>> tag team follow up "I've been fighting for months now to try to convince
>> them to release an advisory or fix for ftpd..."
>
> Of course, libc problems are a bit unfair for comparison.  Red Hat
> runs the official CVS repository, and they probably knew about the
> problem by mid-November or something like that (the fix was committed
> on 2001-11-29, IIRC).

I've just found that some anonymous poster promoted the Linux Today
comments on Debian Planet:

http://www.debianplanet.org//article.php?sid=568

At this rate Slashdot isn't far off ;-)

Regards,
Adam






Re: Debian security being trashed in Linux Today comments

2002-01-15 Thread Simon Huggins

On Mon, Jan 14, 2002 at 09:53:15AM -0500, Noah L. Meyerhans wrote:
> On Mon, Jan 14, 2002 at 01:37:50PM +0000, Simon Huggins wrote:
>> So perhaps Debian security is only as good as the package maintainers?
>> I'm sure most maintainers do care and do investigate bugs; I probably
>> just had a bad experience.
> That is the case in unstable and testing, but not stable.

You seem to be implying I was talking about woody or sid, yet the bug in
the BTS says potato.

> That is why you're encouraged to run stable on any machine connected
> to the internet.  In its case, there is a group within Debian who is
> responsible for providing security updates in a timely manner with or
> without assistance from the package maintainer.

I should probably have emailed security-team instead of security when I
found the bug.  Ho hum.


-- 
--(  Lefinnois[away] huggie: in your herd of public keys,    )--
Simon (  which one is the right one?                       ) Nomis
 Htag.pl 0.0.19






Re: Debian security being trashed in Linux Today comments

2002-01-15 Thread Javier Fernández-Sanguino Peña

On Tue, Jan 15, 2002 at 09:23:20AM +0100, Lupe Christoph wrote:
> On Monday, 2002-01-14 at 23:20:21 -0400, Peter Cordes wrote:
>> On Mon, Jan 14, 2002 at 01:25:11PM -0500, Jeremy L. Gaddis wrote:
>>
>>  I recompressed it as a real PNG, and attached it to this mail, for your
>> viewing pleasure :)  PNG gets 3.5 times better compression, probably because
>> this image only uses 8 bits of colour, and the xwd was 24bit.
>
> I hadn't tried to view it when it first came around. As a graph,
> it is not very impressive. Hard to judge x and y for any point on
> the curve. This would probably be better done as a histogram.

Well. Take into account it was done somewhat in a hurry... IIRC
x = number of days taken to fix bug
y = number of bugs fixed

>>  Someone else mentioned that this graph should go up on a website, but
>> someone else shot them down.  I think the suggestion was just for this image

I did not shoot him down, just said I did not think it
would be possible. Problem is, debiandoc-sgml has no support for inline
images.

> I still think a table and graph would be a good addition to the security
> FAQ, as an answer to the question "How long does Debian take to
> fix known vulnerabilities?". The table could go in the FAQ, and the
> graph could be linked. (Dunno how the FAQ gets set up, but I guess
> there will be an ASCII-only version.)

Already did it yesterday (except for the column with the data).
See
http://www.debian.org/doc/manuals/securing-debian-howto/ch11.en.html#s11.3


Regards

Javi






Re: Debian security being trashed in Linux Today comments

2002-01-15 Thread Adam Warner

On Wed, 2002-01-16 at 01:07, Javier Fernández-Sanguino Peña wrote:

> Already did it yesterday (except for the column with the data).
> See
> http://www.debian.org/doc/manuals/securing-debian-howto/ch11.en.html#s11.3

Please consider removing any reference to the average amount of time in
the FAQ:

"...it took the Debian Security Team an average of 35 days to fix
security-related vulnerabilities."

An average based upon a very long tail is highly misleading. Please
quote the median time to fix a vulnerability instead. This will be
less than or equal to 10 days given this statistic:

"over 50% of the vulnerabilities were fixed in a 10-days time"

Because of this research it looks like Debian's security information
page will have to be changed:

http://www.debian.org/security/

"Debian takes security very seriously. Most security problems brought to
our attention are corrected within 48 hours."

That's just not an honest description of what's occurred. It appears
from the research that most (i.e. >50%) of security problems are
corrected within 10 days, not 48 hours.

I still need to be able to download that spreadsheet. I have viewed the
PNG picture.

Regards,
Adam
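The two proposals above, Lupe's log-binned table (1, 2-3, 4-7, 8-15, ... days) and Adam's point that the median, not the mean, describes a long-tailed time-to-fix distribution, can be tried on data in the two-column ASCII form Peter asked for. The script below is an added example written for this page; it is not code from the thread, the FAQ or any Debian tool. The package names and day counts in `SAMPLE_LIST` are constructed (deliberately long-tailed) and are not the 2001 data the thread discusses; `parse_two_column`, `log_binned_table` and `summary` are names chosen here.

```python
"""Time-to-fix statistics from a two-column ASCII list (added example).

Parses a constructed 'package days' list, builds the log-binned table
proposed in the thread and reports mean, median and the share of fixes
landing within a threshold, so the mean-vs-median argument can be
checked on long-tailed data.
"""
from statistics import mean, median

# Constructed sample: names and days-to-fix are invented and chosen to have
# a long tail. This is NOT the 2001 Debian data discussed in the thread.
SAMPLE_LIST = """\
# package   days-to-fix
pkg-a       1
pkg-b       1
pkg-c       2
pkg-d       3
pkg-e       3
pkg-f       4
pkg-g       5
pkg-h       7
pkg-i       8
pkg-j       9
pkg-k       10
pkg-l       14
pkg-m       21
pkg-n       45
pkg-o       90
pkg-p       300
"""


def parse_two_column(text):
    """Return [(package, days)] from 'package days' lines.

    Blank lines and '#' comments are skipped. Anything else that is not
    exactly two fields with a positive integer second field is rejected,
    so a corrupted list fails loudly instead of silently skewing the stats.
    """
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 2 or not fields[1].isdigit() or int(fields[1]) < 1:
            raise ValueError(f"line {lineno}: expected '<package> <days>' "
                             f"with days >= 1, got {raw!r}")
        records.append((fields[0], int(fields[1])))
    return records


def log_binned_table(days):
    """Count fixes per bin 1, 2-3, 4-7, 8-15, 16-31, ... (bin k = [2^k, 2^(k+1)-1]).

    Empty bins are kept so the table reads as a histogram with a log time
    axis and a linear count axis, as proposed in the thread.
    """
    counts = {}
    for d in days:
        if d < 1:
            raise ValueError("days to fix must be >= 1")
        k = d.bit_length() - 1          # floor(log2(d)) without float error
        counts[k] = counts.get(k, 0) + 1
    rows = []
    for k in range(max(counts) + 1):
        lo, hi = 1 << k, (1 << (k + 1)) - 1
        label = str(lo) if lo == hi else f"{lo}-{hi}"
        rows.append((label, counts.get(k, 0)))
    return rows


def summary(days, threshold=10):
    """Mean, median and the share of fixes landing within `threshold` days."""
    return {
        "n": len(days),
        "mean": mean(days),
        "median": median(days),
        "share_within": sum(1 for d in days if d <= threshold) / len(days),
    }


def format_table(rows):
    """Render rows in the plain ASCII layout the FAQ could carry."""
    lines = [f"{'Time (days)':<12} No of fixes"]
    lines += [f"{label:<12} {count}" for label, count in rows]
    return "\n".join(lines)


if __name__ == "__main__":
    days = [d for _, d in parse_two_column(SAMPLE_LIST)]
    print(format_table(log_binned_table(days)))
    s = summary(days)
    print(f"\nn={s['n']} mean={s['mean']:.1f} median={s['median']} "
          f"fixed within 10 days: {s['share_within']:.0%}")
```

On the constructed sample the single 300-day entry pulls the mean to about 33 days while the median stays at 7.5 and 11 of 16 fixes land within 10 days, which is exactly the gap between "average of 35 days" and "over 50% within 10 days" that Adam's message is about. Whether the tail should be discounted or emphasised is the question the rest of the thread argues; the table simply makes the tail visible.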







faster -- Re: Debian security being trashed in Linux Today comments

2002-01-15 Thread Alvin Oga


hi ya

i did a dist-upgrade update upgrade today... and saw sudo get updated
before fixes to sudo were posted to bugtraq

c ya
alvin

On 15 Jan 2002, Adam Warner wrote:

> On Tue, 2002-01-15 at 09:44, Florian Weimer wrote:
>> Adam Warner [EMAIL PROTECTED] writes:
>>
>>> http://www.linuxtoday.com/news_story.php3?ltsn=2002-01-14-002-20-SC-DB
>>>
>>> Someone with better knowledge of all the facts might want to comment on
>>> the claim that "Debian is always the last to fix security holes" and the
>>> tag team follow up "I've been fighting for months now to try to convince
>>> them to release an advisory or fix for ftpd..."
>>
>> Of course, libc problems are a bit unfair for comparison.  Red Hat
>> runs the official CVS repository, and they probably knew about the
>> problem by mid-November or something like that (the fix was committed
>> on 2001-11-29, IIRC).
>
> I've just found that some anonymous poster promoted the Linux Today
> comments on Debian Planet:
>
> http://www.debianplanet.org//article.php?sid=568
>
> At this rate Slashdot isn't far off ;-)
>






Re: faster -- Re: Debian security being trashed in Linux Today comments

2002-01-15 Thread Wichert Akkerman

Previously Alvin Oga wrote:
> i did a dist-upgrade update upgrade today... and saw sudo get updated
> before fixes to sudo were posted to bugtraq

Actually it was posted to bugtraq about 15 minutes before but you only
saw it later due to moderation :)

Wichert.

-- 
  _
 [EMAIL PROTECTED] This space intentionally left occupied \
| [EMAIL PROTECTED]http://www.liacs.nl/~wichert/ |
| 1024D/2FA3BC2D 576E 100B 518D 2F16 36B0  2805 3CB8 9250 2FA3 BC2D |






Re: Debian security being trashed in Linux Today comments

2002-01-15 Thread Colin Phipps

On Wed, Jan 16, 2002 at 01:42:50AM +1300, Adam Warner wrote:
> ...it took the Debian Security Team an average of 35 days to fix
> security-related vulnerabilities.
>
> An average based upon a very long tail is highly misleading. Please
> quote the median time to fix a vulnerability instead.

It is not misleading in this case, the tail is the _most_ important part
of the data.  It doesn't matter if we patch every other hole in 10
minutes if we leave one open for months.

Furthermore I think the mean is exactly the right measure of this: from
the user point of view, the important figure is total exposure time,
i.e. sum of time between vulnerability discovery and patch (for
installed packages) for all vulns. For someone who installs every Debian
package, this is equal to (# of vulnerabilities)x(mean time to patch).
The former measures how well packages are audited in advance, the latter
measures how quickly vulnerabilities are corrected. It's the right
statistic.

-- 
Colin Phipps PGP 0x689E463E http://www.netcraft.com/






Re: Debian security being trashed in Linux Today comments

2002-01-15 Thread Wichert Akkerman

Previously Colin Phipps wrote:
> It is not misleading in this case, the tail is the _most_ important part
> of the data.  It doesn't matter if we patch every other hole in 10
> minutes if we leave one open for months.

Both are interesting though.

Wichert.

-- 
  _
 [EMAIL PROTECTED] This space intentionally left occupied \
| [EMAIL PROTECTED]http://www.liacs.nl/~wichert/ |
| 1024D/2FA3BC2D 576E 100B 518D 2F16 36B0  2805 3CB8 9250 2FA3 BC2D |






Re: Debian security being trashed in Linux Today comments

2002-01-15 Thread Tim Haynes

Colin Phipps [EMAIL PROTECTED] writes:

> On Wed, Jan 16, 2002 at 01:42:50AM +1300, Adam Warner wrote:
>> ...it took the Debian Security Team an average of 35 days to fix
>> security-related vulnerabilities.
>>
>> An average based upon a very long tail is highly misleading. Please
>> quote the median time to fix a vulnerability instead.
>
> It is not misleading in this case, the tail is the _most_ important part
> of the data. It doesn't matter if we patch every other hole in 10 minutes
> if we leave one open for months.

Yes it does, if that remaining hole is merely a local non-root potential
vulnerability with no known exploit that's a PITA to fix - you *must*
weight the average accordingly.

Much as I hate stats, I can see that what you want to measure is how much
lethargy there is in Debian, which means excluding other influences, and
instead of wondering about means, modes and medians, you've got to weight
the whole thing. Bah, complicated.

~Tim
-- 
http://spodzone.org.uk/






Re: Debian security being trashed in Linux Today comments

2002-01-15 Thread Karl E. Jorgensen

On Tue, Jan 15, 2002 at 01:52:47PM +0000, Colin Phipps wrote:
> [...]
> Furthermore I think the mean is exactly the right measure of this: from
> the user point of view, the important figure is total exposure time,
> i.e. sum of time between vulnerability discovery and patch (for
> installed packages) for all vulns. For someone who installs every Debian
> package, this is equal to (# of vulnerabilities)x(mean time to patch).
> The former measures how well packages are audited in advance, the latter
> measures how quickly vulnerabilities are corrected. It's the right
> statistic.

Are there any stats available on the number of people who have each
package installed? (I think not, but better ask).

If such stats were available, then security flaws in popular packages
could be weighted higher than flaws in the not-so-popular packages.

<tangent>Such numbers may also be useful for guesstimating the impact
of non-security related bugs... I feel a debian package coming
along... (mutters as he walks off into the sunset)</tangent>

> -- 
> Colin Phipps PGP 0x689E463E http://www.netcraft.com/

-- 
Karl E. Jørgensen
[EMAIL PROTECTED]
www.karl.jorgensen.com
One disk to rule them all, One disk to find them. One disk to bring
 them all and in the darkness grind them. In the Land of Redmond
 where the shadows lie. -- The Silicon Valley Tarot
  Henrique Holschuh





Re: Debian security being trashed in Linux Today comments

2002-01-15 Thread Colin Phipps

On Tue, Jan 15, 2002 at 02:04:38PM +0000, Tim Haynes wrote:
> Colin Phipps [EMAIL PROTECTED] writes:
>> It is not misleading in this case, the tail is the _most_ important part
>> of the data. It doesn't matter if we patch every other hole in 10 minutes
>> if we leave one open for months.
>
> Yes it does, if that remaining hole is merely a local non-root potential
> vulnerability with no known exploit that's a PITA to fix - you *must*
> weight the average accordingly.

Agreed, weighted mean (by severity of vulnerability and popularity of
package) would be better, if suitable weighting could be devised.

On Tue, Jan 15, 2002 at 01:55:18PM +0000, Karl E. Jorgensen wrote:
> Are there any stats available on the number of people who have each
> package installed?

Relative popularity of packages can be got from the popularity-contest
results (although this will tend to reflect workstations more than
servers, since people running a secure server aren't likely to run
something that sends their package list to anyone).
http://people.debian.org/~apenwarr//popcon/

-- 
Colin Phipps PGP 0x689E463E http://www.netcraft.com/
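The statistical argument running through this part of the thread (Colin's total-exposure identity, Tim's call to weight by severity, Karl's and Colin's idea of weighting by package popularity, and Peter's separate per-category figures) can be made concrete on a small table of advisories. The script below is an added example written for this page, not code from the thread, from Debian or from popularity-contest. Every package name, day count, severity score and popularity fraction in `ADVISORIES` is invented; the `severity` scale and the function names `total_exposure`, `exposure_for`, `weighted_mean_days` and `by_category` are choices made here. It goes slightly beyond the thread in also computing the exposure for a host with a given install set, which is the "for installed packages" part of Colin's definition.

```python
"""Exposure-time figures with severity, popularity and category weighting.

Added example (not from the thread or any Debian tool): on a constructed
advisory table it computes the total-exposure identity described in the
thread, severity- and popularity-weighted means, and a remote/local split.
"""
from statistics import mean, median

# Constructed advisories. 'popularity' stands in for the fraction of
# popularity-contest submitters with the package installed; 'severity' is an
# ad-hoc 1..3 score (1 = local, no known exploit ... 3 = remote, root).
# All names and numbers are invented.
ADVISORIES = [
    {"package": "libcore",      "days": 40,  "remote": True,  "severity": 3, "popularity": 1.00},
    {"package": "example-ftpd", "days": 120, "remote": True,  "severity": 3, "popularity": 0.05},
    {"package": "suhelper",     "days": 1,   "remote": False, "severity": 2, "popularity": 0.60},
    {"package": "mailtool",     "days": 3,   "remote": False, "severity": 1, "popularity": 0.50},
    {"package": "webcgi",       "days": 9,   "remote": True,  "severity": 2, "popularity": 0.20},
    {"package": "oldgame",      "days": 300, "remote": False, "severity": 1, "popularity": 0.02},
]


def total_exposure(advisories):
    """Sum of days each hole stayed open, for someone running every package.

    This equals (# of vulnerabilities) * (mean days to fix), which is why the
    plain mean, not the median, is the figure that scales total exposure.
    """
    days = [a["days"] for a in advisories]
    total = sum(days)
    assert abs(total - len(days) * mean(days)) < 1e-9   # the identity from the thread
    return total


def exposure_for(advisories, installed):
    """Exposure time counting only holes in packages the host actually has."""
    return sum(a["days"] for a in advisories if a["package"] in installed)


def weighted_mean_days(advisories, weight):
    """Mean days-to-fix with each advisory weighted by weight(advisory)."""
    weights = [weight(a) for a in advisories]
    if sum(weights) <= 0:
        raise ValueError("weights must sum to a positive number")
    return sum(w * a["days"] for w, a in zip(weights, advisories)) / sum(weights)


def by_category(advisories):
    """Separate figures for remote and local holes, as separate graphs would show."""
    out = {}
    for label, flag in (("remote", True), ("local", False)):
        days = [a["days"] for a in advisories if a["remote"] == flag]
        out[label] = {"n": len(days), "mean": mean(days),
                      "median": median(days), "max": max(days)}
    return out


if __name__ == "__main__":
    print("total exposure, every package installed:", total_exposure(ADVISORIES))
    print("exposure for a host with libcore + webcgi:",
          exposure_for(ADVISORIES, {"libcore", "webcgi"}))
    print("unweighted mean:       %.1f" % mean(a["days"] for a in ADVISORIES))
    print("popularity-weighted:   %.1f" % weighted_mean_days(ADVISORIES, lambda a: a["popularity"]))
    print("severity-weighted:     %.1f" % weighted_mean_days(ADVISORIES, lambda a: a["severity"]))
    print("severity x popularity: %.1f" % weighted_mean_days(
        ADVISORIES, lambda a: a["severity"] * a["popularity"]))
    for label, stats in by_category(ADVISORIES).items():
        print(label, stats)
```

On the constructed table the popularity weighting pulls the mean from about 79 days down to about 24, because the two slowest fixes are in packages almost nobody has installed, while the local-only split shows a median of 3 days next to a mean of about 101: the same tail-versus-typical tension the thread is arguing about, now visible per category. The popcon caveat Colin raises still applies to any real weighting: the popularity figures come from hosts that opt in, so they under-represent hardened servers.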






Re: Debian security being trashed in Linux Today comments

2002-01-15 Thread Peter Cordes

On Tue, Jan 15, 2002 at 02:34:47PM +, Colin Phipps wrote:
 On Tue, Jan 15, 2002 at 02:04:38PM +, Tim Haynes wrote:
  Colin Phipps [EMAIL PROTECTED] writes:
   It is not misleading in this case, the tail is the _most_ important part
   of the data. It doesn't matter if we patch every other hole in 10 minutes
   if we leave one open for months.
  
  Yes it does, if that remaining hole is merely a local non-root potential
  vulnerability with no known exploit that's a PITA to fix - you *must*
  weight the average accordingly.
 
 Agreed, weighted mean (by severity of vulnerability and popularity of
 package) would be better, if suitable weighting could be devised.

 Separate graphs would be more useful to more people.  (not everybody's
weighting would be the same as the weighting that would take a year of
debate to not be settled anyway...)  One graph for remote exploits, one for
local priviledge escalation, one for remote holes in Important (according to
pkg system), etc.  Make a graph for anything someone might be interested in.
Or even generate them on the fly with input from a set of checkboxes for which
package to include; if someone wanted to write the code, it wouldn't be
hard.  (assuming there's a good way to see which package falls into which
category...  Hmm, that's probably not so easy with the data that is kept now.)

 Anyway, the most useful thing would be multiple graphs according to a few
interesting criteria.

-- 
#define X(x,y) x##y
Peter Cordes ;  e-mail: X([EMAIL PROTECTED] , ns.ca)

The gods confound the man who first found out how to distinguish the hours!
 Confound him, too, who in this place set up a sundial, to cut and hack
 my day so wretchedly into small pieces! -- Plautus, 200 BCE


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]




Re: Debian security being trashed in Linux Today comments

2002-01-15 Thread Lupe Christoph

On Tuesday, 2002-01-15 at 13:07:12 +0100, Javier Fernández-Sanguino Peña wrote:
 On Tue, Jan 15, 2002 at 09:23:20AM +0100, Lupe Christoph wrote:

  I still think a table and graph would be a god addition to the security
  FAQ, as an answer to the question How long does Debian take to
  fix known vulnerabilities. Tne table could go in the FAQ, and the
  graph could be linked. (Dunno how the FAQ gets set up, but I guess
  there will be an ASCII-only version.)

   Already did it yesterday (except for th column with the data).
 See
 http://www.debian.org/doc/manuals/securing-debian-howto/ch11.en.html#s11.3

Thank you. But I can't parse An published in the debian-security
mailinglist showed that in the year 2001,  An email?

Lupe Christoph
-- 
| [EMAIL PROTECTED]   |http://free.prohosting.com/~lupe |
| I have challenged the entire ISO-9000 quality assurance team to a  |
| Bat-Leth contest on the holodeck. They will not concern us again.  |
| http://public.logica.com/~stepneys/joke/klingon.htm|


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]




Re: Debian security being trashed in Linux Today comments

2002-01-15 Thread Lupe Christoph
On Monday, 2002-01-14 at 23:20:21 -0400, Peter Cordes wrote:
 On Mon, Jan 14, 2002 at 01:25:11PM -0500, Jeremy L. Gaddis wrote:

  I recompressed it as a real PNG, and attached it to this mail, for your
 viewing pleasure :)  PNG gets 3.5 times better compression, probably because
 this image only uses 8 bits of colour, and the xwd was 24bit.

I hadn't tried to view it when it first came around. As a graph,
it is not very impressive. Hard to judge x and y for any point on
the curve. This would probably be better done as a histogram.

  Someone else mentioned that this graph should go up on a website, but
 someone else shot them down.  I think the suggestion was just for this image
 in particular, not that this should be done for every image-attachment on
 all lists.  Anyway, I agree that it would be cool to have this graph and the
 data available on a web site.  (With the data in a two-column ascii list,
 rather than a spreadsheet or something that needs to be downloaded and dealt
 with separately.)  Of course, then we might need to make up excuses, or
 preferably find solutions, for the exceptionally long bugs.

I still think a table and graph would be a god addition to the security
FAQ, as an answer to the question How long does Debian take to
fix known vulnerabilities. Tne table could go in the FAQ, and the
graph could be linked. (Dunno how the FAQ gets set up, but I guess
there will be an ASCII-only version.)

I believe the most useful format would be linear for the number of bugs
fixed, and log for the time. Like this

Time (days) No of fixes
1   ?
2-3 ?
4-7 ?
8-15?
16-31   ?
etc.

I'd be *really* interested in seeing that kind of table for more OSes.
Not only Linux distributions, but also Solaris, *BSD, and Windowses.

My gut feeling is that Debian would shine in such a comparison.
Initially, I came to Debian because I had the feeling that it was
the Linux dustribution with the fastest reaction to the discovery
of vulnerabilities. Judging from BUGTRAQ.

Lupe Christoph
-- 
| [EMAIL PROTECTED]   |http://free.prohosting.com/~lupe |
| I have challenged the entire ISO-9000 quality assurance team to a  |
| Bat-Leth contest on the holodeck. They will not concern us again.  |
| http://public.logica.com/~stepneys/joke/klingon.htm|



Re: Debian security being trashed in Linux Today comments

2002-01-15 Thread Adam Warner
On Tue, 2002-01-15 at 09:44, Florian Weimer wrote:
 Adam Warner [EMAIL PROTECTED] writes:
 
  http://www.linuxtoday.com/news_story.php3?ltsn=2002-01-14-002-20-SC-DB
  
  Someone with better knowledge of all the facts might want to comment on
  the claim that Debian is always the last to fix security holes and the
  tag team follow up I've been fighting for months now to try to convince
  them to release an advisory or fix for ftpd...
 
 Of course, libc problems are a bit unfair for comparison.  Red Hat
 runs the official CVS repository, and they probably knew about the
 problem by mid-November or something like that (the fix was committed
 on 2001-11-29, IIRC).

I've just found that some anonymous poster promoted the Linux Today
comments on Debian Planet:

http://www.debianplanet.org//article.php?sid=568

At this rate Slashdot isn't far off ;-)

Regards,
Adam



Re: Debian security being trashed in Linux Today comments

2002-01-15 Thread Simon Huggins
On Mon, Jan 14, 2002 at 09:53:15AM -0500, Noah L. Meyerhans wrote:
 On Mon, Jan 14, 2002 at 01:37:50PM +, Simon Huggins wrote:
  So perhaps Debian security is only as good as the package maintainers?
  I'm sure most maintainers do care and do investigate bugs I probably
  just had a bad experience.
 That is the case in unstable and testing, but not stable.

You seem to be implying I was talking about woody or sid yet the bug in
the BTS says potato.

 That is why you're encouraged to run stable on any machine connected
 to the internet.  In its case, there is a group within Debian who is
 responsible for providing security updates in a timely manner with or
 without assistance from the package maintainer.

I should probably have emailed security-team instead of security when I
found the bug.  Ho hum.


-- 
--(  Lefinnois[away] huggie: dans ton troupeau de  )--
Simon ( clef public c'est la quelle la bonne ?   ) Nomis
 Htag.pl 0.0.19



Re: Debian security being trashed in Linux Today comments

2002-01-15 Thread Javier Fernández-Sanguino Peña
On Tue, Jan 15, 2002 at 09:23:20AM +0100, Lupe Christoph wrote:
 On Monday, 2002-01-14 at 23:20:21 -0400, Peter Cordes wrote:
  On Mon, Jan 14, 2002 at 01:25:11PM -0500, Jeremy L. Gaddis wrote:
 
   I recompressed it as a real PNG, and attached it to this mail, for your
  viewing pleasure :)  PNG gets 3.5 times better compression, probably because
  this image only uses 8 bits of colour, and the xwd was 24bit.
 
 I hadn't tried to view it when it first came around. As a graph,
 it is not very impressive. Hard to judge x and y for any point on
 the curve. This would probably be better done as a histogram.

Well. Take into account it was done somewhat in a hurry... IIRC
x = number of days taken to fix bug
y = number of bugs fixed
 
   Someone else mentioned that this graph should go up on a website, but
  someone else shot them down.  I think the suggestion was just for this image

I did not shoot him down, just said I did not think it
would be possible. Problem is, debiandoc-sgml has no support for inline
images.

 I still think a table and graph would be a good addition to the security
 FAQ, as an answer to the question How long does Debian take to
 fix known vulnerabilities. The table could go in the FAQ, and the
 graph could be linked. (Dunno how the FAQ gets set up, but I guess
 there will be an ASCII-only version.)

Already did it yesterday (except for the column with the data).
See
http://www.debian.org/doc/manuals/securing-debian-howto/ch11.en.html#s11.3


Regards

Javi



Re: Debian security being trashed in Linux Today comments

2002-01-15 Thread Adam Warner
On Wed, 2002-01-16 at 01:07, Javier Fernández-Sanguino Peña wrote:

   Already did it yesterday (except for the column with the data).
 See
 http://www.debian.org/doc/manuals/securing-debian-howto/ch11.en.html#s11.3

Please consider removing any reference to the average amount of time in
the FAQ:

...it took the Debian Security Team an average of 35 days to fix
security-related vulnerabilities.

An average based upon a very long tail is highly misleading. Please
quote the median time to fix a vulnerability instead. This will be
less than or equal to 10 days given this statistic:

over 50% of the vulnerabilities were fixed in 10 days' time

Because of this research it looks like Debian's security information
page will have to be changed:

http://www.debian.org/security/

Debian takes security very seriously. Most security problems brought to
our attention are corrected within 48 hours.

That's just not an honest description of what's occurred. It appears
from the research that most (i.e. > 50%) of security problems are
corrected within 10 days, not 48 hours.

I still need to be able to download that spreadsheet. I have viewed the
PNG picture.

Regards,
Adam




Re: faster -- Re: Debian security being trashed in Linux Today comments

2002-01-15 Thread Wichert Akkerman
Previously Alvin Oga wrote:
 i did a dist-upgrade update upgrade today... and saw sudo get updated
 before fixes to sudo were posted to bugtraq

Actually it was posted to bugtraq about 15 minutes before but you only
saw it later due to moderation :)

Wichert.

-- 
  _
 /[EMAIL PROTECTED] This space intentionally left occupied \
| [EMAIL PROTECTED]http://www.liacs.nl/~wichert/ |
| 1024D/2FA3BC2D 576E 100B 518D 2F16 36B0  2805 3CB8 9250 2FA3 BC2D |



Re: faster -- Re: Debian security being trashed in Linux Today comments

2002-01-15 Thread Alvin Oga

hi ya wichert

true... i probably should have been clearer...
that i'm on the way end of the bugtraq list...

keep up the good work all ...

have fun
alvin
http://www.Linux-Sec.net ... hardening howtos ...


On Tue, 15 Jan 2002, Wichert Akkerman wrote:

 Previously Alvin Oga wrote:
  i did a dist-upgrade update upgrade today... and saw sudo get updated
  before fixes to sudo were posted to bugtraq
 
 Actually it was posted to bugtraq about 15 minutes before but you only
 saw it later due to moderation :)
 



Re: Debian security being trashed in Linux Today comments

2002-01-15 Thread Colin Phipps
On Wed, Jan 16, 2002 at 01:42:50AM +1300, Adam Warner wrote:
 ...it took the Debian Security Team an average of 35 days to fix
 security-related vulnerabilities.
 
 An average based upon a very long tail is highly misleading. Please
 quote the median time to fix a vulnerability instead.

It is not misleading in this case, the tail is the _most_ important part
of the data.  It doesn't matter if we patch every other hole in 10
minutes if we leave one open for months.

Furthermore I think the mean is exactly the right measure of this: from
the user point of view, the important figure is total exposure time,
i.e. sum of time between vulnerability discovery and patch (for
installed packages) for all vulns. For someone who installs every Debian
package, this is equal to (# of vulnerabilities)x(mean time to patch).
The former measures how well packages are audited in advance, the latter
measures how quickly vulnerabilities are corrected. It's the right
statistic.

-- 
Colin Phipps PGP 0x689E463E http://www.netcraft.com/



Re: Debian security being trashed in Linux Today comments

2002-01-15 Thread Wichert Akkerman
Previously Colin Phipps wrote:
 It is not misleading in this case, the tail is the _most_ important part
 of the data.  It doesn't matter if we patch every other hole in 10
 minutes if we leave one open for months.

Both are interesting though.

Wichert.

-- 
  _
 /[EMAIL PROTECTED] This space intentionally left occupied \
| [EMAIL PROTECTED]http://www.liacs.nl/~wichert/ |
| 1024D/2FA3BC2D 576E 100B 518D 2F16 36B0  2805 3CB8 9250 2FA3 BC2D |



Re: Debian security being trashed in Linux Today comments

2002-01-15 Thread Tim Haynes
Colin Phipps [EMAIL PROTECTED] writes:

 On Wed, Jan 16, 2002 at 01:42:50AM +1300, Adam Warner wrote:
  ...it took the Debian Security Team an average of 35 days to fix
 security-related vulnerabilities.
 
 An average based upon a very long tail is highly misleading. Please
 quote the median time to fix a vulnerability instead.

 It is not misleading in this case, the tail is the _most_ important part
 of the data. It doesn't matter if we patch every other hole in 10 minutes
 if we leave one open for months.

Yes it does, if that remaining hole is merely a local non-root potential
vulnerability with no known exploit that's a PITA to fix - you *must*
weight the average accordingly.

Much as I hate stats, I can see that what you want to measure is how much
lethargy there is in Debian, which means excluding other influences, and
instead of wondering about means, modes and medians, you've got to weight
the whole thing. Bah, complicated.

~Tim
-- 
http://spodzone.org.uk/
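The three statistics argued over in this thread (Adam Warner's median, Colin Phipps's total exposure time as number of vulnerabilities times mean time to patch, and Tim Haynes's severity-weighted mean) computed side by side on one constructed sample. This is an added example, not code from the thread or from Javier's spreadsheet; the fix times and the severity weights are made up for illustration, with one low-severity issue left open for 120 days to show what a long tail does to each figure.

```python
"""Mean, median, total exposure and severity-weighted mean of time-to-fix."""
from statistics import mean, median

# Constructed sample, not real DSA data: (days from disclosure to fixed
# package, severity weight). Weight 3 = remote root, 2 = remote non-root or
# local root, 1 = local, low impact. One low-severity issue sat open 120 days.
SAMPLE = [
    (1, 3), (2, 3), (2, 2), (3, 1), (5, 2), (7, 3),
    (9, 1), (10, 2), (10, 1), (12, 1), (30, 1), (120, 1),
]


def days(sample):
    """Just the fix times, without the weights."""
    return [d for d, _ in sample]


def mean_days(sample):
    """The figure the Securing Debian HOWTO quotes (35 days for the real data)."""
    return mean(days(sample))


def median_days(sample):
    """Adam's preferred figure: half the fixes landed faster than this."""
    return median(days(sample))


def fraction_within(sample, limit):
    """Share of fixes that landed within `limit` days ("over 50% within 10 days")."""
    ds = days(sample)
    return sum(1 for d in ds if d <= limit) / len(ds)


def total_exposure(sample):
    """Colin's figure: summed open time over all vulnerabilities.

    For someone running every package this is what they were exposed to,
    and it is exactly len(sample) * mean_days(sample): the tail counts in full.
    """
    return sum(days(sample))


def weighted_mean_days(sample):
    """Tim's suggestion: weight each fix time by severity, so a slow fix of a
    minor local issue pulls the figure up less than a slow remote root fix."""
    return sum(d * w for d, w in sample) / sum(w for _, w in sample)


def summary(sample):
    """All figures together, plus the mean with the single slowest fix dropped,
    which shows how much of the mean one outlier is responsible for."""
    without_slowest = sorted(sample)[:-1]
    return {
        "mean": mean_days(sample),
        "median": median_days(sample),
        "within_10_days": fraction_within(sample, 10),
        "total_exposure_days": total_exposure(sample),
        "weighted_mean": weighted_mean_days(sample),
        "mean_without_slowest": mean_days(without_slowest),
    }


if __name__ == "__main__":
    for name, value in summary(SAMPLE).items():
        print(f"{name:>22}: {value:.2f}")
```

On this sample the median is 8 days and 75% of fixes land within 10 days, yet the mean is about 17.6 days because a single 120-day fix contributes 120 of the 211 total exposure days; the severity-weighted mean (about 11.8 days) sits between the two because that outlier carries the lowest weight. Which of these is "the" number depends on the question asked, which is the disagreement above.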



Re: Debian security being trashed in Linux Today comments

2002-01-14 Thread Tim Haynes

Adam Warner [EMAIL PROTECTED] writes:

 http://www.linuxtoday.com/news_story.php3?ltsn=2002-01-14-002-20-SC-DB

 Someone with better knowledge of all the facts might want to comment on
 the claim that Debian is always the last to fix security holes and the
 tag team follow up I've been fighting for months now to try to convince
 them to release an advisory or fix for ftpd...

Some of us wouldn't dare say such things without at least reviewing the
given distro's security policy, FAQ and history.

http://www.debian.org/security/ is over there ---> .

~Tim
-- 
http://spodzone.org.uk/


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]




Re: Debian security being trashed in Linux Today comments

2002-01-14 Thread Wichert Akkerman

Previously Adam Warner wrote:
 Someone with better knowledge of all the facts might want to comment on
 the claim that Debian is always the last to fix security holes and the
 tag team follow up I've been fighting for months now to try to convince
 them to release an advisory or fix for ftpd...

Someone should point them to Javier's analysis of security response
times..

Wichert.

-- 
  _
 [EMAIL PROTECTED] This space intentionally left occupied \
| [EMAIL PROTECTED]http://www.liacs.nl/~wichert/ |
| 1024D/2FA3BC2D 576E 100B 518D 2F16 36B0  2805 3CB8 9250 2FA3 BC2D |






Re: Debian security being trashed in Linux Today comments

2002-01-14 Thread Daniel Polombo

Adam Warner wrote:

 On Tue, 2002-01-15 at 01:05, Tim Haynes wrote:

Some of us wouldn't dare say such things without at least reviewing the
given distro's security policy, FAQ and history.

 But I was really impressed that updates for unstable/testing were
 released at the same time. For those of us that use/test the bleeding
 edge on our systems it's a great reassurance to see the security team
 giving consideration to the security of testing/unstable.


Well, maybe you should follow Tim's advice and go check the security team's FAQ:

Q: How is security handled for testing and unstable?

A: The short answer is: it's not. Testing and unstable are rapidly moving
   targets and the security team does not have the resources needed to
   properly support those. If you want to have a secure (and stable)
   server you are strongly encouraged to stay with stable.

Of course, if you're using unstable, fixes tend to appear quickly, but:

- "tend to" is not acceptable when security is concerned
- it may take a lot more time depending on your local mirror

--
Daniel






Re: Debian security being trashed in Linux Today comments

2002-01-14 Thread Simon Huggins

On Mon, Jan 14, 2002 at 12:05:34PM +, Tim Haynes wrote:
 Adam Warner [EMAIL PROTECTED] writes:
  http://www.linuxtoday.com/news_story.php3?ltsn=2002-01-14-002-20-SC-DB
 
  Someone with better knowledge of all the facts might want to comment
  on the claim that Debian is always the last to fix security holes
  and the tag team follow up I've been fighting for months now to try
  to convince them to release an advisory or fix for ftpd...
 Some of us wouldn't dare say such things without at least reviewing
 the given distro's security policy, FAQ and history.

 http://www.debian.org/security/ is over there ---> .

Indeed.  My only experience with trying to get an exploitable package
patched was rather disappointing though.

I believe (not being a Debian developer myself) that [EMAIL PROTECTED]
goes to debian-private which is only available to developers.  It then
requires the developer of the package you're reporting about to be awake
enough to /do/ something about the bug you are reporting.

I had problems with apache whose old maintainer didn't really seem to
care (bug 104187 for the gory details)

So perhaps Debian security is only as good as the package maintainers?
I'm sure most maintainers do care and do investigate bugs I probably
just had a bad experience.


-- 
--(  Have you seen a man who's lost his luggage?   )--
Simon (   -- Suitcase) Nomis
 Htag.pl 0.0.19






Re: Debian security being trashed in Linux Today comments

2002-01-14 Thread Javier Fernández-Sanguino Peña

On Mon, Jan 14, 2002 at 01:15:16PM +0100, Wichert Akkerman wrote:
 Previously Adam Warner wrote:
  Someone with better knowledge of all the facts might want to comment on
  the claim that Debian is always the last to fix security holes and the
  tag team follow up I've been fighting for months now to try to convince
  them to release an advisory or fix for ftpd...
 
 Someone should point them to Javier's analysis of security response
 times..

Thanks, I was about to say so... BTW pointer is:
http://lists.debian.org/debian-security/2001/debian-security-200112/msg00257.html

I'm going to add this to the info available in the Debian
Security Manual; it seems to be a FAQ

Javi






Re: Debian security being trashed in Linux Today comments

2002-01-14 Thread Noah L. Meyerhans

On Mon, Jan 14, 2002 at 01:37:50PM +, Simon Huggins wrote:
 So perhaps Debian security is only as good as the package maintainers?
 I'm sure most maintainers do care and do investigate bugs I probably
 just had a bad experience.

That is the case in unstable and testing, but not stable.  That is why
you're encouraged to run stable on any machine connected to the
internet.  In its case, there is a group within Debian who is
responsible for providing security updates in a timely manner with or
without assistance from the package maintainer.

noah

-- 
 ___
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html 





Re: Debian security being trashed in Linux Today comments

2002-01-14 Thread Tim Haynes

Noah L. Meyerhans [EMAIL PROTECTED] writes:

 On Mon, Jan 14, 2002 at 01:37:50PM +, Simon Huggins wrote:
  So perhaps Debian security is only as good as the package maintainers?
 I'm sure most maintainers do care and do investigate bugs I probably
 just had a bad experience.

 That is the case in unstable and testing, but not stable. That is why
 you're encouraged to run stable on any machine connected to the internet.
 In its case, there is a group within Debian who is responsible for
 providing security updates in a timely manner with or without assistance
 from the package maintainer.

Agreed. You have to decide for the situation at hand; as it happens, my
favourite colo server runs Testing, on the grounds that one of these days,
Stable will change en-masse and the last thing I want is for ssh not to
restart in my daily dist-upgrades of nearly every package on the box - the
machine came home for a bit of TLC one time and got put onto Testing so the
daily dist-upgrade only does a few packages rather than the whole lot.
In the meantime, security patches (notably only _mutt_ anyway) can come
down from Unstable.

Cheers,

~Tim
-- 
http://spodzone.org.uk/






Re: Debian security being trashed in Linux Today comments

2002-01-14 Thread Lupe Christoph

On Monday, 2002-01-14 at 15:12:48 +0100, Javier Fernández-Sanguino Peña wrote:
 On Mon, Jan 14, 2002 at 01:15:16PM +0100, Wichert Akkerman wrote:
  Previously Adam Warner wrote:
   Someone with better knowledge of all the facts might want to comment on
   the claim that Debian is always the last to fix security holes and the
   tag team follow up I've been fighting for months now to try to convince
   them to release an advisory or fix for ftpd...

  Someone should point them to Javier's analysis of security response
  times..

   Thanks, I was about to say so... BTW pointer is:
 http://lists.debian.org/debian-security/2001/debian-security-200112/msg00257.html

   I'm going to add this to the info available in the Debian
 Security Manual; it seems to be a FAQ

I hope you provide a cleaned-up version. .../msg00257.html is full
of binary crap. And the link .../bin0.bin could be stored
as the PNG file it is supposed to be. The way it is now, I get
a MIME-type of application/octet-stream, which Mozilla won't
display. Maybe you can put the text, the spreadsheet, and the
graph on a website?

Archive maintainers, what happens to attachments like those in
the mentioned mail? I don't keep debian-security mails around,
so I can't see what MIME-type the attachments had. The binary crap
must be the spreadsheet which has been inlined.

Lupe Christoph
-- 
| [EMAIL PROTECTED]   |http://free.prohosting.com/~lupe |
| I have challenged the entire ISO-9000 quality assurance team to a  |
| Bat-Leth contest on the holodeck. They will not concern us again.  |
| http://public.logica.com/~stepneys/joke/klingon.htm|






Re: Debian security being trashed in Linux Today comments

2002-01-14 Thread Javier Fernández-Sanguino Peña

On Mon, Jan 14, 2002 at 06:16:46PM +0100, Lupe Christoph wrote:
 
 I hope you provide a cleaned-up version. .../msg00257.html is full
 of binary crap. And the link .../bin0.bin could be stored
 as the PNG file it is supposed to be. The way it is now, I get
 a MIME-type of application/octet-stream, which Mozilla won't
 display. Maybe you can put the text, the spreadsheet, and the
 graph on a website?

Ummm not likely.
 
 Archive maintainers, what happens to attachments like those in
 the mentioned mail? I don't keep debian-security mails around,
 so I can't see what MIME-type the attachments had. The binary crap
 must be the spreadsheet which has been inlined.

As I said, attachments are not parsed correctly by the archiving
software. And no, the spreadsheet should have been sent as a MIME
attachment (used mutt).

Regards

Javi






RE: Debian security being trashed in Linux Today comments

2002-01-14 Thread Jeremy L. Gaddis

It renders fine in IE.  :)

The binary data is, I presume, the two files that
Javier attached, as stated in the message:

<quote>
I adjoint some data:

- a Gnumeric spreadsheet with all the information
- a PNG graphic with this year's distribution of time-to-fix (in days)
  made by gnuplot with the previous data
</quote>

j.

--
Jeremy L. Gaddis [EMAIL PROTECTED]

-Original Message-
From: Lupe Christoph [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 14, 2002 12:17 PM
To: Javier Fernández-Sanguino Peña
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: Debian security being trashed in Linux Today comments


On Monday, 2002-01-14 at 15:12:48 +0100, Javier Fernández-Sanguino Peña
wrote:
 On Mon, Jan 14, 2002 at 01:15:16PM +0100, Wichert Akkerman wrote:
  Previously Adam Warner wrote:
   Someone with better knowledge of all the facts might want to
comment on
   the claim that Debian is always the last to fix security holes
and the
   tag team follow up I've been fighting for months now to try to
convince
   them to release an advisory or fix for ftpd...

  Someone should point them to Javier's analysis of security response
  times..

   Thanks, I was about to say so... BTW pointer is:

http://lists.debian.org/debian-security/2001/debian-security-200112/msg0
0257.html

   I'm going to add this to the info available in the Debian
 Security Manual; it seems to be a FAQ

I hope you provide a cleaned-up version. .../msg00257.html is full
of binary crap. And the link .../bin0.bin could be stored
as the PNG file it is supposed to be. The way it is now, I get
a MIME-type of application/octet-stream, which Mozilla won't
display. Maybe you can put the text, the spreadsheet, and the
graph on a website?

Archive maintainers, what happens to attachments like those in
the mentioned mail? I don't keep debian-security mails around,
so I can't see what MIME-type the attachments had. The binary crap
must be the spreadsheet which has been inlined.

Lupe Christoph
--
| [EMAIL PROTECTED]   |http://free.prohosting.com/~lupe
|
| I have challenged the entire ISO-9000 quality assurance team to a
|
| Bat-Leth contest on the holodeck. They will not concern us again.
|
| http://public.logica.com/~stepneys/joke/klingon.htm
|








Re: Debian security being trashed in Linux Today comments

2002-01-14 Thread Micah Anderson

On Mon, 14 Jan 2002, Daniel Polombo wrote:

 Adam Warner wrote:

 Well, maybe you should follow Tim's advice and go check the security team's 
 FAQ :
 
Q: How is security handled for testing and unstable?
 
A: The short answer is: it's not. Testing and unstable are rapidly moving
   targets and the security team does not have the resources needed to
   properly support those. If you want to have a secure (and stable)
   server you are strongly encouraged to stay with stable.
 
 Of course, if you're using unstable, fixes tend to appear quickly, but :
 
 - "tend to" is not acceptable when security is concerned
 - it may take a lot more time depending on your local mirror


As woody draws closer and closer to being stable, and potato draws
closer and closer to the legendary dinosaurs which roamed the earth
with regards to its outdated software, perhaps this commitment to
woody's security could be revisited. I would be surprised if a lot of
the criticism that is coming out on this issue is not related to the
fact that a lot of people have moved from potato to woody because they
cannot continue to use potato due to the requirements of certain
software or underlying libraries, and are thus burned by this security
policy.

Let's face it, potato has some ancient software that is getting
outdated, you can hardly find any software that uses db2 anymore, and
it is not trivial to backport from db3, the version of perl makes
usage and installation of anything that was done in the last 5 years
difficult... potato is great, if you want to only use the packages
which come with it, it is great as a server which doesn't need any
changes, but if you want to do anything semi-new, or outside of the
package scope, you have to move to woody, or just wait. With that
movement comes a significant loss in security policy.

Now that woody draws near to being stable, perhaps the policy can be
altered to accommodate for that.

Micah






Re: Debian security being trashed in Linux Today comments

2002-01-14 Thread John Galt


Okay, this has gone far enough.  The reason that s.d.o only deals with
stable is that stable is the only part of Debian that by its nature
cannot change.  For unstable (and now testing) if there's a security bug,
any DD can put up an NMU if it's severe enough, or the regular maintainer
can fix it in a [relatively] short amount of time. It's just not feasible
to expect a change to propagate in stable, because stable doesn't change
at all, except in very small spurts: there have been 5 revisions to
potato in the last [going on 2] years.  THIS is the reason that there's no
s.d.o support for testing and unstable.  So when woody becomes stable,
there WILL be s.d.o support for woody, because woody won't change.  Until
they become [stagnant,stable], there is just not enough reason to have
s.d.o support for a distribution.


On Mon, 14 Jan 2002, Micah Anderson wrote:

On Mon, 14 Jan 2002, Daniel Polombo wrote:

 Adam Warner wrote:

 Well, maybe you should follow Tim's advice and go check the security team's 
 FAQ :
 
Q: How is security handled for testing and unstable?
 
A: The short answer is: it's not. Testing and unstable are rapidly moving
   targets and the security team does not have the resources needed to
   properly support those. If you want to have a secure (and stable)
   server you are strongly encouraged to stay with stable.
 
 Of course, if you're using unstable, fixes tend to appear quickly, but :
 
 - "tend to" is not acceptable when security is concerned
 - it may take a lot more time depending on your local mirror


As woody draws closer and closer to being stable, and potato draws
closer and closer to the legendary dinosaurs which roamed the earth
with regards to its outdated software, perhaps this commitment to
woody's security could be revisited. I would be surprised if a lot of
the criticism that is coming out on this issue is not related to the
fact that a lot of people have moved from potato to woody because they
cannot continue to use potato due to the requirements of certain
software or underlying libraries, and are thus burned by this security
policy.

Let's face it, potato has some ancient software that is getting
outdated, you can hardly find any software that uses db2 anymore, and
it is not trivial to backport from db3, the version of perl makes
usage and installation of anything that was done in the last 5 years
difficult... potato is great, if you want to only use the packages
which come with it, it is great as a server which doesn't need any
changes, but if you want to do anything semi-new, or outside of the
package scope, you have to move to woody, or just wait. With that
movement comes a significant loss in security policy.

Now that woody draws near to being stable, perhaps the policy can be
altered to accommodate for that.

Micah




-- 
void hamlet()
{#define question=((bb)||(!bb))}

Who is John Galt?  [EMAIL PROTECTED] that's who!






Re: Debian security being trashed in Linux Today comments

2002-01-14 Thread Florian Weimer

Adam Warner [EMAIL PROTECTED] writes:

 http://www.linuxtoday.com/news_story.php3?ltsn=2002-01-14-002-20-SC-DB
 
 Someone with better knowledge of all the facts might want to comment on
 the claim that Debian is always the last to fix security holes and the
 tag team follow up I've been fighting for months now to try to convince
 them to release an advisory or fix for ftpd...

Of course, libc problems are a bit unfair for comparison.  Red Hat
runs the official CVS repository, and they probably knew about the
problem by mid-November or something like that (the fix was committed
on 2001-11-29, IIRC).

-- 
Florian Weimer[EMAIL PROTECTED]
University of Stuttgart   http://CERT.Uni-Stuttgart.DE/people/fw/
RUS-CERT  +49-711-685-5973/fax +49-711-685-5898






Re: Debian security being trashed in Linux Today comments

2002-01-14 Thread Josip Rodin

On Mon, Jan 14, 2002 at 07:19:29PM +0100, Javier Fernández-Sanguino Peña wrote:
  I hope you provide a cleaned-up version. .../msg00257.html is full
  of binary crap. And the link .../bin0.bin could be stored
  as the PNG file it is supposed to be. The way it is now, I get
  a MIME-type of application/octet-stream, which Mozilla won't
  display.
 
   As I said, attachments are not parsed correctly by the archiving
 software. And no, the spreadsheet should have been sent as a MIME
 attachment (used mutt).

Does anyone know if we can tweak mhonarc to handle this more gracefully?

-- 
 2. That which causes joy or happiness.






Re: Debian security being trashed in Linux Today comments

2002-01-14 Thread Adam Warner

On Tue, 2002-01-15 at 01:41, Daniel Polombo wrote:
 Adam Warner wrote:
 
  On Tue, 2002-01-15 at 01:05, Tim Haynes wrote:
 
 Some of us wouldn't dare say such things without at least reviewing the
 given distro's security policy, FAQ and history.
 
  But I was really impressed that updates for unstable/testing were
  released at the same time. For those of us that use/test the bleeding
  edge on our systems it's a great reassurance to see the security team
  giving consideration to the security of testing/unstable.
 
 Well, maybe you should follow Tim's advice and go check the security team's FAQ :

Weren't my comments enough for you to be able to interpret WHY I said
I was really impressed? I have known and understood the security FAQ
for a long time Daniel.
 
 Q: How is security handled for testing and unstable?
 
 A: The short answer is: it's not. Testing and unstable are rapidly moving
targets and the security team does not have the resources needed to
properly support those. If you want to have a secure (and stable)
server you are strongly encouraged to stay with stable.

http://www.debian.org/security/2002/dsa-097

This problem has been fixed in Exim version 3.12-10.2 for the stable
distribution Debian GNU/Linux 2.2 and 3.33-1.1 for the testing and
unstable distribution.

Oops the security team breached their FAQ :-)

 Of course, if you're using unstable, fixes tend to appear quickly, but :
 
 - "tend to" is not acceptable when security is concerned
 - it may take a lot more time depending on your local mirror

Which is why I uncommented the main distribution sites in sources.list
and got the updates for testing/unstable right away. That's why I was
impressed. Because I am aware of the FAQ.

Still I hope such care about the security of testing/unstable continues
and note the comments of John Galt.

I have noticed many instances where unstable has been secure when stable
has not (before an update). Bugs that are found in Potato are not always
relevant to the quick moving new binaries and code in unstable.

I feel happy about the security of my unstable systems and am not aware
of any vulnerabilities that I have read about at Linux Weekly News that
presently affect my installations. I have had to keep up with a few
fixes to Zope in the past but there was a huge Python transition being
undertaken at the time.

Regards,
Adam







Re: Debian security being trashed in Linux Today comments

2002-01-14 Thread Peter Cordes

On Mon, Jan 14, 2002 at 01:25:11PM -0500, Jeremy L. Gaddis wrote:
 It renders fine in IE.  :)

 Yeah, but it has the binary crap at the end.  It renders like that in moz
too.  (both running on the family 'doze PC while I type this mail through
PuTTY.)

 
 The binary data is, I presume, the two files that
 Javier attached, as stated in the message:
 
 <quote>
 I adjoint some data:
 
 - a Gnumeric spreadsheet with all the information
 - a PNG graphic with this year's distribution of time-to-fix (in days)
   made by gnuplot with the previous data
 </quote>

 The binary crap is probably the spreadsheet by itself, but maybe the image
too.  The download link for bin0.bin is the image.  It is not PNG, but
rather a gzipped xwd.  I don't know why it's .bin instead of .xwd.gz.

 I recompressed it as a real PNG, and attached it to this mail, for your
viewing pleasure :)  PNG gets 3.5 times better compression, probably because
this image only uses 8 bits of colour, and the xwd was 24bit.


 Someone else mentioned that this graph should go up on a website, but
someone else shot them down.  I think the suggestion was just for this image
in particular, not that this should be done for every image-attachment on
all lists.  Anyway, I agree that it would be cool to have this graph and the
data available on a web site.  (With the data in a two-column ascii list,
rather than a spreadsheet or something that needs to be downloaded and dealt
with separately.)  Of course, then we might need to make up excuses, or
preferably find solutions, for the exceptionally long bugs.

-- 
#define X(x,y) x##y
Peter Cordes ;  e-mail: X([EMAIL PROTECTED] , ns.ca)

The gods confound the man who first found out how to distinguish the hours!
 Confound him, too, who in this place set up a sundial, to cut and hack
 my day so wretchedly into small pieces! -- Plautus, 200 BCE



fix-time.png
Description: PNG image


Re: Debian security being trashed in Linux Today comments

2002-01-14 Thread Peter Cordes

On Mon, Jan 14, 2002 at 12:17:15PM -0700, John Galt wrote:
 
 Okay, this has gone far enough.  The reason that s.d.o only deals with 
 stable is that stable is the only part of Debian that by it's nature 
 cannot change.  For unstable (and now testing) if there's a security bug, 
 any DD can put up a NMU if it's severe enough, or the regular maintainer 
 can fix it in a [relatively] short amount of time. It's just not feasible 
 to expect a change to propagate in stable, because stable doesn't change 
 at all, except in very small spurts: there have been 5 revisions to 
 potato in the last [going on 2] years.  THIS is the reason that there's no 
 s.d.o support for testing and unstable.  So when woody becomes stable, 
 there WILL be s.d.o support for woody, because woody won't change.  Until 
 they become [stagnant,stable], there is just not enough reason to have 
 s.d.o support for a distribution.

 I think this was well known already, but now that we're sure everyone knows
this, I think Micah's idea is interesting.  When things are a long way from
a freeze/release, you're right, John, it's ok to let security be handled in
the current haphazard way it does now.  However, how is the testing release
(currently woody) going to get any testing if nobody uses it because its
security isn't good enough?  Some say you should never run unstable or
testing on a machine connected to the internet, but almost all computers are
connected to the Internet, at least as clients.  This especially applies to
the home computers of the average hacker, which is the kind of person who
would usefully test and provide feedback on woody.  A home system is
somewhere I would use a system that wasn't guaranteed to be secure, and
where I might have to shut down daemons if no security fix was available for
a problem that affected them. (of course I want my machine to be secure, but
I can live without guarantees and check on things myself.) I actually use
woody on my home NAT firewall, which also runs exim and sshd.  (These are
the only daemons allowing connections from the outside world on this
machine.)

 Hmm, if a security problem which affects unstable and/or testing, but not
stable, is found, what happens?  I presume it would get mentioned here, but
is a DSA sent out when it's fixed?  Would I have to read Bugtraq or
something to get notification as soon as it's found (so I could shut down an
insecure daemon until the problem was fixed.)  I'd rather temporarily give
up the ability to ssh into my home machine and check my email than leave it
open to attack.

 On Mon, 14 Jan 2002, Micah Anderson wrote:
 As woody draws closer and closer to being stable, and potato draws
 closer and closer to the legendary dinosaurs which roamed the earth
 with regards to its outdated software, perhaps this commitment to
 woody's security could be revisited. I would be surprised if a lot of
 the criticism that is coming out on this issue is not related to the
 fact that a lot of people have moved from potato to woody because they
 cannot continue to use potato due to the requirements of certain
 software or underlying libraries, and are thus burned by this security
 policy.
 
  [...]
 
 Now that woody draws near to being stable, perhaps the policy can be
 altered to accommodate for that. 

 I agree.  To get testing better tested (by providing the service more
people need to run it), and to get the security team familiar with the
soon-to-be-stable release, there could be a mechanism for security fixes to
get done on woody, etc.  I don't know what kind of security promises would
be appropriate, or what, but I think it would be a good idea to do something
along these lines.  Maybe someone should make a list of packages that the
security team would take time to deal with in woody, and add packages to it
over time.  Starting with popular packages and/or packages classified as
required/important might make sense.

 Here's another idea: Only worry about remote exploits for non-stable dists.
Many of the security advisories apply to local security only, and don't let
a remote attacker get into the machine in the first place.  (Many of them
would help an attacker get root after getting a shell running as e.g. nobody
or http).  Only worrying about remote exploits in soon-to-be-released dists
would let a lot more people run them safely, since a lot of home systems
are single user, or at least the other users are trusted/not skilled.
(Think family members and roommates.  If they crack your system, you can put
glue on their doorknob or a snowball in their boots :) For important servers
where you really care, like in a business environment, you would certainly
want to stick with stable, so no new holes will be introduced, nothing
breaks, etc.  For systems where you are prepared to live with a little
danger, you can run testing and give stuff a workout.  When there are known
local exploits that haven't been fixed in the dist you're running, it's like
running your daemons 

Re: Debian security being trashed in Linux Today comments

2002-01-14 Thread Olaf Meeuwissen


Peter Cordes [EMAIL PROTECTED] writes:

 [...]  To get testing better tested (by providing the service more
 people need to run it), and to get the security team familiar with
 the soon-to-be-stable release, there could be a mechanism for
 security fixes to get done on woody, etc.  I don't know what kind of
 security promises would be appropriate, or what, but I think it
 would be a good idea to do something along these lines.  Maybe
 someone should make a list of packages that the security team would
 take time to deal with in woody, and add packages to it over time.
 Starting with popular packages and/or packages classified as
 required/important might make sense.

Currently, testing is getting frozen in steps as far as I understand
the process.  What about providing proper security updates for those
parts that have already been frozen?  These would have to be dealt with
in a special way to get upgraded anyway so you might as well provide
the upgrade as a proper security update.  This could also serve as a
handle for the folks who are coordinating the release process.
- -- 
Olaf Meeuwissen   Epson Kowa Corporation, Research and Development
GnuPG key: 6BE37D90/AB6B 0D1F 99E7 1BF5 EB97  976A 16C7 F27D 6BE3 7D90
LPIC-2   -- I hack, therefore I am -- BOFH






Re: Debian security being trashed in Linux Today comments

2002-01-14 Thread Tim Haynes
Adam Warner [EMAIL PROTECTED] writes:

 http://www.linuxtoday.com/news_story.php3?ltsn=2002-01-14-002-20-SC-DB

 Someone with better knowledge of all the facts might want to comment on
 the claim that Debian is always the last to fix security holes and the
 tag team follow up I've been fighting for months now to try to convince
 them to release an advisory or fix for ftpd...

Some of us wouldn't dare say such things without at least reviewing the
given distro's security policy, FAQ and history.

http://www.debian.org/security/ is over there --- .

~Tim
-- 
http://spodzone.org.uk/



Re: Debian security being trashed in Linux Today comments

2002-01-14 Thread Wichert Akkerman
Previously Adam Warner wrote:
 Someone with better knowledge of all the facts might want to comment on
 the claim that Debian is always the last to fix security holes and the
 tag team follow up I've been fighting for months now to try to convince
 them to release an advisory or fix for ftpd...

Someone should point them to Javier's analysis of security response
times..

Wichert.

-- 
  _
 /[EMAIL PROTECTED] This space intentionally left occupied \
| [EMAIL PROTECTED]http://www.liacs.nl/~wichert/ |
| 1024D/2FA3BC2D 576E 100B 518D 2F16 36B0  2805 3CB8 9250 2FA3 BC2D |



Re: Debian security being trashed in Linux Today comments

2002-01-14 Thread Adam Warner
On Tue, 2002-01-15 at 01:05, Tim Haynes wrote:
 Adam Warner [EMAIL PROTECTED] writes:
 
  http://www.linuxtoday.com/news_story.php3?ltsn=2002-01-14-002-20-SC-DB
 
  Someone with better knowledge of all the facts might want to comment on
  the claim that Debian is always the last to fix security holes and the
  tag team follow up I've been fighting for months now to try to convince
  them to release an advisory or fix for ftpd...
 
 Some of us wouldn't dare say such things without at least reviewing the
 given distro's security policy, FAQ and history.
 
 http://www.debian.org/security/ is over there --- .

I'm aware that Debian manages to get advisories out extremely
quickly--in some cases before any other distribution. But I'm not aware
of the history of the second poster's claims.

I did recently note that the latest exim advisory was released on 4
January but the fix for uncontrolled program execution was posted by
Philip Hazel on 19 December. That's no 48 hours. And the patch was even
provided in the post [in this case I suspect the post by Philip Hazel
was missed].

But I was really impressed that updates for unstable/testing were
released at the same time. For those of us that use/test the bleeding
edge on our systems it's a great reassurance to see the security team
giving consideration to the security of testing/unstable.

Regards,
Adam



Re: Debian security being trashed in Linux Today comments

2002-01-14 Thread Daniel Polombo

Adam Warner wrote:

 On Tue, 2002-01-15 at 01:05, Tim Haynes wrote:

  Some of us wouldn't dare say such things without at least reviewing the
  given distro's security policy, FAQ and history.

 But I was really impressed that updates for unstable/testing were
 released at the same time. For those of us that use/test the bleeding
 edge on our systems it's a great reassurance to see the security team
 giving consideration to the security of testing/unstable.

Well, maybe you should follow Tim's advice and go check the security team's FAQ:

   Q: How is security handled for testing and unstable?

   A: The short answer is: it's not. Testing and unstable are rapidly moving
  targets and the security team does not have the resources needed to
  properly support those. If you want to have a secure (and stable)
  server you are strongly encouraged to stay with stable.

Of course, if you're using unstable, fixes tend to appear quickly, but :

- "tend to" is not acceptable when security is concerned
- it may take a lot more time depending on your local mirror

--
Daniel



Re: Debian security being trashed in Linux Today comments

2002-01-14 Thread Simon Huggins
On Mon, Jan 14, 2002 at 12:05:34PM +, Tim Haynes wrote:
 Adam Warner [EMAIL PROTECTED] writes:
  http://www.linuxtoday.com/news_story.php3?ltsn=2002-01-14-002-20-SC-DB
 
  Someone with better knowledge of all the facts might want to comment
  on the claim that Debian is always the last to fix security holes
  and the tag team follow up I've been fighting for months now to try
  to convince them to release an advisory or fix for ftpd...
 Some of us wouldn't dare say such things without at least reviewing
 the given distro's security policy, FAQ and history.

 http://www.debian.org/security/ is over there --- .

Indeed.  My only experience with trying to get an exploitable package
patched was rather disappointing though.

I believe (not being a Debian developer myself) that [EMAIL PROTECTED]
goes to debian-private which is only available to developers.  It then
requires the developer of the package you're reporting about to be awake
enough to /do/ something about the bug you are reporting.

I had problems with apache whose old maintainer didn't really seem to
care (bug 104187 for the gory details).

So perhaps Debian security is only as good as the package maintainers?
I'm sure most maintainers do care and do investigate bugs; I probably
just had a bad experience.


-- 
--(  Have you seen a man who's lost his luggage?   )--
Simon (   -- Suitcase) Nomis
 Htag.pl 0.0.19



Re: Debian security being trashed in Linux Today comments

2002-01-14 Thread Javier Fernández-Sanguino Peña
On Mon, Jan 14, 2002 at 01:15:16PM +0100, Wichert Akkerman wrote:
 Previously Adam Warner wrote:
  Someone with better knowledge of all the facts might want to comment on
  the claim that Debian is always the last to fix security holes and the
  tag team follow up I've been fighting for months now to try to convince
  them to release an advisory or fix for ftpd...
 
 Someone should point them to Javier's analysis of security response
 times..

Thanks, I was about to say so... BTW pointer is:
http://lists.debian.org/debian-security/2001/debian-security-200112/msg00257.html

I'm going to add this to the info available in the Debian
Security Manual, it seems to be a FAQ

Javi



Re: Debian security being trashed in Linux Today comments

2002-01-14 Thread Noah L. Meyerhans
On Mon, Jan 14, 2002 at 01:37:50PM +, Simon Huggins wrote:
 So perhaps Debian security is only as good as the package maintainers?
 I'm sure most maintainers do care and do investigate bugs I probably
 just had a bad experience.

That is the case in unstable and testing, but not stable.  That is why
you're encouraged to run stable on any machine connected to the
internet.  In its case, there is a group within Debian who is
responsible for providing security updates in a timely manner with or
without assistance from the package maintainer.

noah

-- 
 ___
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html 




Re: Debian security being trashed in Linux Today comments

2002-01-14 Thread Tim Haynes
Noah L. Meyerhans [EMAIL PROTECTED] writes:

 On Mon, Jan 14, 2002 at 01:37:50PM +, Simon Huggins wrote:
  So perhaps Debian security is only as good as the package maintainers?
 I'm sure most maintainers do care and do investigate bugs I probably
 just had a bad experience.

 That is the case in unstable and testing, but not stable. That is why
 you're encouraged to run stable on any machine connected to the internet.
 In its case, there is a group within Debian who is responsible for
 providing security updates in a timely manner with or without assistance
 from the package maintainer.

Agreed. You have to decide for the situation at hand; as it happens, my
favourite colo swerver runs Testing, on the grounds that one of these days,
Stable will change en-masse and the last thing I want is for ssh not to
restart in my daily dist-upgrades of nearly every package on the box - the
machine came home for a bit of TLC one time and got put onto Testing so the
daily dist-upgrade only does a few packages rather than the whole lot.
In the meantime, security patches (notably only _mutt_ anyway) can come
down from Unstable.

Cheers,

~Tim
-- 
http://spodzone.org.uk/



Re: Debian security being trashed in Linux Today comments

2002-01-14 Thread Lupe Christoph
On Monday, 2002-01-14 at 15:12:48 +0100, Javier Fernández-Sanguino Peña wrote:
 On Mon, Jan 14, 2002 at 01:15:16PM +0100, Wichert Akkerman wrote:
  Previously Adam Warner wrote:
   Someone with better knowledge of all the facts might want to comment on
   the claim that Debian is always the last to fix security holes and the
   tag team follow up I've been fighting for months now to try to convince
   them to release an advisory or fix for ftpd...

  Someone should point them to Javier's analysis of security response
  times..

   Thanks, I was about to say so... BTW pointer is:
 http://lists.debian.org/debian-security/2001/debian-security-200112/msg00257.html

   I'm going to add this to the info available in the Debian
 Security Manual, it seems to be a FAQ

I hope you provide a cleaned-up version. .../msg00257.html is full
of binary crap. And the link .../bin0.bin could be stored
as the PNG file it is supposed to be. The way it is now, I get
a MIME-type of application/octet-stream, which Mozilla won't
display. Maybe you can put the text, the spreadsheet, and the
graph on a website?

Archive maintainers, what happens to attachments like those in
the mentioned mail? I don't keep debian-security mails around,
so I can't see what MIME-type the attachments had. The binary crap
must be the spreadsheet which has been inlined.

Lupe Christoph
-- 
| [EMAIL PROTECTED]   |http://free.prohosting.com/~lupe |
| I have challenged the entire ISO-9000 quality assurance team to a  |
| Bat-Leth contest on the holodeck. They will not concern us again.  |
| http://public.logica.com/~stepneys/joke/klingon.htm|



RE: Debian security being trashed in Linux Today comments

2002-01-14 Thread Jeremy L. Gaddis
It renders fine in IE.  :)

The binary data is, I presume, the two files that
Javier attached, as stated in the message:

quote
I adjoint some data:

- a Gnumeric spreadsheet with all the information
- a PNG graphic with this year's distribution of time-to-fix (in days)
made by
gnuplot with the previous data
/quote

j.

--
Jeremy L. Gaddis [EMAIL PROTECTED]

-Original Message-
From: Lupe Christoph [mailto:[EMAIL PROTECTED]
Sent: Monday, January 14, 2002 12:17 PM
To: Javier Fernández-Sanguino Peña
Cc: debian-security@lists.debian.org; [EMAIL PROTECTED]
Subject: Re: Debian security being trashed in Linux Today comments


On Monday, 2002-01-14 at 15:12:48 +0100, Javier Fernández-Sanguino Peña wrote:
 On Mon, Jan 14, 2002 at 01:15:16PM +0100, Wichert Akkerman wrote:
  Previously Adam Warner wrote:
   Someone with better knowledge of all the facts might want to comment on
   the claim that Debian is always the last to fix security holes and the
   tag team follow up I've been fighting for months now to try to convince
   them to release an advisory or fix for ftpd...

  Someone should point them to Javier's analysis of security response
  times..

   Thanks, I was about to say so... BTW pointer is:
 http://lists.debian.org/debian-security/2001/debian-security-200112/msg00257.html

   I'm going to add this to the info available in the Debian
 Security Manual, it seems to be a FAQ

I hope you provide a cleaned-up version. .../msg00257.html is full
of binary crap. And the link .../bin0.bin could be stored
as the PNG file it is supposed to be. The way it is now, I get
a MIME-type of application/octet-stream, which Mozilla won't
display. Maybe you can put the text, the spreadsheet, and the
graph on a website?

Archive maintainers, what happens to attachments like those in
the mentioned mail? I don't keep debian-security mails around,
so I can't see what MIME-type the attachments had. The binary crap
must be the spreadsheet which has been inlined.

Lupe Christoph
--
| [EMAIL PROTECTED]   |http://free.prohosting.com/~lupe |
| I have challenged the entire ISO-9000 quality assurance team to a  |
| Bat-Leth contest on the holodeck. They will not concern us again.  |
| http://public.logica.com/~stepneys/joke/klingon.htm|





Re: Debian security being trashed in Linux Today comments

2002-01-14 Thread Micah Anderson
On Mon, 14 Jan 2002, Daniel Polombo wrote:

 Adam Warner wrote:

 Well, maybe you should follow Tim's advice and go check the security team's 
 FAQ :
 
Q: How is security handled for testing and unstable?
 
A: The short answer is: it's not. Testing and unstable are rapidly moving
   targets and the security team does not have the resources needed to
   properly support those. If you want to have a secure (and stable)
   server you are strongly encouraged to stay with stable.
 
 Of course, if you're using unstable, fixes tend to appear quickly, but :
 
 - "tend to" is not acceptable when security is concerned
 - it may take a lot more time depending on your local mirror


As woody draws closer and closer to being stable, and potato draws
closer and closer to the legendary dinosaurs which roamed the earth
with regards to its outdated software, perhaps this commitment to
woody's security could be revisited. I would be surprised if a lot of
the criticism that is coming out on this issue is not related to the
fact that a lot of people have moved from potato to woody because they
cannot continue to use potato due to the requirements of certain
software or underlying libraries, and are thus burned by this security
policy.

Let's face it, potato has some ancient software that is getting
outdated, you can hardly find any software that uses db2 anymore, and
it is not trivial to backport from db3, the version of perl makes
usage and installation of anything that was done in the last 5 years
difficult... potato is great, if you want to only use the packages
which come with it, it is great as a server which doesn't need any
changes, but if you want to do anything semi-new, or outside of the
package scope, you have to move to woody, or just wait. With that
movement comes a significant loss in security policy. 

Now that woody draws near to being stable, perhaps the policy can be
altered to accommodate for that. 

Micah



Re: Debian security being trashed in Linux Today comments

2002-01-14 Thread Florian Weimer
Adam Warner [EMAIL PROTECTED] writes:

 http://www.linuxtoday.com/news_story.php3?ltsn=2002-01-14-002-20-SC-DB
 
 Someone with better knowledge of all the facts might want to comment on
 the claim that Debian is always the last to fix security holes and the
 tag team follow up I've been fighting for months now to try to convince
 them to release an advisory or fix for ftpd...

Of course, libc problems are a bit unfair for comparison.  Red Hat
runs the official CVS repository, and they probably knew about the
problem by mid-November or something like that (the fix was committed
on 2001-11-29, IIRC).

-- 
Florian Weimer[EMAIL PROTECTED]
University of Stuttgart   http://CERT.Uni-Stuttgart.DE/people/fw/
RUS-CERT  +49-711-685-5973/fax +49-711-685-5898



Re: Debian security being trashed in Linux Today comments

2002-01-14 Thread Josip Rodin
On Mon, Jan 14, 2002 at 07:19:29PM +0100, Javier Fernández-Sanguino Peña wrote:
  I hope you provide a cleaned-up version. .../msg00257.html is full
  of binary crap. And the link .../bin0.bin could be stored
  as the PNG file it is supposed to be. The way it is now, I get
  a MIME-type of application/octet-stream, which Mozilla won't
  display.
 
   As I said, attachments are not parsed correctly by the archiving
 software. And no, the spreadsheet should have been sent as a MIME
 attachment (used mutt).

Does anyone know if we can tweak mhonarc to handle this more gracefully?

-- 
 2. That which causes joy or happiness.



Re: Debian security being trashed in Linux Today comments

2002-01-14 Thread Adam Warner
On Tue, 2002-01-15 at 01:41, Daniel Polombo wrote:
 Adam Warner wrote:
 
  On Tue, 2002-01-15 at 01:05, Tim Haynes wrote:
 
 Some of us wouldn't dare say such things without at least reviewing the
 given distro's security policy, FAQ and history.
 
  But I was really impressed that updates for unstable/testing were
  released at the same time. For those of us that use/test the bleeding
  edge on our systems it's a great reassurance to see the security team
  giving consideration to the security of testing/unstable.
 
 Well, maybe you should follow Tim's advice and go check the security team's 
 FAQ :

Weren't my comments enough for you to be able to interpret WHY I said
I was really impressed? I have known and understood the security FAQ
for a long time Daniel.
 
 Q: How is security handled for testing and unstable?
 
 A: The short answer is: it's not. Testing and unstable are rapidly moving
targets and the security team does not have the resources needed to
properly support those. If you want to have a secure (and stable)
server you are strongly encouraged to stay with stable.

http://www.debian.org/security/2002/dsa-097

This problem has been fixed in Exim version 3.12-10.2 for the stable
distribution Debian GNU/Linux 2.2 and 3.33-1.1 for the testing and
unstable distribution.

Oops, the security team breached their FAQ :-)

 Of course, if you're using unstable, fixes tend to appear quickly, but :
 
 - "tend to" is not acceptable when security is concerned
 - it may take a lot more time depending on your local mirror

Which is why I uncommented the main distribution sites in sources.list
and got the updates for testing/unstable right away. That's why I was
impressed. Because I am aware of the FAQ.

Still I hope such care about the security of testing/unstable continues
and note the comments of John Galt.

I have noticed many instances where unstable has been secure when stable
has not (before an update). Bugs that are found in Potato are not always
relevant to the quick moving new binaries and code in unstable.

I feel happy about the security of my unstable systems and am not aware
of any vulnerabilities that I have read about at Linux Weekly News that
presently affect my installations. I have had to keep up with a few
fixes to Zope in the past but there was a huge Python transition being
undertaken at the time.

Regards,
Adam




