Re: Security EOL within Debian Stable
On 05.02.15 at 23:13, Stephen Dowdy wrote:
> It's been less than a week since 'chromium' support was EOL'd, so hopefully soon 'debian-security-support' will get that updated info.

It would be great if you would open a bug against the debian-security-support package if there isn't one pending yet.

Thanks, Jan.

-- 
Never write mail to w...@spamfalle.info, you have been warned!
Re: Security EOL within Debian Stable
On Saturday, 7 February 2015, Jan Wagner wrote:
> it would be great if you would open a bug against the debian-security-support package if there isn't one pending yet.

#776904: please mark chromium as unsupported in wheezy
Re: Security EOL within Debian Stable
On Wed, Feb 4, 2015 at 6:49 PM, Michael Gilbert mgilb...@debian.org wrote:
> On Wed, Feb 4, 2015 at 8:09 PM, Stephen Dowdy wrote:
>> So, if a user installs said package, but fails to notice any EOL DSA on it, the package gets left in place in a potentially VULNERABLE state. I.E. if a known exploit comes out, and the package is still installed, the end-user could get a nasty surprise thinking that because they've added security support to apt-sources and regularly update, that they are protected. This is a non-optimal and undesired end-result.
>
> The debian-security-support package somewhat addresses those concerns [0], but it is not currently installed by default. There was some discussion to make that happen, but hasn't been followed through.

Ah, that's useful to know, and that would be a reasonable solution. However, that package depends upon being current and having the ended/limited support db files updated:

$ check-support-status -V
version 2014.09.07
$ grep chromium /usr/share/debian-security-support/* || echo Chromium not listed
Chromium not listed

It's been less than a week since 'chromium' support was EOL'd, so hopefully soon 'debian-security-support' will get that updated info.

To me, that's a satisfactory solution, again, depending upon it being maintained. I'll ensure that our default FAI config includes that package from here out. (Additionally, a site administrator could, using those DBs, manage package de-installation / deactivation or security-alert wrapper scriptage, even automatically from it.)

>> Note that chromium is in 'main' -- not 'contrib' or ..., so there's a valid expectation that its security support won't just silently stop -- unlike the other FAQ entry that says there's basically no security support for contrib, non-free..
>
> I'm not sure where you get the silently concern from, but this topic is already discussed in wheezy's release notes [1]. The problem with that of course you'll point out is that users often don't read that...

By silently, I mean that the package would continue to operate w/o warning that it's possibly vulnerable (sans any external info such as checking DSAs or having an updated 'debian-security-support' package and independently running it to identify the problem). I've often injected shell-script wrappers around problematic packages to warn users via dialog/kdialog/simple-message that the package is vulnerable/problematical, etc -- until the problem's rectified.

Yeah, it's hard to read (and brain-store) multiple hundred page manuals for all the stuff a sysadmin is responsible for on a regular basis. That's why I appealed to folks like you to set me straight ;)

> Best wishes,
> Mike
>
> [0] https://packages.qa.debian.org/d/debian-security-support.html
> [1] https://www.debian.org/releases/stable/amd64/release-notes/ch-information.en.html#browser-security

Thanks!
--stephen

-- 
Stephen Dowdy - Systems Administrator - NCAR/RAL
303.497.2869 - sdo...@ucar.edu - http://www.ral.ucar.edu/~sdowdy/
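As an added illustration of the idea above (driving a warning wrapper or de-installation from the debian-security-support DBs), here is a small sh script that is not from the thread or from the debian-security-support package. The DB column layout (package, last supported version, EOL date, note) is assumed, and both the DB text and the installed-package list are constructed samples standing in for /usr/share/debian-security-support/* and the output of dpkg-query.

```shell
#!/bin/sh
# Cross-check installed packages against a "security support ended" list.
# Added example; column layout of the DB is an assumption, data is constructed.

# Constructed stand-in for /usr/share/debian-security-support/security-support-ended.deb7
SAMPLE_DB='# package            last-supported-version   eol-date    note
chromium             37.0.2062.120-1~deb7u1   2015-02-01  see wheezy release notes

libv8-3.14           3.14.5.8-5+deb7u1        2015-02-01  no longer supported'

# Constructed stand-in for: dpkg-query -W -f="${Package} ${Version}\n"
SAMPLE_INSTALLED='bash 4.2+dfsg-0.1+deb7u3
chromium 37.0.2062.120-1~deb7u1
openssh-server 1:6.0p1-4+deb7u2'

# Print "<pkg> <installed-version> support ended <date>" for each installed
# package that the DB lists.  $1 = DB text, $2 = installed list text.
# Both streams are tagged and fed to one awk so no temp files are needed.
list_unsupported_installed() {
    {
        printf '%s\n' "$1" | sed 's/^/DB /'
        printf '%s\n' "$2" | sed 's/^/IN /'
    } | awk '
        $1 == "DB" && $2 !~ /^#/ && NF >= 4 { eol[$2] = $4 }      # skip comments/blank lines
        $1 == "IN" && ($2 in eol)            { print $2, $3, "support ended", eol[$2] }
    '
}

# Warning text a wrapper script placed in front of the real binary could show
# (via dialog, kdialog or plain stderr) before exec'ing it.  $1 = package name.
# Returns 1 when the package is not flagged, so the wrapper can stay silent.
wrapper_warning() {
    line=$(list_unsupported_installed "$SAMPLE_DB" "$SAMPLE_INSTALLED" | awk -v p="$1" '$1 == p')
    [ -n "$line" ] || return 1
    printf 'WARNING: %s; it is no longer receiving security updates\n' "$line"
}

# Site-wide report, then the per-package check a wrapper would run.
list_unsupported_installed "$SAMPLE_DB" "$SAMPLE_INSTALLED"
wrapper_warning chromium >&2 || true
```

On a real host the two sample strings would be replaced by the DB files and dpkg-query output, and the report could feed apt-get remove or a wrapper installation step.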
Re: Security EOL within Debian Stable
On Wed, Feb 4, 2015 at 8:09 PM, Stephen Dowdy wrote:
> So, if a user installs said package, but fails to notice any EOL DSA on it, the package gets left in place in a potentially VULNERABLE state. I.E. if a known exploit comes out, and the package is still installed, the end-user could get a nasty surprise thinking that because they've added security support to apt-sources and regularly update, that they are protected. This is a non-optimal and undesired end-result.

The debian-security-support package somewhat addresses those concerns [0], but it is not currently installed by default. There was some discussion to make that happen, but hasn't been followed through.

> Note that chromium is in 'main' -- not 'contrib' or ..., so there's a valid expectation that its security support won't just silently stop -- unlike the other FAQ entry that says there's basically no security support for contrib, non-free..

I'm not sure where you get the silently concern from, but this topic is already discussed in wheezy's release notes [1]. The problem with that of course you'll point out is that users often don't read that...

Best wishes,
Mike

[0] https://packages.qa.debian.org/d/debian-security-support.html
[1] https://www.debian.org/releases/stable/amd64/release-notes/ch-information.en.html#browser-security