One DD replied off-the-list, so I'll quote him without attribution:

> I understand your concern, but practicality is better than theory.
>
> (...) we will get notification when vulnerabilities are exploited, and so we 
> get priority.

It's not so theoretical: 

"Google is aware that an exploit for CVE-2021-37973 exists in the wild."

https://chromereleases.googleblog.com/2021/09/stable-channel-update-for-desktop_24.html

This was 3 months ago. This hole is still open in Debian Stable, among many 
others.

> (...) You will not find many exploitations on updated systems. And this
> matters more than theory. We have a social contract to users, not to
> philosophers.

A good fraction of Debian 10 and 11 users are using Chromium as we speak. They 
probably had a look in debian.org/security at some point, but the page failed 
to warn them. Almost every Debian user I've interacted with mistakenly believes 
that Debian applies all relevant security updates to all packages.

It's pretty disappointing that of the 1000+ list subscribers no one agreed with 
me, publicly.

Anyway, I've said my piece, and I don't know what else I could add. I already 
sound like a broken record. Unsubscribing.

-- 
Sent with https://mailfence.com  
Secure and private email
