Re: Debian security being trashed in Linux Today comments

2002-01-16 Thread Will Wesley, CCNA
Peter Cordes wrote:
> 
> > Agreed, weighted mean (by severity of vulnerability and popularity of
> > package) would be better, if suitable weighting could be devised.
> 
>  Separate graphs would be more useful to more people.  (not everybody's
> weighting would be the same as the weighting that would take a year of
> debate to not be settled anyway...)  One graph for remote exploits, one for
> local priviledge escalation, one for remote holes in Important (according to
> pkg system), etc.  Make a graph for anything someone might be interested in.
> Or even generate them on the fly with input from a set of checkboxes for which
> package to include; if someone wanted to write the code, it wouldn't be
> hard.  (assuming there's a good way to see which package falls into which
> category...  Hmm, that's probably not so easy with the data that is kept now.)
> 
>  Anyway, the most useful thing would be multiple graphs according to a few
> interesting criteria.

Any kind of policy we create should easily applied to other distro's in
order to combat FUD like the comments that started this thread. I agree
in seperatring graphs and stats into different categories such as remote
and local vulnerabilities, and Required (as in packages that are on
virtually all systems, ie glibc, at and friends, etc.) But, we wouldn't
be distinguishing on a package basis, IMHO, since one package could be
vulnerable to a remote exploit, and also have a privledge escalation
vuln.

As for weighting the severity of exploits, this would definately be
something that would need to be tailored to the individual whom seeks
such information. Maybe a selection of different package types (ie Mail
servers, web servers, ftp servers, user utils, admin utils, network
utils, development tools, base, etc..), then include in the report
whether specific packages are still vuln to known exploits, or details
on how fast specific packages where fixed after a vuln was announced.
The details would help advise as to which packages appear to be more
secure in a specific use, while statistics would show how well the
distro responds to fixes for a specific genre of packages, which would
in turn help an admin decide what distro would be best for the kind of
server he/she is creating. Maybe a package specific report would be
easier, and more accurate.

Anyone wanna flame me, add to my thoughts, or compliment me? I guess as
a side note, I shouldn't say "we" since I doubt I am really eligible to
be a major contributer to such a project... Just my two cents, anyhow.

-Will Wesley
Great way to learn about mknod...
box:~# rm -rf /dev
box:~# man mknod

_
Do You Yahoo!?
Get your free @yahoo.com address at http://mail.yahoo.com




Re: Debian security being trashed in Linux Today comments

2002-01-16 Thread Will Wesley, CCNA

Peter Cordes wrote:
> 
> > Agreed, weighted mean (by severity of vulnerability and popularity of
> > package) would be better, if suitable weighting could be devised.
> 
>  Separate graphs would be more useful to more people.  (not everybody's
> weighting would be the same as the weighting that would take a year of
> debate to not be settled anyway...)  One graph for remote exploits, one for
> local priviledge escalation, one for remote holes in Important (according to
> pkg system), etc.  Make a graph for anything someone might be interested in.
> Or even generate them on the fly with input from a set of checkboxes for which
> package to include; if someone wanted to write the code, it wouldn't be
> hard.  (assuming there's a good way to see which package falls into which
> category...  Hmm, that's probably not so easy with the data that is kept now.)
> 
>  Anyway, the most useful thing would be multiple graphs according to a few
> interesting criteria.

Any kind of policy we create should easily applied to other distro's in
order to combat FUD like the comments that started this thread. I agree
in seperatring graphs and stats into different categories such as remote
and local vulnerabilities, and Required (as in packages that are on
virtually all systems, ie glibc, at and friends, etc.) But, we wouldn't
be distinguishing on a package basis, IMHO, since one package could be
vulnerable to a remote exploit, and also have a privledge escalation
vuln.

As for weighting the severity of exploits, this would definately be
something that would need to be tailored to the individual whom seeks
such information. Maybe a selection of different package types (ie Mail
servers, web servers, ftp servers, user utils, admin utils, network
utils, development tools, base, etc..), then include in the report
whether specific packages are still vuln to known exploits, or details
on how fast specific packages where fixed after a vuln was announced.
The details would help advise as to which packages appear to be more
secure in a specific use, while statistics would show how well the
distro responds to fixes for a specific genre of packages, which would
in turn help an admin decide what distro would be best for the kind of
server he/she is creating. Maybe a package specific report would be
easier, and more accurate.

Anyone wanna flame me, add to my thoughts, or compliment me? I guess as
a side note, I shouldn't say "we" since I doubt I am really eligible to
be a major contributer to such a project... Just my two cents, anyhow.

-Will Wesley
Great way to learn about mknod...
box:~# rm -rf /dev
box:~# man mknod

_
Do You Yahoo!?
Get your free @yahoo.com address at http://mail.yahoo.com



-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]




Re: Debian security being trashed in Linux Today comments

2002-01-16 Thread Javier Fernández-Sanguino Peña

Right. It should be "A report published...".
Fixed. Thanks

Javi



Re: Debian security being trashed in Linux Today comments

2002-01-16 Thread Javier Fernández-Sanguino Peña


Right. It should be "A report published...".
Fixed. Thanks

Javi


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]




Re: Debian security being trashed in Linux Today comments

2002-01-16 Thread Lupe Christoph
On Tuesday, 2002-01-15 at 13:07:12 +0100, Javier Fernández-Sanguino Peña wrote:
> On Tue, Jan 15, 2002 at 09:23:20AM +0100, Lupe Christoph wrote:

> > I still think a table and graph would be a god addition to the security
> > FAQ, as an answer to the question "How long does Debian take to
> > fix known vulnerabilities". Tne table could go in the FAQ, and the
> > graph could be linked. (Dunno how the FAQ gets set up, but I guess
> > there will be an ASCII-only version.)

>   Already did it yesterday (except for th column with the data).
> See
> http://www.debian.org/doc/manuals/securing-debian-howto/ch11.en.html#s11.3

Thank you. But I can't parse "An published in the debian-security
mailinglist showed that in the year 2001, ...". An email?

Lupe Christoph
-- 
| [EMAIL PROTECTED]   |http://free.prohosting.com/~lupe |
| I have challenged the entire ISO-9000 quality assurance team to a  |
| Bat-Leth contest on the holodeck. They will not concern us again.  |
| http://public.logica.com/~stepneys/joke/klingon.htm|



Re: Debian security being trashed in Linux Today comments

2002-01-16 Thread Peter Cordes
On Tue, Jan 15, 2002 at 02:34:47PM +, Colin Phipps wrote:
> On Tue, Jan 15, 2002 at 02:04:38PM +, Tim Haynes wrote:
> > Colin Phipps <[EMAIL PROTECTED]> writes:
> > > It is not misleading in this case, the tail is the _most_ important part
> > > of the data. It doesn't matter if we patch every other hole in 10 minutes
> > > if we leave one open for months.
> > 
> > Yes it does, if that remaining hole is merely a local non-root potential
> > vulnerability with no known exploit that's a PITA to fix - you *must*
> > weight the average accordingly.
> 
> Agreed, weighted mean (by severity of vulnerability and popularity of
> package) would be better, if suitable weighting could be devised.

 Separate graphs would be more useful to more people.  (not everybody's
weighting would be the same as the weighting that would take a year of
debate to not be settled anyway...)  One graph for remote exploits, one for
local priviledge escalation, one for remote holes in Important (according to
pkg system), etc.  Make a graph for anything someone might be interested in.
Or even generate them on the fly with input from a set of checkboxes for which
package to include; if someone wanted to write the code, it wouldn't be
hard.  (assuming there's a good way to see which package falls into which
category...  Hmm, that's probably not so easy with the data that is kept now.)

 Anyway, the most useful thing would be multiple graphs according to a few
interesting criteria.

-- 
#define X(x,y) x##y
Peter Cordes ;  e-mail: X([EMAIL PROTECTED] , ns.ca)

"The gods confound the man who first found out how to distinguish the hours!
 Confound him, too, who in this place set up a sundial, to cut and hack
 my day so wretchedly into small pieces!" -- Plautus, 200 BCE



Re: Debian security being trashed in Linux Today comments

2002-01-15 Thread Lupe Christoph

On Tuesday, 2002-01-15 at 13:07:12 +0100, Javier Fernández-Sanguino Peña wrote:
> On Tue, Jan 15, 2002 at 09:23:20AM +0100, Lupe Christoph wrote:

> > I still think a table and graph would be a god addition to the security
> > FAQ, as an answer to the question "How long does Debian take to
> > fix known vulnerabilities". Tne table could go in the FAQ, and the
> > graph could be linked. (Dunno how the FAQ gets set up, but I guess
> > there will be an ASCII-only version.)

>   Already did it yesterday (except for th column with the data).
> See
> http://www.debian.org/doc/manuals/securing-debian-howto/ch11.en.html#s11.3

Thank you. But I can't parse "An published in the debian-security
mailinglist showed that in the year 2001, ...". An email?

Lupe Christoph
-- 
| [EMAIL PROTECTED]   |http://free.prohosting.com/~lupe |
| I have challenged the entire ISO-9000 quality assurance team to a  |
| Bat-Leth contest on the holodeck. They will not concern us again.  |
| http://public.logica.com/~stepneys/joke/klingon.htm|


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]




Re: Debian security being trashed in Linux Today comments

2002-01-15 Thread Peter Cordes

On Tue, Jan 15, 2002 at 02:34:47PM +, Colin Phipps wrote:
> On Tue, Jan 15, 2002 at 02:04:38PM +, Tim Haynes wrote:
> > Colin Phipps <[EMAIL PROTECTED]> writes:
> > > It is not misleading in this case, the tail is the _most_ important part
> > > of the data. It doesn't matter if we patch every other hole in 10 minutes
> > > if we leave one open for months.
> > 
> > Yes it does, if that remaining hole is merely a local non-root potential
> > vulnerability with no known exploit that's a PITA to fix - you *must*
> > weight the average accordingly.
> 
> Agreed, weighted mean (by severity of vulnerability and popularity of
> package) would be better, if suitable weighting could be devised.

 Separate graphs would be more useful to more people.  (not everybody's
weighting would be the same as the weighting that would take a year of
debate to not be settled anyway...)  One graph for remote exploits, one for
local priviledge escalation, one for remote holes in Important (according to
pkg system), etc.  Make a graph for anything someone might be interested in.
Or even generate them on the fly with input from a set of checkboxes for which
package to include; if someone wanted to write the code, it wouldn't be
hard.  (assuming there's a good way to see which package falls into which
category...  Hmm, that's probably not so easy with the data that is kept now.)

 Anyway, the most useful thing would be multiple graphs according to a few
interesting criteria.

-- 
#define X(x,y) x##y
Peter Cordes ;  e-mail: X([EMAIL PROTECTED] , ns.ca)

"The gods confound the man who first found out how to distinguish the hours!
 Confound him, too, who in this place set up a sundial, to cut and hack
 my day so wretchedly into small pieces!" -- Plautus, 200 BCE


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]




Re: Debian security being trashed in Linux Today comments

2002-01-15 Thread Colin Phipps
On Tue, Jan 15, 2002 at 02:04:38PM +, Tim Haynes wrote:
> Colin Phipps <[EMAIL PROTECTED]> writes:
> > It is not misleading in this case, the tail is the _most_ important part
> > of the data. It doesn't matter if we patch every other hole in 10 minutes
> > if we leave one open for months.
> 
> Yes it does, if that remaining hole is merely a local non-root potential
> vulnerability with no known exploit that's a PITA to fix - you *must*
> weight the average accordingly.

Agreed, weighted mean (by severity of vulnerability and popularity of
package) would be better, if suitable weighting could be devised.

On Tue, Jan 15, 2002 at 01:55:18PM +, Karl E. Jorgensen wrote:
> Are there any stats available on the number of people who have each
> package installed?

Relative popularity of packages can be got from the popularity-contest
results (although this will tend to reflect workstations more than
servers, since people running a secure server aren't likely to run
something that sends their package list to anyone).
http://people.debian.org/~apenwarr//popcon/

-- 
Colin Phipps PGP 0x689E463E http://www.netcraft.com/



Re: Debian security being trashed in Linux Today comments

2002-01-15 Thread Karl E. Jorgensen
On Tue, Jan 15, 2002 at 01:52:47PM +, Colin Phipps wrote:
> [...]
> Furthermore I think the mean is exactly the right measure of this: from
> the user point of view, the important figure is total exposure time,
> i.e. sum of time between vulnerability discovery and patch (for
> installed packages) for all vulns. For someone who installs every Debian
> package, this is equal to (# of vulnerabilities)x(mean time to patch).
> The former measures how well packages are audited in advance, the latter
> measures how quickly vulnerabilities are corrected. It's the right
> statistic.

Are there any stats available on the number of people who have each
package installed? (I think not, but better ask).

If such stats were available, then security flaws in "popular" packages
could be weighted higher than flaws in the "not-so-popular" packages.

Such numbers may also be useful for guestimating the "impact"
of non-security related bugs... I feel a debian package coming
along... (mutters as he walk off into the sunset)

> -- 
> Colin Phipps PGP 0x689E463E http://www.netcraft.com/

-- 
Karl E. Jørgensen
[EMAIL PROTECTED]
www.karl.jorgensen.com
"One disk to rule them all, One disk to find them. One disk to bring
 them all and in the darkness grind them. In the Land of Redmond
 where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh


pgpgIbgx1HXUx.pgp
Description: PGP signature


Re: Debian security being trashed in Linux Today comments

2002-01-15 Thread Tim Haynes
Colin Phipps <[EMAIL PROTECTED]> writes:

> On Wed, Jan 16, 2002 at 01:42:50AM +1300, Adam Warner wrote:
> > "...it took the Debian Security Team an average of 35 days to fix
>> security-related vulnerabilites."
>> 
>> An average based upon a very long tail is highly misleading. Please
>> quote the median time to fix a vulnerability instead.
>
> It is not misleading in this case, the tail is the _most_ important part
> of the data. It doesn't matter if we patch every other hole in 10 minutes
> if we leave one open for months.

Yes it does, if that remaining hole is merely a local non-root potential
vulnerability with no known exploit that's a PITA to fix - you *must*
weight the average accordingly.

Much as I hate stats, I can see that what you want to measure is how much
lethargy there is in Debian, which means excluding other influences, and
instead of wondering about means modes and medians, you've got to weight
the whole thing. Bah, complicated.

~Tim
-- 




Re: Debian security being trashed in Linux Today comments

2002-01-15 Thread Wichert Akkerman
Previously Colin Phipps wrote:
> It is not misleading in this case, the tail is the _most_ important part
> of the data.  It doesn't matter if we patch every other hole in 10
> minutes if we leave one open for months.

Both are interesting though.

Wichert.

-- 
  _
 /[EMAIL PROTECTED] This space intentionally left occupied \
| [EMAIL PROTECTED]http://www.liacs.nl/~wichert/ |
| 1024D/2FA3BC2D 576E 100B 518D 2F16 36B0  2805 3CB8 9250 2FA3 BC2D |



Re: Debian security being trashed in Linux Today comments

2002-01-15 Thread Colin Phipps
On Wed, Jan 16, 2002 at 01:42:50AM +1300, Adam Warner wrote:
> "...it took the Debian Security Team an average of 35 days to fix
> security-related vulnerabilites."
> 
> An average based upon a very long tail is highly misleading. Please
> quote the median time to fix a vulnerability instead.

It is not misleading in this case, the tail is the _most_ important part
of the data.  It doesn't matter if we patch every other hole in 10
minutes if we leave one open for months.

Furthermore I think the mean is exactly the right measure of this: from
the user point of view, the important figure is total exposure time,
i.e. sum of time between vulnerability discovery and patch (for
installed packages) for all vulns. For someone who installs every Debian
package, this is equal to (# of vulnerabilities)x(mean time to patch).
The former measures how well packages are audited in advance, the latter
measures how quickly vulnerabilities are corrected. It's the right
statistic.

-- 
Colin Phipps PGP 0x689E463E http://www.netcraft.com/



Re: faster -- Re: Debian security being trashed in Linux Today comments

2002-01-15 Thread Alvin Oga

hi ya wichert

true... i probably should have been clearer...
that i'm on the way end of the bugtraq list...

keep up the good work "all" ...

have fun
alvin
http://www.Linux-Sec.net ... hardening howtos ...


On Tue, 15 Jan 2002, Wichert Akkerman wrote:

> Previously Alvin Oga wrote:
> > i did an dist-upgrade&& update&& upgrade today... and saw sudo get update
> > before fixes to sudo  was posted to bugtraq
> 
> Actually it was posted to bugtraq about 15 minutes before but you only
> saw it later due to moderation :)
> 



Re: faster -- Re: Debian security being trashed in Linux Today comments

2002-01-15 Thread Wichert Akkerman
Previously Alvin Oga wrote:
> i did an dist-upgrade&& update&& upgrade today... and saw sudo get update
> before fixes to sudo  was posted to bugtraq

Actually it was posted to bugtraq about 15 minutes before but you only
saw it later due to moderation :)

Wichert.

-- 
  _
 /[EMAIL PROTECTED] This space intentionally left occupied \
| [EMAIL PROTECTED]http://www.liacs.nl/~wichert/ |
| 1024D/2FA3BC2D 576E 100B 518D 2F16 36B0  2805 3CB8 9250 2FA3 BC2D |



faster -- Re: Debian security being trashed in Linux Today comments

2002-01-15 Thread Alvin Oga

hi ya

i did an dist-upgrade&& update&& upgrade today... and saw sudo get update
before fixes to sudo  was posted to bugtraq

c ya
alvin

On 15 Jan 2002, Adam Warner wrote:

> On Tue, 2002-01-15 at 09:44, Florian Weimer wrote:
> > Adam Warner <[EMAIL PROTECTED]> writes:
> > 
> > > http://www.linuxtoday.com/news_story.php3?ltsn=2002-01-14-002-20-SC-DB
> > > 
> > > Someone with better knowledge of all the facts might want to comment on
> > > the claim that "Debian is always the last to fix security holes" and the
> > > tag team follow up "I've been fighting for months now to try to convince
> > > them to release an advisory or fix for ftpd..."
> > 
> > Of course, libc problems are a bit unfair for comparison.  Red Hat
> > runs the official CVS repository, and they probably knew about the
> > problem by mid-November or something like that (the fix was committed
> > on 2001-11-29, IIRC).
> 
> I've just found that some anonymous poster promoted the Linux Today
> comments on Debian Planet:
> 
> http://www.debianplanet.org//article.php?sid=568
> 
> At this rate Slashdot isn't far off ;-)
> 



Re: Debian security being trashed in Linux Today comments

2002-01-15 Thread Adam Warner
On Wed, 2002-01-16 at 01:07, Javier Fernández-Sanguino Peña wrote:

>   Already did it yesterday (except for th column with the data).
> See
> http://www.debian.org/doc/manuals/securing-debian-howto/ch11.en.html#s11.3

Please consider removing any reference to the average amount of time in
the FAQ:

"...it took the Debian Security Team an average of 35 days to fix
security-related vulnerabilites."

An average based upon a very long tail is highly misleading. Please
quote the median time to fix a vulnerability instead. This will will be
less than or equal to 10 days given this statistic:

"over 50% of the vulnerabilities where fixed in a 10-days time"

Because of this research it looks like Debian's security information
page will have to be changed:

http://www.debian.org/security/

"Debian takes security very seriously. Most security problems brought to
our attention are corrected within 48 hours."

That's just not an honest description of what's occurred. It appears
from the research that most (i.e. > 50%) of security problems are
corrected within 10 days, not 48 hours.

I still need to be able to download that spreadsheet. I have viewed the
PNG picture.

Regards,
Adam




Re: Debian security being trashed in Linux Today comments

2002-01-15 Thread Colin Phipps

On Tue, Jan 15, 2002 at 02:04:38PM +, Tim Haynes wrote:
> Colin Phipps <[EMAIL PROTECTED]> writes:
> > It is not misleading in this case, the tail is the _most_ important part
> > of the data. It doesn't matter if we patch every other hole in 10 minutes
> > if we leave one open for months.
> 
> Yes it does, if that remaining hole is merely a local non-root potential
> vulnerability with no known exploit that's a PITA to fix - you *must*
> weight the average accordingly.

Agreed, weighted mean (by severity of vulnerability and popularity of
package) would be better, if suitable weighting could be devised.

On Tue, Jan 15, 2002 at 01:55:18PM +, Karl E. Jorgensen wrote:
> Are there any stats available on the number of people who have each
> package installed?

Relative popularity of packages can be got from the popularity-contest
results (although this will tend to reflect workstations more than
servers, since people running a secure server aren't likely to run
something that sends their package list to anyone).
http://people.debian.org/~apenwarr//popcon/

-- 
Colin Phipps PGP 0x689E463E http://www.netcraft.com/


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]




Re: Debian security being trashed in Linux Today comments

2002-01-15 Thread Javier Fernández-Sanguino Peña
On Tue, Jan 15, 2002 at 09:23:20AM +0100, Lupe Christoph wrote:
> On Monday, 2002-01-14 at 23:20:21 -0400, Peter Cordes wrote:
> > On Mon, Jan 14, 2002 at 01:25:11PM -0500, Jeremy L. Gaddis wrote:
> 
> >  I recompressed it as a real PNG, and attached it to this mail, for your
> > viewing pleasure :)  PNG gets 3.5 times better compression, probably because
> > this image only uses 8 bits of colour, and the xwd was 24bit.
> 
> I hadn't tried to view it when it first came around. As a graph,
> it is not very impressive. Hard to judge x and y for any point on
> the curve. This would probably be better done as a histogram.

Well. Take in account it was done somewhat in a hurry... IIRC
x = number of days taken to fix bug
y = number of bugs fixed
> 
> >  Someone else mentioned that this graph should go up on a website, but
> > someone else shot them down.  I think the suggestion was just for this image

I did not "shot him down" just said I did not think it
would be possible. Problem is, debiandoc-sgml has no support for inline
images.

> I still think a table and graph would be a god addition to the security
> FAQ, as an answer to the question "How long does Debian take to
> fix known vulnerabilities". Tne table could go in the FAQ, and the
> graph could be linked. (Dunno how the FAQ gets set up, but I guess
> there will be an ASCII-only version.)

Already did it yesterday (except for th column with the data).
See
http://www.debian.org/doc/manuals/securing-debian-howto/ch11.en.html#s11.3


Regards

Javi



Re: Debian security being trashed in Linux Today comments

2002-01-15 Thread Karl E. Jorgensen

On Tue, Jan 15, 2002 at 01:52:47PM +, Colin Phipps wrote:
> [...]
> Furthermore I think the mean is exactly the right measure of this: from
> the user point of view, the important figure is total exposure time,
> i.e. sum of time between vulnerability discovery and patch (for
> installed packages) for all vulns. For someone who installs every Debian
> package, this is equal to (# of vulnerabilities)x(mean time to patch).
> The former measures how well packages are audited in advance, the latter
> measures how quickly vulnerabilities are corrected. It's the right
> statistic.

Are there any stats available on the number of people who have each
package installed? (I think not, but better ask).

If such stats were available, then security flaws in "popular" packages
could be weighted higher than flaws in the "not-so-popular" packages.

Such numbers may also be useful for guestimating the "impact"
of non-security related bugs... I feel a debian package coming
along... (mutters as he walk off into the sunset)

> -- 
> Colin Phipps PGP 0x689E463E http://www.netcraft.com/

-- 
Karl E. Jørgensen
[EMAIL PROTECTED]
www.karl.jorgensen.com
"One disk to rule them all, One disk to find them. One disk to bring
 them all and in the darkness grind them. In the Land of Redmond
 where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh



msg05289/pgp0.pgp
Description: PGP signature


Re: Debian security being trashed in Linux Today comments

2002-01-15 Thread Tim Haynes

Colin Phipps <[EMAIL PROTECTED]> writes:

> On Wed, Jan 16, 2002 at 01:42:50AM +1300, Adam Warner wrote:
> > "...it took the Debian Security Team an average of 35 days to fix
>> security-related vulnerabilites."
>> 
>> An average based upon a very long tail is highly misleading. Please
>> quote the median time to fix a vulnerability instead.
>
> It is not misleading in this case, the tail is the _most_ important part
> of the data. It doesn't matter if we patch every other hole in 10 minutes
> if we leave one open for months.

Yes it does, if that remaining hole is merely a local non-root potential
vulnerability with no known exploit that's a PITA to fix - you *must*
weight the average accordingly.

Much as I hate stats, I can see that what you want to measure is how much
lethargy there is in Debian, which means excluding other influences, and
instead of wondering about means modes and medians, you've got to weight
the whole thing. Bah, complicated.

~Tim
-- 



-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]




Re: Debian security being trashed in Linux Today comments

2002-01-15 Thread Wichert Akkerman

Previously Colin Phipps wrote:
> It is not misleading in this case, the tail is the _most_ important part
> of the data.  It doesn't matter if we patch every other hole in 10
> minutes if we leave one open for months.

Both are interesting though.

Wichert.

-- 
  _
 [EMAIL PROTECTED] This space intentionally left occupied \
| [EMAIL PROTECTED]http://www.liacs.nl/~wichert/ |
| 1024D/2FA3BC2D 576E 100B 518D 2F16 36B0  2805 3CB8 9250 2FA3 BC2D |


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]




Re: Debian security being trashed in Linux Today comments

2002-01-15 Thread Colin Phipps

On Wed, Jan 16, 2002 at 01:42:50AM +1300, Adam Warner wrote:
> "...it took the Debian Security Team an average of 35 days to fix
> security-related vulnerabilites."
> 
> An average based upon a very long tail is highly misleading. Please
> quote the median time to fix a vulnerability instead.

It is not misleading in this case, the tail is the _most_ important part
of the data.  It doesn't matter if we patch every other hole in 10
minutes if we leave one open for months.

Furthermore I think the mean is exactly the right measure of this: from
the user point of view, the important figure is total exposure time,
i.e. sum of time between vulnerability discovery and patch (for
installed packages) for all vulns. For someone who installs every Debian
package, this is equal to (# of vulnerabilities)x(mean time to patch).
The former measures how well packages are audited in advance, the latter
measures how quickly vulnerabilities are corrected. It's the right
statistic.

-- 
Colin Phipps PGP 0x689E463E http://www.netcraft.com/


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]




Re: Debian security being trashed in Linux Today comments

2002-01-15 Thread Simon Huggins
On Mon, Jan 14, 2002 at 09:53:15AM -0500, Noah L. Meyerhans wrote:
> On Mon, Jan 14, 2002 at 01:37:50PM +, Simon Huggins wrote:
> > So perhaps Debian security is only as good as the package maintainers?
> > I'm sure most maintainers do care and do investigate bugs I probably
> > just had a bad experience.
> That is the case in unstable and testing, but not stable.

You seem to be implying I was talking about woody or sid yet the bug in
the BTS says "potato".

> That is why you're encouraged to run stable on any machine connected
> to the internet.  In its case, there is a group within Debian who is
> responsible for providing security updates in a timely manner with or
> without assistance from the package maintainer.

I should probably have emailed security-team instead of security when I
found the bug.  Ho hum.


-- 
--(   huggie: dans ton troupeau de  )--
Simon ( clef public c'est la quelle la bonne ?   ) Nomis
 Htag.pl 0.0.19



Re: faster -- Re: Debian security being trashed in Linux Today comments

2002-01-15 Thread Alvin Oga


hi ya wichert

true... i probably should have been clearer...
that i'm on the way end of the bugtraq list...

keep up the good work "all" ...

have fun
alvin
http://www.Linux-Sec.net ... hardening howtos ...


On Tue, 15 Jan 2002, Wichert Akkerman wrote:

> Previously Alvin Oga wrote:
> > i did an dist-upgrade&& update&& upgrade today... and saw sudo get update
> > before fixes to sudo  was posted to bugtraq
> 
> Actually it was posted to bugtraq about 15 minutes before but you only
> saw it later due to moderation :)
> 


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]




Re: faster -- Re: Debian security being trashed in Linux Today comments

2002-01-15 Thread Wichert Akkerman

Previously Alvin Oga wrote:
> i did an dist-upgrade&& update&& upgrade today... and saw sudo get update
> before fixes to sudo  was posted to bugtraq

Actually it was posted to bugtraq about 15 minutes before but you only
saw it later due to moderation :)

Wichert.

-- 
  _
 [EMAIL PROTECTED] This space intentionally left occupied \
| [EMAIL PROTECTED]http://www.liacs.nl/~wichert/ |
| 1024D/2FA3BC2D 576E 100B 518D 2F16 36B0  2805 3CB8 9250 2FA3 BC2D |


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]




faster -- Re: Debian security being trashed in Linux Today comments

2002-01-15 Thread Alvin Oga


hi ya

i did an dist-upgrade&& update&& upgrade today... and saw sudo get update
before fixes to sudo  was posted to bugtraq

c ya
alvin

On 15 Jan 2002, Adam Warner wrote:

> On Tue, 2002-01-15 at 09:44, Florian Weimer wrote:
> > Adam Warner <[EMAIL PROTECTED]> writes:
> > 
> > > http://www.linuxtoday.com/news_story.php3?ltsn=2002-01-14-002-20-SC-DB
> > > 
> > > Someone with better knowledge of all the facts might want to comment on
> > > the claim that "Debian is always the last to fix security holes" and the
> > > tag team follow up "I've been fighting for months now to try to convince
> > > them to release an advisory or fix for ftpd..."
> > 
> > Of course, libc problems are a bit unfair for comparison.  Red Hat
> > runs the official CVS repository, and they probably knew about the
> > problem by mid-November or something like that (the fix was committed
> > on 2001-11-29, IIRC).
> 
> I've just found that some anonymous poster promoted the Linux Today
> comments on Debian Planet:
> 
> http://www.debianplanet.org//article.php?sid=568
> 
> At this rate Slashdot isn't far off ;-)
> 


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]




Re: Debian security being trashed in Linux Today comments

2002-01-15 Thread Adam Warner

On Wed, 2002-01-16 at 01:07, Javier Fernández-Sanguino Peña wrote:

>   Already did it yesterday (except for th column with the data).
> See
> http://www.debian.org/doc/manuals/securing-debian-howto/ch11.en.html#s11.3

Please consider removing any reference to the average amount of time in
the FAQ:

"...it took the Debian Security Team an average of 35 days to fix
security-related vulnerabilites."

An average based upon a very long tail is highly misleading. Please
quote the median time to fix a vulnerability instead. This will will be
less than or equal to 10 days given this statistic:

"over 50% of the vulnerabilities where fixed in a 10-days time"

Because of this research it looks like Debian's security information
page will have to be changed:

http://www.debian.org/security/

"Debian takes security very seriously. Most security problems brought to
our attention are corrected within 48 hours."

That's just not an honest description of what's occurred. It appears
from the research that most (i.e. > 50%) of security problems are
corrected within 10 days, not 48 hours.

I still need to be able to download that spreadsheet. I have viewed the
PNG picture.

Regards,
Adam



--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]




Re: Debian security being trashed in Linux Today comments

2002-01-15 Thread Adam Warner
On Tue, 2002-01-15 at 09:44, Florian Weimer wrote:
> Adam Warner <[EMAIL PROTECTED]> writes:
> 
> > http://www.linuxtoday.com/news_story.php3?ltsn=2002-01-14-002-20-SC-DB
> > 
> > Someone with better knowledge of all the facts might want to comment on
> > the claim that "Debian is always the last to fix security holes" and the
> > tag team follow up "I've been fighting for months now to try to convince
> > them to release an advisory or fix for ftpd..."
> 
> Of course, libc problems are a bit unfair for comparison.  Red Hat
> runs the official CVS repository, and they probably knew about the
> problem by mid-November or something like that (the fix was committed
> on 2001-11-29, IIRC).

I've just found that some anonymous poster promoted the Linux Today
comments on Debian Planet:

http://www.debianplanet.org//article.php?sid=568

At this rate Slashdot isn't far off ;-)

Regards,
Adam



Re: Debian security being trashed in Linux Today comments

2002-01-15 Thread Javier Fernández-Sanguino Peña

On Tue, Jan 15, 2002 at 09:23:20AM +0100, Lupe Christoph wrote:
> On Monday, 2002-01-14 at 23:20:21 -0400, Peter Cordes wrote:
> > On Mon, Jan 14, 2002 at 01:25:11PM -0500, Jeremy L. Gaddis wrote:
> 
> >  I recompressed it as a real PNG, and attached it to this mail, for your
> > viewing pleasure :)  PNG gets 3.5 times better compression, probably because
> > this image only uses 8 bits of colour, and the xwd was 24bit.
> 
> I hadn't tried to view it when it first came around. As a graph,
> it is not very impressive. Hard to judge x and y for any point on
> the curve. This would probably be better done as a histogram.

Well. Take in account it was done somewhat in a hurry... IIRC
x = number of days taken to fix bug
y = number of bugs fixed
> 
> >  Someone else mentioned that this graph should go up on a website, but
> > someone else shot them down.  I think the suggestion was just for this image

I did not "shot him down" just said I did not think it
would be possible. Problem is, debiandoc-sgml has no support for inline
images.

> I still think a table and graph would be a god addition to the security
> FAQ, as an answer to the question "How long does Debian take to
> fix known vulnerabilities". Tne table could go in the FAQ, and the
> graph could be linked. (Dunno how the FAQ gets set up, but I guess
> there will be an ASCII-only version.)

Already did it yesterday (except for th column with the data).
See
http://www.debian.org/doc/manuals/securing-debian-howto/ch11.en.html#s11.3


Regards

Javi


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]




Re: Debian security being trashed in Linux Today comments

2002-01-15 Thread Simon Huggins

On Mon, Jan 14, 2002 at 09:53:15AM -0500, Noah L. Meyerhans wrote:
> On Mon, Jan 14, 2002 at 01:37:50PM +, Simon Huggins wrote:
> > So perhaps Debian security is only as good as the package maintainers?
> > I'm sure most maintainers do care and do investigate bugs I probably
> > just had a bad experience.
> That is the case in unstable and testing, but not stable.

You seem to be implying I was talking about woody or sid yet the bug in
the BTS says "potato".

> That is why you're encouraged to run stable on any machine connected
> to the internet.  In its case, there is a group within Debian who is
> responsible for providing security updates in a timely manner with or
> without assistance from the package maintainer.

I should probably have emailed security-team instead of security when I
found the bug.  Ho hum.


-- 
--(   huggie: dans ton troupeau de  )--
Simon ( clef public c'est la quelle la bonne ?   ) Nomis
 Htag.pl 0.0.19


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]




Re: Debian security being trashed in Linux Today comments

2002-01-15 Thread Lupe Christoph
On Monday, 2002-01-14 at 23:20:21 -0400, Peter Cordes wrote:
> On Mon, Jan 14, 2002 at 01:25:11PM -0500, Jeremy L. Gaddis wrote:

>  I recompressed it as a real PNG, and attached it to this mail, for your
> viewing pleasure :)  PNG gets 3.5 times better compression, probably because
> this image only uses 8 bits of colour, and the xwd was 24bit.

I hadn't tried to view it when it first came around. As a graph,
it is not very impressive. Hard to judge x and y for any point on
the curve. This would probably be better done as a histogram.

>  Someone else mentioned that this graph should go up on a website, but
> someone else shot them down.  I think the suggestion was just for this image
> in particular, not that this should be done for every image-attachment on
> all lists.  Anyway, I agree that it would be cool to have this graph and the
> data available on a web site.  (With the data in a two-column ascii list,
> rather than a spreadsheet or something that needs to be downloaded and dealt
> with separately.)  Of course, then we might need to make up excuses, or
> preferably find solutions, for the exceptionally long bugs.

I still think a table and graph would be a god addition to the security
FAQ, as an answer to the question "How long does Debian take to
fix known vulnerabilities". Tne table could go in the FAQ, and the
graph could be linked. (Dunno how the FAQ gets set up, but I guess
there will be an ASCII-only version.)

I believe the most useful format would be linear for the number of bugs
fixed, and log for the time. Like this

Time (days) No of fixes
1   ?
2-3 ?
4-7 ?
8-15?
16-31   ?
etc.

I'd be *really* interested in seeing that kind of table for more OSes.
Not only Linux distributions, but also Solaris, *BSD, and Windowses.

My gut feeling is that Debian would shine in such a comparison.
Initially, I came to Debian because I had the feeling that it was
the Linux dustribution with the fastest reaction to the discovery
of vulnerabilities. Judging from BUGTRAQ.

Lupe Christoph
-- 
| [EMAIL PROTECTED]   |http://free.prohosting.com/~lupe |
| I have challenged the entire ISO-9000 quality assurance team to a  |
| Bat-Leth contest on the holodeck. They will not concern us again.  |
| http://public.logica.com/~stepneys/joke/klingon.htm|



Re: Debian security being trashed in Linux Today comments

2002-01-15 Thread Adam Warner

On Tue, 2002-01-15 at 09:44, Florian Weimer wrote:
> Adam Warner <[EMAIL PROTECTED]> writes:
> 
> > http://www.linuxtoday.com/news_story.php3?ltsn=2002-01-14-002-20-SC-DB
> > 
> > Someone with better knowledge of all the facts might want to comment on
> > the claim that "Debian is always the last to fix security holes" and the
> > tag team follow up "I've been fighting for months now to try to convince
> > them to release an advisory or fix for ftpd..."
> 
> Of course, libc problems are a bit unfair for comparison.  Red Hat
> runs the official CVS repository, and they probably knew about the
> problem by mid-November or something like that (the fix was committed
> on 2001-11-29, IIRC).

I've just found that some anonymous poster promoted the Linux Today
comments on Debian Planet:

http://www.debianplanet.org//article.php?sid=568

At this rate Slashdot isn't far off ;-)

Regards,
Adam


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]




Re: Debian security being trashed in Linux Today comments

2002-01-15 Thread Lupe Christoph

On Monday, 2002-01-14 at 23:20:21 -0400, Peter Cordes wrote:
> On Mon, Jan 14, 2002 at 01:25:11PM -0500, Jeremy L. Gaddis wrote:

>  I recompressed it as a real PNG, and attached it to this mail, for your
> viewing pleasure :)  PNG gets 3.5 times better compression, probably because
> this image only uses 8 bits of colour, and the xwd was 24bit.

I hadn't tried to view it when it first came around. As a graph,
it is not very impressive. Hard to judge x and y for any point on
the curve. This would probably be better done as a histogram.

>  Someone else mentioned that this graph should go up on a website, but
> someone else shot them down.  I think the suggestion was just for this image
> in particular, not that this should be done for every image-attachment on
> all lists.  Anyway, I agree that it would be cool to have this graph and the
> data available on a web site.  (With the data in a two-column ascii list,
> rather than a spreadsheet or something that needs to be downloaded and dealt
> with separately.)  Of course, then we might need to make up excuses, or
> preferably find solutions, for the exceptionally long bugs.

I still think a table and graph would be a god addition to the security
FAQ, as an answer to the question "How long does Debian take to
fix known vulnerabilities". Tne table could go in the FAQ, and the
graph could be linked. (Dunno how the FAQ gets set up, but I guess
there will be an ASCII-only version.)

I believe the most useful format would be linear for the number of bugs
fixed, and log for the time. Like this

Time (days) No of fixes
1   ?
2-3 ?
4-7 ?
8-15?
16-31   ?
etc.

I'd be *really* interested in seeing that kind of table for more OSes.
Not only Linux distributions, but also Solaris, *BSD, and Windowses.

My gut feeling is that Debian would shine in such a comparison.
Initially, I came to Debian because I had the feeling that it was
the Linux dustribution with the fastest reaction to the discovery
of vulnerabilities. Judging from BUGTRAQ.

Lupe Christoph
-- 
| [EMAIL PROTECTED]   |http://free.prohosting.com/~lupe |
| I have challenged the entire ISO-9000 quality assurance team to a  |
| Bat-Leth contest on the holodeck. They will not concern us again.  |
| http://public.logica.com/~stepneys/joke/klingon.htm|


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]




Re: Debian security being trashed in Linux Today comments

2002-01-14 Thread Olaf Meeuwissen
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Peter Cordes <[EMAIL PROTECTED]> writes:

> [...]  To get testing better tested (by providing the service more
> people need to run it), and to get the security team familiar with
> the soon-to-be-stable release, there could be a mechanism for
> security fixes to get done on woody, etc.  I don't know what kind of
> security promises would be appropriate, or what, but I think it
> would be a good idea to do something along these lines.  Maybe
> someone should make a list of packages that the security team would
> take time to deal with in woody, and add packages to it over time.
> Starting with popular packages and/or packages classified as
> required/important might make sense.

Currently, testing is getting frozen in steps as far as I understand
the process.  What about providing proper security updates for those
parts that have already been frozen?  These would have be dealt with
in a special way to get upgraded anyway so you might as well provide
the upgrade as a proper security update.  This could also serve as a
handle for the folks who are coordinating the release process.
- -- 
Olaf Meeuwissen   Epson Kowa Corporation, Research and Development
GnuPG key: 6BE37D90/AB6B 0D1F 99E7 1BF5 EB97  976A 16C7 F27D 6BE3 7D90
LPIC-2   -- I hack, therefore I am -- BOFH
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: Processed by Mailcrypt 3.5.6 

iD8DBQE8Q7YAFsfyfWvjfZARAn2mAKCh20XSbZlJ+wjtiOJP/zGv8z3yTwCgxOlw
S0PF5uSNo7KeuY9ONzBCYl8=
=FSYR
-END PGP SIGNATURE-



Re: Debian security being trashed in Linux Today comments

2002-01-14 Thread Peter Cordes
On Mon, Jan 14, 2002 at 12:17:15PM -0700, John Galt wrote:
> 
> Okay, this has gone far enough.  The reason that s.d.o only deals with 
> stable is that stable is the only part of Debian that by it's nature 
> cannot change.  For unstable (and now testing) if there's a security bug, 
> any DD can put up a NMU if it's severe enough, or the regular maintainer 
> can fix it in a [relatively] short amount of time. It's just not feasable 
> to expect a change to propagate in stable, because stable doesn't change 
> at all, except in very small spurts: there have been 5 revisions to 
> potato in the last [going on 2] years.  THIS is the reason that there's no 
> s.d.o support for testing and unstable.  So when woody becomes stable, 
> there WILL be s.d.o support for woody, because woody won't change.  Unitl 
> they become [stagnant,stable], there is just not enough reason to have 
> s.d.o support for a distribution.

 I think this was well known already, but now that we're sure everyone knows
this, I think Micah's idea is interesting.  When things are a long way from
a freeze/release, you're right, John, it's ok to let security be handled in
the current haphazard way it does now.  However, how is the testing release
(currently woody) going to get any testing if nobody uses it because it's
security isn't good enough?  Some say you should never run unstable or
testing on a machine connected to the internet, but almost all computers are
connected to the Internet, at least as clients.  This especially applies to
the home computers of the average hacker, which is the kind of person who
would usefully test and provide feedback on woody.  A home system is
somewhere I would use a system that wasn't guaranteed to be secure, and
where I might have to shut down daemons if no security fix was available for
a problem that affected them. (of course I want my machine to be secure, but
I can live without guarantees and check on things myself.) I actually use
woody on my home NAT firewall, which also runs exim and sshd.  (These are
the only daemons allowing connections from the outside world on this
machine.)

 Hmm, if a security problem which affects unstable and/or testing, but not
stable, is found, what happens?  I presume it would get mentioned here, but
is a DSA sent out when it's fixed?  Would I have to read Bugtraq or
something to get notification as soon as it's found (so I could shut down an
insecure daemon until the problem was fixed.)  I'd rather temporarily give
up the ability to ssh into my home machine and check my email than leave it
open to attack.

> On Mon, 14 Jan 2002, Micah Anderson wrote:
> >As woody draws closer and closer to being stable, and potato draws
> >closer and closer to the legendary dinosaurs which roamed the earth
> >with regards to its outdated software, perhaps this comittment to
> >woody's security could be revisted. I would be surprised if a lot of
> >the criticsm that is coming out on this issue is not related to the
> >fact that a lot of people have moved from potato to woody because they
> >cannot continue to use potato due to the requirements of certain
> >software or underlying libraries, and are thus burned by this security
> >policy.
> >
> > [...]
> >
> >Now that woody draws near to being stable, perhaps the policy can be
> >altered to accomodate for that. 

 I agree.  To get testing better tested (by providing the service more
people need to run it), and to get the security team familiar with the
soon-to-be-stable release, there could be a mechanism for security fixes to
get done on woody, etc.  I don't know what kind of security promises would
be appropriate, or what, but I think it would be a good idea to do something
along these lines.  Maybe someone should make a list of packages that the
security team would take time to deal with in woody, and add packages to it
over time.  Starting with popular packages and/or packages classified as
required/important might make sense.

 Here's another idea: Only worry about remote exploits for non-stable dists.
Many of the security advisories apply to local security only, and don't let
a remote attacker get into the machine in the first place.  (Many of them
would help an attacker get root after getting a shell running as e.g. nobody
or http).  Only worrying about remote exploits in soon-to-be-released dists
would let a lot more people run them "safely", since a lot of home systems
are single user, or at least the other users are trusted/not skilled.
(Think family members and roommates.  If they crack your system, you can put
glue on their doorknob or a snowball in their boots :) For important servers
where you really care, like in a business environment, you would certainly
want to stick with stable, so no new holes will be introduced, nothing
breaks, etc.  For systems where you are prepared to live with a little
danger, you can run testing and give stuff a workout.  When there are known
local exploits that haven't been fixed in the dist you'

Re: Debian security being trashed in Linux Today comments

2002-01-14 Thread Peter Cordes
On Mon, Jan 14, 2002 at 01:25:11PM -0500, Jeremy L. Gaddis wrote:
> It renders fine in IE.  :)

 Yeah, but it has the binary crap at the end.  It renders like that in moz
too.  (both running on the family 'doze PC while I type this mail through
PuTTY.)

> 
> The binary data is, I presume, the two files that
> Javier attached, as stated in the message:
> 
> 
> I adjoint some data:
> 
> - a Gnumeric spreadsheet with all the information
> - a PNG graphic with this year's distribution of time-to-fix (in days)
> made by
> gnuplot with the previous data
> 

 The binary crap is probably the spreadsheet by itself, but maybe the image
too.  The download link for bin0.bin is the image.  It is not PNG, but
rather a gzipped xwd.  I don't know why it's .bin instead of .xwd.gz.

 I recompressed it as a real PNG, and attached it to this mail, for your
viewing pleasure :)  PNG gets 3.5 times better compression, probably because
this image only uses 8 bits of colour, and the xwd was 24bit.


 Someone else mentioned that this graph should go up on a website, but
someone else shot them down.  I think the suggestion was just for this image
in particular, not that this should be done for every image-attachment on
all lists.  Anyway, I agree that it would be cool to have this graph and the
data available on a web site.  (With the data in a two-column ascii list,
rather than a spreadsheet or something that needs to be downloaded and dealt
with separately.)  Of course, then we might need to make up excuses, or
preferably find solutions, for the exceptionally long bugs.

-- 
#define X(x,y) x##y
Peter Cordes ;  e-mail: X([EMAIL PROTECTED] , ns.ca)

"The gods confound the man who first found out how to distinguish the hours!
 Confound him, too, who in this place set up a sundial, to cut and hack
 my day so wretchedly into small pieces!" -- Plautus, 200 BCE


fix-time.png
Description: PNG image


Re: Debian security being trashed in Linux Today comments

2002-01-14 Thread Olaf Meeuwissen

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Peter Cordes <[EMAIL PROTECTED]> writes:

> [...]  To get testing better tested (by providing the service more
> people need to run it), and to get the security team familiar with
> the soon-to-be-stable release, there could be a mechanism for
> security fixes to get done on woody, etc.  I don't know what kind of
> security promises would be appropriate, or what, but I think it
> would be a good idea to do something along these lines.  Maybe
> someone should make a list of packages that the security team would
> take time to deal with in woody, and add packages to it over time.
> Starting with popular packages and/or packages classified as
> required/important might make sense.

Currently, testing is getting frozen in steps as far as I understand
the process.  What about providing proper security updates for those
parts that have already been frozen?  These would have be dealt with
in a special way to get upgraded anyway so you might as well provide
the upgrade as a proper security update.  This could also serve as a
handle for the folks who are coordinating the release process.
- -- 
Olaf Meeuwissen   Epson Kowa Corporation, Research and Development
GnuPG key: 6BE37D90/AB6B 0D1F 99E7 1BF5 EB97  976A 16C7 F27D 6BE3 7D90
LPIC-2   -- I hack, therefore I am -- BOFH
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: Processed by Mailcrypt 3.5.6 

iD8DBQE8Q7YAFsfyfWvjfZARAn2mAKCh20XSbZlJ+wjtiOJP/zGv8z3yTwCgxOlw
S0PF5uSNo7KeuY9ONzBCYl8=
=FSYR
-END PGP SIGNATURE-


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]




Re: Debian security being trashed in Linux Today comments

2002-01-14 Thread Peter Cordes

On Mon, Jan 14, 2002 at 12:17:15PM -0700, John Galt wrote:
> 
> Okay, this has gone far enough.  The reason that s.d.o only deals with 
> stable is that stable is the only part of Debian that by it's nature 
> cannot change.  For unstable (and now testing) if there's a security bug, 
> any DD can put up a NMU if it's severe enough, or the regular maintainer 
> can fix it in a [relatively] short amount of time. It's just not feasable 
> to expect a change to propagate in stable, because stable doesn't change 
> at all, except in very small spurts: there have been 5 revisions to 
> potato in the last [going on 2] years.  THIS is the reason that there's no 
> s.d.o support for testing and unstable.  So when woody becomes stable, 
> there WILL be s.d.o support for woody, because woody won't change.  Unitl 
> they become [stagnant,stable], there is just not enough reason to have 
> s.d.o support for a distribution.

 I think this was well known already, but now that we're sure everyone knows
this, I think Micah's idea is interesting.  When things are a long way from
a freeze/release, you're right, John, it's ok to let security be handled in
the current haphazard way it does now.  However, how is the testing release
(currently woody) going to get any testing if nobody uses it because it's
security isn't good enough?  Some say you should never run unstable or
testing on a machine connected to the internet, but almost all computers are
connected to the Internet, at least as clients.  This especially applies to
the home computers of the average hacker, which is the kind of person who
would usefully test and provide feedback on woody.  A home system is
somewhere I would use a system that wasn't guaranteed to be secure, and
where I might have to shut down daemons if no security fix was available for
a problem that affected them. (of course I want my machine to be secure, but
I can live without guarantees and check on things myself.) I actually use
woody on my home NAT firewall, which also runs exim and sshd.  (These are
the only daemons allowing connections from the outside world on this
machine.)

 Hmm, if a security problem which affects unstable and/or testing, but not
stable, is found, what happens?  I presume it would get mentioned here, but
is a DSA sent out when it's fixed?  Would I have to read Bugtraq or
something to get notification as soon as it's found (so I could shut down an
insecure daemon until the problem was fixed.)  I'd rather temporarily give
up the ability to ssh into my home machine and check my email than leave it
open to attack.

> On Mon, 14 Jan 2002, Micah Anderson wrote:
> >As woody draws closer and closer to being stable, and potato draws
> >closer and closer to the legendary dinosaurs which roamed the earth
> >with regards to its outdated software, perhaps this comittment to
> >woody's security could be revisted. I would be surprised if a lot of
> >the criticsm that is coming out on this issue is not related to the
> >fact that a lot of people have moved from potato to woody because they
> >cannot continue to use potato due to the requirements of certain
> >software or underlying libraries, and are thus burned by this security
> >policy.
> >
> > [...]
> >
> >Now that woody draws near to being stable, perhaps the policy can be
> >altered to accomodate for that. 

 I agree.  To get testing better tested (by providing the service more
people need to run it), and to get the security team familiar with the
soon-to-be-stable release, there could be a mechanism for security fixes to
get done on woody, etc.  I don't know what kind of security promises would
be appropriate, or what, but I think it would be a good idea to do something
along these lines.  Maybe someone should make a list of packages that the
security team would take time to deal with in woody, and add packages to it
over time.  Starting with popular packages and/or packages classified as
required/important might make sense.

 Here's another idea: Only worry about remote exploits for non-stable dists.
Many of the security advisories apply to local security only, and don't let
a remote attacker get into the machine in the first place.  (Many of them
would help an attacker get root after getting a shell running as e.g. nobody
or http).  Only worrying about remote exploits in soon-to-be-released dists
would let a lot more people run them "safely", since a lot of home systems
are single user, or at least the other users are trusted/not skilled.
(Think family members and roommates.  If they crack your system, you can put
glue on their doorknob or a snowball in their boots :) For important servers
where you really care, like in a business environment, you would certainly
want to stick with stable, so no new holes will be introduced, nothing
breaks, etc.  For systems where you are prepared to live with a little
danger, you can run testing and give stuff a workout.  When there are known
local exploits that haven't been fixed in the dist you

Re: Debian security being trashed in Linux Today comments

2002-01-14 Thread Peter Cordes

On Mon, Jan 14, 2002 at 01:25:11PM -0500, Jeremy L. Gaddis wrote:
> It renders fine in IE.  :)

 Yeah, but it has the binary crap at the end.  It renders like that in moz
too.  (both running on the family 'doze PC while I type this mail through
PuTTY.)

> 
> The binary data is, I presume, the two files that
> Javier attached, as stated in the message:
> 
> 
> I adjoint some data:
> 
> - a Gnumeric spreadsheet with all the information
> - a PNG graphic with this year's distribution of time-to-fix (in days)
> made by
> gnuplot with the previous data
> 

 The binary crap is probably the spreadsheet by itself, but maybe the image
too.  The download link for bin0.bin is the image.  It is not PNG, but
rather a gzipped xwd.  I don't know why it's .bin instead of .xwd.gz.

 I recompressed it as a real PNG, and attached it to this mail, for your
viewing pleasure :)  PNG gets 3.5 times better compression, probably because
this image only uses 8 bits of colour, and the xwd was 24bit.


 Someone else mentioned that this graph should go up on a website, but
someone else shot them down.  I think the suggestion was just for this image
in particular, not that this should be done for every image-attachment on
all lists.  Anyway, I agree that it would be cool to have this graph and the
data available on a web site.  (With the data in a two-column ascii list,
rather than a spreadsheet or something that needs to be downloaded and dealt
with separately.)  Of course, then we might need to make up excuses, or
preferably find solutions, for the exceptionally long bugs.

-- 
#define X(x,y) x##y
Peter Cordes ;  e-mail: X([EMAIL PROTECTED] , ns.ca)

"The gods confound the man who first found out how to distinguish the hours!
 Confound him, too, who in this place set up a sundial, to cut and hack
 my day so wretchedly into small pieces!" -- Plautus, 200 BCE



fix-time.png
Description: PNG image


Re: Debian security being trashed in Linux Today comments

2002-01-14 Thread Adam Warner
On Tue, 2002-01-15 at 01:41, Daniel Polombo wrote:
> Adam Warner wrote:
> 
> > On Tue, 2002-01-15 at 01:05, Tim Haynes wrote:
> 
> >>Some of us wouldn't dare say such things without at least reviewing the
> >>given distro's security policy, FAQ and history.
> 
> > But I was really impressed that updates for unstable/testing were
> > released at the same time. For those of us that use/test the bleeding
> > edge on our systems it's a great reassurance to see the security team
> > giving consideration to the security of testing/unstable.
> 
> Well, maybe you should follow Tim's advice and go check the security team's 
> FAQ :

Weren't my comments enough for you to to be able to interpret WHY I said
I was "really impressed"? I have known and understood the security FAQ
for a long time Daniel.
 
> Q: How is security handled for testing and unstable?
> 
> A: The short answer is: it's not. Testing and unstable are rapidly moving
>targets and the security team does not have the resources needed to
>properly support those. If you want to have a secure (and stable)
>server you are strongly encouraged to stay with stable.

http://www.debian.org/security/2002/dsa-097

"This problem has been fixed in Exim version 3.12-10.2 for the stable
distribution Debian GNU/Linux 2.2 and 3.33-1.1 for the testing and
unstable distribution."

Oops the security team breached their FAQ :-)

> Of course, if you're using unstable, fixes tend to appear quickly, but :
> 
> - "tend to" is not acceptable when security is concerned
> - it may take a lot more time depending on your local mirror

Which is why I uncommented the main distribution sites in sources.list
and got the updates for testing/unstable right away. That's why I was
impressed. Because I am aware of the FAQ.

Still I hope such care about the security of testing/unstable continues
and note the comments of John Galt.

I have noticed many instances where unstable has been secure when stable
has not (before an update). Bugs that are found in Potato are not always
relevant to the quick moving new binaries and code in unstable.

I feel happy about the security of my unstable systems and am not aware
of any vulnerabilities that I have read about at Linux Weekly News that
presently affect my installations. I have had to keep up with a few
fixes to Zope in the past but there was a huge Python transition being
undertaken at the time.

Regards,
Adam




Re: Debian security being trashed in Linux Today comments

2002-01-14 Thread Josip Rodin
On Mon, Jan 14, 2002 at 07:19:29PM +0100, Javier Fernández-Sanguino Peña wrote:
> > I hope you provide a cleaned-up version. .../msg00257.html is full
> > of binary crap. And the link .../bin0.bin could be stored
> > as the PNG file it is supposed to be. The way it is now, I get
> > a MIME-type of application/octet-stream, which Mozilla won't
> > display.
> 
>   As I said, attachments are not parsed correctly by the archiving
> software. And no, the spreadsheet should have been sent as a MIME
> attachment (used mutt).

Does anyone know if we can tweak mhonarc to handle this more gracefully?

-- 
 2. That which causes joy or happiness.



Re: Debian security being trashed in Linux Today comments

2002-01-14 Thread Adam Warner

On Tue, 2002-01-15 at 01:41, Daniel Polombo wrote:
> Adam Warner wrote:
> 
> > On Tue, 2002-01-15 at 01:05, Tim Haynes wrote:
> 
> >>Some of us wouldn't dare say such things without at least reviewing the
> >>given distro's security policy, FAQ and history.
> 
> > But I was really impressed that updates for unstable/testing were
> > released at the same time. For those of us that use/test the bleeding
> > edge on our systems it's a great reassurance to see the security team
> > giving consideration to the security of testing/unstable.
> 
> Well, maybe you should follow Tim's advice and go check the security team's FAQ :

Weren't my comments enough for you to to be able to interpret WHY I said
I was "really impressed"? I have known and understood the security FAQ
for a long time Daniel.
 
> Q: How is security handled for testing and unstable?
> 
> A: The short answer is: it's not. Testing and unstable are rapidly moving
>targets and the security team does not have the resources needed to
>properly support those. If you want to have a secure (and stable)
>server you are strongly encouraged to stay with stable.

http://www.debian.org/security/2002/dsa-097

"This problem has been fixed in Exim version 3.12-10.2 for the stable
distribution Debian GNU/Linux 2.2 and 3.33-1.1 for the testing and
unstable distribution."

Oops the security team breached their FAQ :-)

> Of course, if you're using unstable, fixes tend to appear quickly, but :
> 
> - "tend to" is not acceptable when security is concerned
> - it may take a lot more time depending on your local mirror

Which is why I uncommented the main distribution sites in sources.list
and got the updates for testing/unstable right away. That's why I was
impressed. Because I am aware of the FAQ.

Still I hope such care about the security of testing/unstable continues
and note the comments of John Galt.

I have noticed many instances where unstable has been secure when stable
has not (before an update). Bugs that are found in Potato are not always
relevant to the quick moving new binaries and code in unstable.

I feel happy about the security of my unstable systems and am not aware
of any vulnerabilities that I have read about at Linux Weekly News that
presently affect my installations. I have had to keep up with a few
fixes to Zope in the past but there was a huge Python transition being
undertaken at the time.

Regards,
Adam



-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]




Re: Debian security being trashed in Linux Today comments

2002-01-14 Thread Florian Weimer
Adam Warner <[EMAIL PROTECTED]> writes:

> http://www.linuxtoday.com/news_story.php3?ltsn=2002-01-14-002-20-SC-DB
> 
> Someone with better knowledge of all the facts might want to comment on
> the claim that "Debian is always the last to fix security holes" and the
> tag team follow up "I've been fighting for months now to try to convince
> them to release an advisory or fix for ftpd..."

Of course, libc problems are a bit unfair for comparison.  Red Hat
runs the official CVS repository, and they probably knew about the
problem by mid-November or something like that (the fix was committed
on 2001-11-29, IIRC).

-- 
Florian Weimer[EMAIL PROTECTED]
University of Stuttgart   http://CERT.Uni-Stuttgart.DE/people/fw/
RUS-CERT  +49-711-685-5973/fax +49-711-685-5898



Re: Debian security being trashed in Linux Today comments

2002-01-14 Thread Josip Rodin

On Mon, Jan 14, 2002 at 07:19:29PM +0100, Javier Fernández-Sanguino Peña wrote:
> > I hope you provide a cleaned-up version. .../msg00257.html is full
> > of binary crap. And the link .../bin0.bin could be stored
> > as the PNG file it is supposed to be. The way it is now, I get
> > a MIME-type of application/octet-stream, which Mozilla won't
> > display.
> 
>   As I said, attachments are not parsed correctly by the archiving
> software. And no, the spreadsheet should have been sent as a MIME
> attachment (used mutt).

Does anyone know if we can tweak mhonarc to handle this more gracefully?

-- 
 2. That which causes joy or happiness.


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]




Re: Debian security being trashed in Linux Today comments

2002-01-14 Thread John Galt

Okay, this has gone far enough.  The reason that s.d.o only deals with 
stable is that stable is the only part of Debian that by it's nature 
cannot change.  For unstable (and now testing) if there's a security bug, 
any DD can put up a NMU if it's severe enough, or the regular maintainer 
can fix it in a [relatively] short amount of time. It's just not feasable 
to expect a change to propagate in stable, because stable doesn't change 
at all, except in very small spurts: there have been 5 revisions to 
potato in the last [going on 2] years.  THIS is the reason that there's no 
s.d.o support for testing and unstable.  So when woody becomes stable, 
there WILL be s.d.o support for woody, because woody won't change.  Unitl 
they become [stagnant,stable], there is just not enough reason to have 
s.d.o support for a distribution.


On Mon, 14 Jan 2002, Micah Anderson wrote:

>On Mon, 14 Jan 2002, Daniel Polombo wrote:
>
>> Adam Warner wrote:
>
>> Well, maybe you should follow Tim's advice and go check the security team's 
>> FAQ :
>> 
>>Q: How is security handled for testing and unstable?
>> 
>>A: The short answer is: it's not. Testing and unstable are rapidly moving
>>   targets and the security team does not have the resources needed to
>>   properly support those. If you want to have a secure (and stable)
>>   server you are strongly encouraged to stay with stable.
>> 
>> Of course, if you're using unstable, fixes tend to appear quickly, but :
>> 
>> - "tend to" is not acceptable when security is concerned
>> - it may take a lot more time depending on your local mirror
>
>
>As woody draws closer and closer to being stable, and potato draws
>closer and closer to the legendary dinosaurs which roamed the earth
>with regards to its outdated software, perhaps this comittment to
>woody's security could be revisted. I would be surprised if a lot of
>the criticsm that is coming out on this issue is not related to the
>fact that a lot of people have moved from potato to woody because they
>cannot continue to use potato due to the requirements of certain
>software or underlying libraries, and are thus burned by this security
>policy.
>
>Lets face it, potato has some ancient software that is getting
>outdated, you can hardly find any software that uses db2 anymore, and
>it is not trivial to backport from db3, the version of perl makes
>usage and installation of anything that was done in the last 5 years
>difficult... potato is great, if you want to only use the packages
>which come with it, it is great as a server which doesn't need any
>changes, but if you want to do anything semi-new, or outside of the
>package scope, you have to move to woody, or just wait. With that
>movement comes a significant loss in security policy. 
>
>Now that woody draws near to being stable, perhaps the policy can be
>altered to accomodate for that. 
>
>Micah
>
>
>

-- 
void hamlet()
{#define question=((bb)||(!bb))}

Who is John Galt?  [EMAIL PROTECTED] that's who!



Re: Debian security being trashed in Linux Today comments

2002-01-14 Thread Micah Anderson
On Mon, 14 Jan 2002, Daniel Polombo wrote:

> Adam Warner wrote:

> Well, maybe you should follow Tim's advice and go check the security team's 
> FAQ :
> 
>Q: How is security handled for testing and unstable?
> 
>A: The short answer is: it's not. Testing and unstable are rapidly moving
>   targets and the security team does not have the resources needed to
>   properly support those. If you want to have a secure (and stable)
>   server you are strongly encouraged to stay with stable.
> 
> Of course, if you're using unstable, fixes tend to appear quickly, but :
> 
> - "tend to" is not acceptable when security is concerned
> - it may take a lot more time depending on your local mirror


As woody draws closer and closer to being stable, and potato draws
closer and closer to the legendary dinosaurs which roamed the earth
with regards to its outdated software, perhaps this comittment to
woody's security could be revisted. I would be surprised if a lot of
the criticsm that is coming out on this issue is not related to the
fact that a lot of people have moved from potato to woody because they
cannot continue to use potato due to the requirements of certain
software or underlying libraries, and are thus burned by this security
policy.

Lets face it, potato has some ancient software that is getting
outdated, you can hardly find any software that uses db2 anymore, and
it is not trivial to backport from db3, the version of perl makes
usage and installation of anything that was done in the last 5 years
difficult... potato is great, if you want to only use the packages
which come with it, it is great as a server which doesn't need any
changes, but if you want to do anything semi-new, or outside of the
package scope, you have to move to woody, or just wait. With that
movement comes a significant loss in security policy. 

Now that woody draws near to being stable, perhaps the policy can be
altered to accomodate for that. 

Micah



Re: Debian security being trashed in Linux Today comments

2002-01-14 Thread Florian Weimer

Adam Warner <[EMAIL PROTECTED]> writes:

> http://www.linuxtoday.com/news_story.php3?ltsn=2002-01-14-002-20-SC-DB
> 
> Someone with better knowledge of all the facts might want to comment on
> the claim that "Debian is always the last to fix security holes" and the
> tag team follow up "I've been fighting for months now to try to convince
> them to release an advisory or fix for ftpd..."

Of course, libc problems are a bit unfair for comparison.  Red Hat
runs the official CVS repository, and they probably knew about the
problem by mid-November or something like that (the fix was committed
on 2001-11-29, IIRC).

-- 
Florian Weimer[EMAIL PROTECTED]
University of Stuttgart   http://CERT.Uni-Stuttgart.DE/people/fw/
RUS-CERT  +49-711-685-5973/fax +49-711-685-5898


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]




RE: Debian security being trashed in Linux Today comments

2002-01-14 Thread Jeremy L. Gaddis
It renders fine in IE.  :)

The binary data is, I presume, the two files that
Javier attached, as stated in the message:


I adjoint some data:

- a Gnumeric spreadsheet with all the information
- a PNG graphic with this year's distribution of time-to-fix (in days)
made by
gnuplot with the previous data


j.

--
Jeremy L. Gaddis <[EMAIL PROTECTED]>

-Original Message-
From: Lupe Christoph [mailto:[EMAIL PROTECTED]
Sent: Monday, January 14, 2002 12:17 PM
To: Javier Fernández-Sanguino Peña
Cc: debian-security@lists.debian.org; [EMAIL PROTECTED]
Subject: Re: Debian security being trashed in Linux Today comments


On Monday, 2002-01-14 at 15:12:48 +0100, Javier Fernández-Sanguino Peña
wrote:
> On Mon, Jan 14, 2002 at 01:15:16PM +0100, Wichert Akkerman wrote:
> > Previously Adam Warner wrote:
> > > Someone with better knowledge of all the facts might want to
comment on
> > > the claim that "Debian is always the last to fix security holes"
and the
> > > tag team follow up "I've been fighting for months now to try to
convince
> > > them to release an advisory or fix for ftpd..."

> > Someone should point them to Javier's analysis of security response
> > times..

>   Thanks' I was about to say so... BTW pointer is:
>
http://lists.debian.org/debian-security/2001/debian-security-200112/msg0
0257.html

>   I'm going to add this to the info available in the "Debian
> Security Manual" seems to be a FAQ

I hope you provide a cleaned-up version. .../msg00257.html is full
of binary crap. And the link .../bin0.bin could be stored
as the PNG file it is supposed to be. The way it is now, I get
a MIME-type of application/octet-stream, which Mozilla won't
display. Maybe you can put the text, the spreadsheet, and the
graph on a website?

Archive maintainers, what happens to attachments like those in
the mentioned mail? I don't keep debian-security mails around,
so I can't see what MIME-type the attachments had. The binary crap
must be the spreadsheet which has been inlined.

Lupe Christoph
--
| [EMAIL PROTECTED]   |http://free.prohosting.com/~lupe
|
| I have challenged the entire ISO-9000 quality assurance team to a
|
| Bat-Leth contest on the holodeck. They will not concern us again.
|
| http://public.logica.com/~stepneys/joke/klingon.htm
|


--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact
[EMAIL PROTECTED]



Re: Debian security being trashed in Linux Today comments

2002-01-14 Thread Javier Fernández-Sanguino Peña
On Mon, Jan 14, 2002 at 06:16:46PM +0100, Lupe Christoph wrote:
> 
> I hope you provide a cleaned-up version. .../msg00257.html is full
> of binary crap. And the link .../bin0.bin could be stored
> as the PNG file it is supposed to be. The way it is now, I get
> a MIME-type of application/octet-stream, which Mozilla won't
> display. Maybe you can put the text, the spreadsheet, and the
> graph on a website?

Ummm not likely.
> 
> Archive maintainers, what happens to attachments like those in
> the mentioned mail? I don't keep debian-security mails around,
> so I can't see what MIME-type the attachments had. The binary crap
> must be the spreadsheet which has been inlined.

As I said, attachments are not parsed correctly by the archiving
software. And no, the spreadsheet should have been sent as a MIME
attachment (used mutt).

Regards

Javi



Re: Debian security being trashed in Linux Today comments

2002-01-14 Thread Lupe Christoph
On Monday, 2002-01-14 at 15:12:48 +0100, Javier Fernández-Sanguino Peña wrote:
> On Mon, Jan 14, 2002 at 01:15:16PM +0100, Wichert Akkerman wrote:
> > Previously Adam Warner wrote:
> > > Someone with better knowledge of all the facts might want to comment on
> > > the claim that "Debian is always the last to fix security holes" and the
> > > tag team follow up "I've been fighting for months now to try to convince
> > > them to release an advisory or fix for ftpd..."

> > Someone should point them to Javier's analysis of security response
> > times..

>   Thanks' I was about to say so... BTW pointer is:
> http://lists.debian.org/debian-security/2001/debian-security-200112/msg00257.html

>   I'm going to add this to the info available in the "Debian
> Security Manual" seems to be a FAQ

I hope you provide a cleaned-up version. .../msg00257.html is full
of binary crap. And the link .../bin0.bin could be stored
as the PNG file it is supposed to be. The way it is now, I get
a MIME-type of application/octet-stream, which Mozilla won't
display. Maybe you can put the text, the spreadsheet, and the
graph on a website?

Archive maintainers, what happens to attachments like those in
the mentioned mail? I don't keep debian-security mails around,
so I can't see what MIME-type the attachments had. The binary crap
must be the spreadsheet which has been inlined.

Lupe Christoph
-- 
| [EMAIL PROTECTED]   |http://free.prohosting.com/~lupe |
| I have challenged the entire ISO-9000 quality assurance team to a  |
| Bat-Leth contest on the holodeck. They will not concern us again.  |
| http://public.logica.com/~stepneys/joke/klingon.htm|



Re: Debian security being trashed in Linux Today comments

2002-01-14 Thread John Galt


Okay, this has gone far enough.  The reason that s.d.o only deals with 
stable is that stable is the only part of Debian that by it's nature 
cannot change.  For unstable (and now testing) if there's a security bug, 
any DD can put up a NMU if it's severe enough, or the regular maintainer 
can fix it in a [relatively] short amount of time. It's just not feasable 
to expect a change to propagate in stable, because stable doesn't change 
at all, except in very small spurts: there have been 5 revisions to 
potato in the last [going on 2] years.  THIS is the reason that there's no 
s.d.o support for testing and unstable.  So when woody becomes stable, 
there WILL be s.d.o support for woody, because woody won't change.  Unitl 
they become [stagnant,stable], there is just not enough reason to have 
s.d.o support for a distribution.


On Mon, 14 Jan 2002, Micah Anderson wrote:

>On Mon, 14 Jan 2002, Daniel Polombo wrote:
>
>> Adam Warner wrote:
>
>> Well, maybe you should follow Tim's advice and go check the security team's 
>> FAQ :
>> 
>>Q: How is security handled for testing and unstable?
>> 
>>A: The short answer is: it's not. Testing and unstable are rapidly moving
>>   targets and the security team does not have the resources needed to
>>   properly support those. If you want to have a secure (and stable)
>>   server you are strongly encouraged to stay with stable.
>> 
>> Of course, if you're using unstable, fixes tend to appear quickly, but :
>> 
>> - "tend to" is not acceptable when security is concerned
>> - it may take a lot more time depending on your local mirror
>
>
>As woody draws closer and closer to being stable, and potato draws
>closer and closer to the legendary dinosaurs which roamed the earth
>with regards to its outdated software, perhaps this comittment to
>woody's security could be revisted. I would be surprised if a lot of
>the criticsm that is coming out on this issue is not related to the
>fact that a lot of people have moved from potato to woody because they
>cannot continue to use potato due to the requirements of certain
>software or underlying libraries, and are thus burned by this security
>policy.
>
>Lets face it, potato has some ancient software that is getting
>outdated, you can hardly find any software that uses db2 anymore, and
>it is not trivial to backport from db3, the version of perl makes
>usage and installation of anything that was done in the last 5 years
>difficult... potato is great, if you want to only use the packages
>which come with it, it is great as a server which doesn't need any
>changes, but if you want to do anything semi-new, or outside of the
>package scope, you have to move to woody, or just wait. With that
>movement comes a significant loss in security policy. 
>
>Now that woody draws near to being stable, perhaps the policy can be
>altered to accomodate for that. 
>
>Micah
>
>
>

-- 
void hamlet()
{#define question=((bb)||(!bb))}

Who is John Galt?  [EMAIL PROTECTED] that's who!


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]




Re: Debian security being trashed in Linux Today comments

2002-01-14 Thread Micah Anderson

On Mon, 14 Jan 2002, Daniel Polombo wrote:

> Adam Warner wrote:

> Well, maybe you should follow Tim's advice and go check the security team's 
> FAQ :
> 
>Q: How is security handled for testing and unstable?
> 
>A: The short answer is: it's not. Testing and unstable are rapidly moving
>   targets and the security team does not have the resources needed to
>   properly support those. If you want to have a secure (and stable)
>   server you are strongly encouraged to stay with stable.
> 
> Of course, if you're using unstable, fixes tend to appear quickly, but :
> 
> - "tend to" is not acceptable when security is concerned
> - it may take a lot more time depending on your local mirror


As woody draws closer and closer to being stable, and potato draws
closer and closer to the legendary dinosaurs which roamed the earth
with regards to its outdated software, perhaps this comittment to
woody's security could be revisted. I would be surprised if a lot of
the criticsm that is coming out on this issue is not related to the
fact that a lot of people have moved from potato to woody because they
cannot continue to use potato due to the requirements of certain
software or underlying libraries, and are thus burned by this security
policy.

Lets face it, potato has some ancient software that is getting
outdated, you can hardly find any software that uses db2 anymore, and
it is not trivial to backport from db3, the version of perl makes
usage and installation of anything that was done in the last 5 years
difficult... potato is great, if you want to only use the packages
which come with it, it is great as a server which doesn't need any
changes, but if you want to do anything semi-new, or outside of the
package scope, you have to move to woody, or just wait. With that
movement comes a significant loss in security policy. 

Now that woody draws near to being stable, perhaps the policy can be
altered to accomodate for that. 

Micah


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]




RE: Debian security being trashed in Linux Today comments

2002-01-14 Thread Jeremy L. Gaddis

It renders fine in IE.  :)

The binary data is, I presume, the two files that
Javier attached, as stated in the message:


I adjoint some data:

- a Gnumeric spreadsheet with all the information
- a PNG graphic with this year's distribution of time-to-fix (in days)
made by
gnuplot with the previous data


j.

--
Jeremy L. Gaddis <[EMAIL PROTECTED]>

-Original Message-
From: Lupe Christoph [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 14, 2002 12:17 PM
To: Javier Fernández-Sanguino Peña
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: Debian security being trashed in Linux Today comments


On Monday, 2002-01-14 at 15:12:48 +0100, Javier Fernández-Sanguino Peña
wrote:
> On Mon, Jan 14, 2002 at 01:15:16PM +0100, Wichert Akkerman wrote:
> > Previously Adam Warner wrote:
> > > Someone with better knowledge of all the facts might want to
comment on
> > > the claim that "Debian is always the last to fix security holes"
and the
> > > tag team follow up "I've been fighting for months now to try to
convince
> > > them to release an advisory or fix for ftpd..."

> > Someone should point them to Javier's analysis of security response
> > times..

>   Thanks' I was about to say so... BTW pointer is:
>
http://lists.debian.org/debian-security/2001/debian-security-200112/msg0
0257.html

>   I'm going to add this to the info available in the "Debian
> Security Manual" seems to be a FAQ

I hope you provide a cleaned-up version. .../msg00257.html is full
of binary crap. And the link .../bin0.bin could be stored
as the PNG file it is supposed to be. The way it is now, I get
a MIME-type of application/octet-stream, which Mozilla won't
display. Maybe you can put the text, the spreadsheet, and the
graph on a website?

Archive maintainers, what happens to attachments like those in
the mentioned mail? I don't keep debian-security mails around,
so I can't see what MIME-type the attachments had. The binary crap
must be the spreadsheet which has been inlined.

Lupe Christoph
--
| [EMAIL PROTECTED]   |http://free.prohosting.com/~lupe
|
| I have challenged the entire ISO-9000 quality assurance team to a
|
| Bat-Leth contest on the holodeck. They will not concern us again.
|
| http://public.logica.com/~stepneys/joke/klingon.htm
|


--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact
[EMAIL PROTECTED]


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]




Re: Debian security being trashed in Linux Today comments

2002-01-14 Thread Javier Fernández-Sanguino Peña

On Mon, Jan 14, 2002 at 06:16:46PM +0100, Lupe Christoph wrote:
> 
> I hope you provide a cleaned-up version. .../msg00257.html is full
> of binary crap. And the link .../bin0.bin could be stored
> as the PNG file it is supposed to be. The way it is now, I get
> a MIME-type of application/octet-stream, which Mozilla won't
> display. Maybe you can put the text, the spreadsheet, and the
> graph on a website?

Ummm not likely.
> 
> Archive maintainers, what happens to attachments like those in
> the mentioned mail? I don't keep debian-security mails around,
> so I can't see what MIME-type the attachments had. The binary crap
> must be the spreadsheet which has been inlined.

As I said, attachments are not parsed correctly by the archiving
software. And no, the spreadsheet should have been sent as a MIME
attachment (used mutt).

Regards

Javi


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]




Re: Debian security being trashed in Linux Today comments

2002-01-14 Thread Lupe Christoph

On Monday, 2002-01-14 at 15:12:48 +0100, Javier Fernández-Sanguino Peña wrote:
> On Mon, Jan 14, 2002 at 01:15:16PM +0100, Wichert Akkerman wrote:
> > Previously Adam Warner wrote:
> > > Someone with better knowledge of all the facts might want to comment on
> > > the claim that "Debian is always the last to fix security holes" and the
> > > tag team follow up "I've been fighting for months now to try to convince
> > > them to release an advisory or fix for ftpd..."

> > Someone should point them to Javier's analysis of security response
> > times..

>   Thanks' I was about to say so... BTW pointer is:
> http://lists.debian.org/debian-security/2001/debian-security-200112/msg00257.html

>   I'm going to add this to the info available in the "Debian
> Security Manual" seems to be a FAQ

I hope you provide a cleaned-up version. .../msg00257.html is full
of binary crap. And the link .../bin0.bin could be stored
as the PNG file it is supposed to be. The way it is now, I get
a MIME-type of application/octet-stream, which Mozilla won't
display. Maybe you can put the text, the spreadsheet, and the
graph on a website?

Archive maintainers, what happens to attachments like those in
the mentioned mail? I don't keep debian-security mails around,
so I can't see what MIME-type the attachments had. The binary crap
must be the spreadsheet which has been inlined.

Lupe Christoph
-- 
| [EMAIL PROTECTED]   |http://free.prohosting.com/~lupe |
| I have challenged the entire ISO-9000 quality assurance team to a  |
| Bat-Leth contest on the holodeck. They will not concern us again.  |
| http://public.logica.com/~stepneys/joke/klingon.htm|


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]




Re: Debian security being trashed in Linux Today comments

2002-01-14 Thread Tim Haynes
"Noah L. Meyerhans" <[EMAIL PROTECTED]> writes:

> On Mon, Jan 14, 2002 at 01:37:50PM +, Simon Huggins wrote:
> > So perhaps Debian security is only as good as the package maintainers?
>> I'm sure most maintainers do care and do investigate bugs I probably
>> just had a bad experience.
>
> That is the case in unstable and testing, but not stable. That is why
> you're encouraged to run stable on any machine connected to the internet.
> In its case, there is a group within Debian who is responsible for
> providing security updates in a timely manner with or without assistance
> from the package maintainer.

Agreed. You have to decide for the situation at hand; as it happens, my
favourite colo swerver runs Testing, on the grounds that one of these days,
Stable will change en-masse and the last thing I want is for ssh not to
restart in my daily dist-upgrades of nearly every package on the box - the
machine came home for a bit of TLC one time and got put onto Testing so the
daily dist-upgrade only does a few packages rather than the whole lot.
In the meantime, security patches (notably only _mutt_ anyway) can come
down from Unstable.

Cheers,

~Tim
-- 




Re: Debian security being trashed in Linux Today comments

2002-01-14 Thread Noah L. Meyerhans
On Mon, Jan 14, 2002 at 01:37:50PM +, Simon Huggins wrote:
> So perhaps Debian security is only as good as the package maintainers?
> I'm sure most maintainers do care and do investigate bugs I probably
> just had a bad experience.

That is the case in unstable and testing, but not stable.  That is why
you're encouraged to run stable on any machine connected to the
internet.  In its case, there is a group within Debian who is
responsible for providing security updates in a timely manner with or
without assistance from the package maintainer.

noah

-- 
 ___
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html 


pgpU5YkjWmtBQ.pgp
Description: PGP signature


Re: Debian security being trashed in Linux Today comments

2002-01-14 Thread Javier Fernández-Sanguino Peña
On Mon, Jan 14, 2002 at 01:15:16PM +0100, Wichert Akkerman wrote:
> Previously Adam Warner wrote:
> > Someone with better knowledge of all the facts might want to comment on
> > the claim that "Debian is always the last to fix security holes" and the
> > tag team follow up "I've been fighting for months now to try to convince
> > them to release an advisory or fix for ftpd..."
> 
> Someone should point them to Javier's analysis of security response
> times..

Thanks' I was about to say so... BTW pointer is:
http://lists.debian.org/debian-security/2001/debian-security-200112/msg00257.html

I'm going to add this to the info available in the "Debian
Security Manual" seems to be a FAQ

Javi



Re: Debian security being trashed in Linux Today comments

2002-01-14 Thread Simon Huggins
On Mon, Jan 14, 2002 at 12:05:34PM +, Tim Haynes wrote:
> Adam Warner <[EMAIL PROTECTED]> writes:
> > http://www.linuxtoday.com/news_story.php3?ltsn=2002-01-14-002-20-SC-DB
> >
> > Someone with better knowledge of all the facts might want to comment
> > on the claim that "Debian is always the last to fix security holes"
> > and the tag team follow up "I've been fighting for months now to try
> > to convince them to release an advisory or fix for ftpd..."
> Some of us wouldn't dare say such things without at least reviewing
> the given distro's security policy, FAQ and history.

>  is over there ---> .

Indeed.  My only experience with trying to get an exploitable package
patched was rather disappointing though.

I believe (not being a Debian developer myself) that [EMAIL PROTECTED]
goes to debian-private which is only available to developers.  It then
requires the developer of the package you're reporting about to be awake
enough to /do/ something about the bug you are reporting.

I had problems with apache whose old maintainer didn't really seem to
care (bug 104187 for the gory details)

So perhaps Debian security is only as good as the package maintainers?
I'm sure most maintainers do care and do investigate bugs I probably
just had a bad experience.


-- 
--(  "Have you seen a man who's lost his luggage?"   )--
Simon (   -- Suitcase) Nomis
 Htag.pl 0.0.19



Re: Debian security being trashed in Linux Today comments

2002-01-14 Thread Tim Haynes

"Noah L. Meyerhans" <[EMAIL PROTECTED]> writes:

> On Mon, Jan 14, 2002 at 01:37:50PM +, Simon Huggins wrote:
> > So perhaps Debian security is only as good as the package maintainers?
>> I'm sure most maintainers do care and do investigate bugs I probably
>> just had a bad experience.
>
> That is the case in unstable and testing, but not stable. That is why
> you're encouraged to run stable on any machine connected to the internet.
> In its case, there is a group within Debian who is responsible for
> providing security updates in a timely manner with or without assistance
> from the package maintainer.

Agreed. You have to decide for the situation at hand; as it happens, my
favourite colo swerver runs Testing, on the grounds that one of these days,
Stable will change en-masse and the last thing I want is for ssh not to
restart in my daily dist-upgrades of nearly every package on the box - the
machine came home for a bit of TLC one time and got put onto Testing so the
daily dist-upgrade only does a few packages rather than the whole lot.
In the meantime, security patches (notably only _mutt_ anyway) can come
down from Unstable.

Cheers,

~Tim
-- 



-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]




Re: Debian security being trashed in Linux Today comments

2002-01-14 Thread Noah L. Meyerhans

On Mon, Jan 14, 2002 at 01:37:50PM +, Simon Huggins wrote:
> So perhaps Debian security is only as good as the package maintainers?
> I'm sure most maintainers do care and do investigate bugs I probably
> just had a bad experience.

That is the case in unstable and testing, but not stable.  That is why
you're encouraged to run stable on any machine connected to the
internet.  In its case, there is a group within Debian who is
responsible for providing security updates in a timely manner with or
without assistance from the package maintainer.

noah

-- 
 ___
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html 



msg05231/pgp0.pgp
Description: PGP signature


Re: Debian security being trashed in Linux Today comments

2002-01-14 Thread Daniel Polombo

Adam Warner wrote:


On Tue, 2002-01-15 at 01:05, Tim Haynes wrote:



Some of us wouldn't dare say such things without at least reviewing the
given distro's security policy, FAQ and history.



But I was really impressed that updates for unstable/testing were
released at the same time. For those of us that use/test the bleeding
edge on our systems it's a great reassurance to see the security team
giving consideration to the security of testing/unstable.



Well, maybe you should follow Tim's advice and go check the security team's FAQ 
:

   Q: How is security handled for testing and unstable?

   A: The short answer is: it's not. Testing and unstable are rapidly moving
  targets and the security team does not have the resources needed to
  properly support those. If you want to have a secure (and stable)
  server you are strongly encouraged to stay with stable.

Of course, if you're using unstable, fixes tend to appear quickly, but :

- "tend to" is not acceptable when security is concerned
- it may take a lot more time depending on your local mirror

--
Daniel



Re: Debian security being trashed in Linux Today comments

2002-01-14 Thread Adam Warner
On Tue, 2002-01-15 at 01:05, Tim Haynes wrote:
> Adam Warner <[EMAIL PROTECTED]> writes:
> 
> > http://www.linuxtoday.com/news_story.php3?ltsn=2002-01-14-002-20-SC-DB
> >
> > Someone with better knowledge of all the facts might want to comment on
> > the claim that "Debian is always the last to fix security holes" and the
> > tag team follow up "I've been fighting for months now to try to convince
> > them to release an advisory or fix for ftpd..."
> 
> Some of us wouldn't dare say such things without at least reviewing the
> given distro's security policy, FAQ and history.
> 
>  is over there ---> .

I'm aware that Debian manages to get advisories out extremely
quickly--in some cases before any other distribution. But I'm not aware
of the history of the second posters claims.

I did recently note that the latest exim advisory was released on 4
January but the fix for uncontrolled program execution was posted by
Philip Hazel on 19 December. That's no 48 hours. And the patch was even
provided in the post [in this case I suspect the post by Philip Hazel
was missed].

But I was really impressed that updates for unstable/testing were
released at the same time. For those of us that use/test the bleeding
edge on our systems it's a great reassurance to see the security team
giving consideration to the security of testing/unstable.

Regards,
Adam



Re: Debian security being trashed in Linux Today comments

2002-01-14 Thread Wichert Akkerman
Previously Adam Warner wrote:
> Someone with better knowledge of all the facts might want to comment on
> the claim that "Debian is always the last to fix security holes" and the
> tag team follow up "I've been fighting for months now to try to convince
> them to release an advisory or fix for ftpd..."

Someone should point them to Javier's analysis of security response
times..

Wichert.

-- 
  _
 /[EMAIL PROTECTED] This space intentionally left occupied \
| [EMAIL PROTECTED]http://www.liacs.nl/~wichert/ |
| 1024D/2FA3BC2D 576E 100B 518D 2F16 36B0  2805 3CB8 9250 2FA3 BC2D |



Re: Debian security being trashed in Linux Today comments

2002-01-14 Thread Javier Fernández-Sanguino Peña

On Mon, Jan 14, 2002 at 01:15:16PM +0100, Wichert Akkerman wrote:
> Previously Adam Warner wrote:
> > Someone with better knowledge of all the facts might want to comment on
> > the claim that "Debian is always the last to fix security holes" and the
> > tag team follow up "I've been fighting for months now to try to convince
> > them to release an advisory or fix for ftpd..."
> 
> Someone should point them to Javier's analysis of security response
> times..

Thanks' I was about to say so... BTW pointer is:
http://lists.debian.org/debian-security/2001/debian-security-200112/msg00257.html

I'm going to add this to the info available in the "Debian
Security Manual" seems to be a FAQ

Javi


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]




Re: Debian security being trashed in Linux Today comments

2002-01-14 Thread Tim Haynes
Adam Warner <[EMAIL PROTECTED]> writes:

> http://www.linuxtoday.com/news_story.php3?ltsn=2002-01-14-002-20-SC-DB
>
> Someone with better knowledge of all the facts might want to comment on
> the claim that "Debian is always the last to fix security holes" and the
> tag team follow up "I've been fighting for months now to try to convince
> them to release an advisory or fix for ftpd..."

Some of us wouldn't dare say such things without at least reviewing the
given distro's security policy, FAQ and history.

 is over there ---> .

~Tim
-- 




Re: Debian security being trashed in Linux Today comments

2002-01-14 Thread Simon Huggins

On Mon, Jan 14, 2002 at 12:05:34PM +, Tim Haynes wrote:
> Adam Warner <[EMAIL PROTECTED]> writes:
> > http://www.linuxtoday.com/news_story.php3?ltsn=2002-01-14-002-20-SC-DB
> >
> > Someone with better knowledge of all the facts might want to comment
> > on the claim that "Debian is always the last to fix security holes"
> > and the tag team follow up "I've been fighting for months now to try
> > to convince them to release an advisory or fix for ftpd..."
> Some of us wouldn't dare say such things without at least reviewing
> the given distro's security policy, FAQ and history.

>  is over there ---> .

Indeed.  My only experience with trying to get an exploitable package
patched was rather disappointing though.

I believe (not being a Debian developer myself) that [EMAIL PROTECTED]
goes to debian-private which is only available to developers.  It then
requires the developer of the package you're reporting about to be awake
enough to /do/ something about the bug you are reporting.

I had problems with apache whose old maintainer didn't really seem to
care (bug 104187 for the gory details)

So perhaps Debian security is only as good as the package maintainers?
I'm sure most maintainers do care and do investigate bugs I probably
just had a bad experience.


-- 
--(  "Have you seen a man who's lost his luggage?"   )--
Simon (   -- Suitcase) Nomis
 Htag.pl 0.0.19


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]




Re: Debian security being trashed in Linux Today comments

2002-01-14 Thread Daniel Polombo

Adam Warner wrote:

> On Tue, 2002-01-15 at 01:05, Tim Haynes wrote:

>>Some of us wouldn't dare say such things without at least reviewing the
>>given distro's security policy, FAQ and history.

> But I was really impressed that updates for unstable/testing were
> released at the same time. For those of us that use/test the bleeding
> edge on our systems it's a great reassurance to see the security team
> giving consideration to the security of testing/unstable.


Well, maybe you should follow Tim's advice and go check the security team's FAQ :

Q: How is security handled for testing and unstable?

A: The short answer is: it's not. Testing and unstable are rapidly moving
   targets and the security team does not have the resources needed to
   properly support those. If you want to have a secure (and stable)
   server you are strongly encouraged to stay with stable.

Of course, if you're using unstable, fixes tend to appear quickly, but :

- "tend to" is not acceptable when security is concerned
- it may take a lot more time depending on your local mirror

--
Daniel


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]




Re: Debian security being trashed in Linux Today comments

2002-01-14 Thread Adam Warner

On Tue, 2002-01-15 at 01:05, Tim Haynes wrote:
> Adam Warner <[EMAIL PROTECTED]> writes:
> 
> > http://www.linuxtoday.com/news_story.php3?ltsn=2002-01-14-002-20-SC-DB
> >
> > Someone with better knowledge of all the facts might want to comment on
> > the claim that "Debian is always the last to fix security holes" and the
> > tag team follow up "I've been fighting for months now to try to convince
> > them to release an advisory or fix for ftpd..."
> 
> Some of us wouldn't dare say such things without at least reviewing the
> given distro's security policy, FAQ and history.
> 
>  is over there ---> .

I'm aware that Debian manages to get advisories out extremely
quickly--in some cases before any other distribution. But I'm not aware
of the history of the second posters claims.

I did recently note that the latest exim advisory was released on 4
January but the fix for uncontrolled program execution was posted by
Philip Hazel on 19 December. That's no 48 hours. And the patch was even
provided in the post [in this case I suspect the post by Philip Hazel
was missed].

But I was really impressed that updates for unstable/testing were
released at the same time. For those of us that use/test the bleeding
edge on our systems it's a great reassurance to see the security team
giving consideration to the security of testing/unstable.

Regards,
Adam


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]




Re: Debian security being trashed in Linux Today comments

2002-01-14 Thread Wichert Akkerman

Previously Adam Warner wrote:
> Someone with better knowledge of all the facts might want to comment on
> the claim that "Debian is always the last to fix security holes" and the
> tag team follow up "I've been fighting for months now to try to convince
> them to release an advisory or fix for ftpd..."

Someone should point them to Javier's analysis of security response
times..

Wichert.

-- 
  _
 [EMAIL PROTECTED] This space intentionally left occupied \
| [EMAIL PROTECTED]http://www.liacs.nl/~wichert/ |
| 1024D/2FA3BC2D 576E 100B 518D 2F16 36B0  2805 3CB8 9250 2FA3 BC2D |


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]




Re: Debian security being trashed in Linux Today comments

2002-01-14 Thread Tim Haynes

Adam Warner <[EMAIL PROTECTED]> writes:

> http://www.linuxtoday.com/news_story.php3?ltsn=2002-01-14-002-20-SC-DB
>
> Someone with better knowledge of all the facts might want to comment on
> the claim that "Debian is always the last to fix security holes" and the
> tag team follow up "I've been fighting for months now to try to convince
> them to release an advisory or fix for ftpd..."

Some of us wouldn't dare say such things without at least reviewing the
given distro's security policy, FAQ and history.

 is over there ---> .

~Tim
-- 



-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]