Re: possible hole in mozilla et al
q -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
RE: possible hole in mozilla et al
I agree with Tim Uckun's comments - we don't need bleeding edge, but we also don't need some-obscure-whizzo-package-on-104-obsolete-hardware-architectures.deb holding up basic things like Apache, PHP, Perl, Mod_Perl, MySQL etc. We would be over the moon to have a mini-stable that only contained core packages, and that kept better pace with the real world.

I have given this more thought since I posted my comments and it occurs to me that this is a business opportunity more than anything else. What is needed is a distro based on debian, following the same rules of safety as debian, using the same packages etc. Everything is the same except that apt-sources points to a list which contains a smaller set of platform specific packages. This list gets updated as often as possible while staying with the safety requirements of debian.

As for us we decided to go with freebsd on some systems thinking it might offer security along with more frequently updated ports. So far I am not impressed with it. The ports are not as easy to use as apt, and ports are sometimes just plain old broken.

If anybody has an answer I'm all ears as long as the answer does not contain the words microsoft or red or hat.
Re: possible hole in mozilla et al
On Wed, May 08, 2002 at 10:58:38PM +0200, Wichert Akkerman wrote:
> Previously Raymond Wood wrote:
> > but I would really like to see either:
> > a) woody receiving security patches as soon as sid and potato;
> > or
> > b) no woody.
>
> From a security viewpoint b) is the only option, and we have always said
> so.

s/woody/testing/g

Otherwise that is not true.

Javi
RE: possible hole in mozilla et al
> Coming from a corporate environment I hardly feel that stable is ancient.

Also coming from a corporate environment, and one specifically focused on web technologies, I disagree. We have been forced to mix stable/testing to get basic fixes in things like Apache. Another thing that really irritates is that the commercial and non-commercial security scanning tools throw lots of 'this version is insecure' false positives which all have to be investigated and ticked once proof of patch has been established, and we run such scanning frequently.

> But with Debian I can point to the unstable-testing-stable system and my
> boss understands that it has already gone through a 'teething' period
> before it's released.

This is also one reason that we use Debian - though more important to us is the improved security through fine-grained package control.

> If Debian were to accelerate the path to stable too much stable would lose
> its value to us. (unless security fixes were released for older stable
> versions)

The opposite is true of our company - stable lags so far behind now that we have been forced to combine stable/testing/unstable - not only in things like Apache, but even in basics like the use of netfilter stateful firewalling in the 2.4 kernel series.

I agree with Tim Uckun's comments - we don't need bleeding edge, but we also don't need some-obscure-whizzo-package-on-104-obsolete-hardware-architectures.deb holding up basic things like Apache, PHP, Perl, Mod_Perl, MySQL etc. We would be over the moon to have a mini-stable that only contained core packages, and that kept better pace with the real world.

-----Original Message-----
From: James Morgan
Sent: 09 May 2002 01:30
To: debian-security@lists.debian.org
Subject: Re: possible hole in mozilla et al

At 15:38 2002-05-08 -0600, Tim Uckun wrote:
> The situation right now is that for production you run an ancient system
> or cross your fingers, hold your breath and run unstable.

Coming from a corporate environment I hardly feel that stable is ancient. With most commercial operating systems the quality control seems so poor it takes a few years before we feel comfortable moving to a new release. But with Debian I can point to the unstable-testing-stable system and my boss understands that it has already gone through a 'teething' period before it's released. If Debian were to accelerate the path to stable too much stable would lose its value to us. (unless security fixes were released for older stable versions)
Re: possible hole in mozilla et al
On Thu, 2002-05-09 at 01:22, Tim Uckun wrote:
> I am not arguing for any change in the policies for determining what is
> stable and what is not. My feeling is (and I admit I haven't done any
> studies) that stable gets delayed sometimes due to obscure packages having
> bugs or obscure platform specific bugs. It seems to me that most commonly
> used packages like apache, php, postgres etc have a pretty good track
> record and could be considered stable a few months after they are released.
>
> Using the same criteria used by the debian folks now you could have more
> frequent updates if you simply selected a small set of carefully chosen
> packages. Kind of a debian sub distro.

For those that need some of the new versions of packages (EG: Being stuck with the `stable' version of postgresql would be silly if you used it heavily) it is not that difficult to get around it by having a deb-src line that points at testing.

    apt-get build-dep apache
    apt-get -b source apache

It is not going to work all the time. Sometimes the build depends have to be built from testing as well...

Having lots of different stable branches as suggested by someone else would make the security team's job pretty difficult, and it is already hard enough from what I gather.

On another note... I imagine that some of the security updates for stable have caused some frustration to the security team, as the flaw is sometimes something that has been fixed in a later version, and applying that fix to the older (Read: Old version not maintained any more upstream) version could be non-trivial and seem a little futile when upgrading to a new version fixes the problem.

-- David Stanaway
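The deb-src workflow David describes, written out as an added example script. This is not code from the original post or from Debian; it assumes a Debian box with apt-get and dpkg-dev installed, a sources file at the path shown (or one passed as an argument), the suite name `testing`, and the hypothetical mirror URL given as the default. The point it adds beyond the two commands is the check a practitioner wants: only a `deb-src` line for testing is added, and the script refuses to run if a binary `deb` line for testing is present, since that is what silently turns a stable box into a mixed one.

```shell
#!/bin/sh
# Added example (not from the original thread): pull one package from
# testing as source and rebuild it on a stable box, without ever adding
# a binary "deb" line for testing, so apt-get upgrade cannot pull
# testing binaries in by accident.
set -eu

# Add a deb-src line for the given suite to a sources file, once.
# Returns 0 whether the line was already there or has just been added.
ensure_src_line() {
    file=$1; mirror=$2; suite=$3
    line="deb-src $mirror $suite main"
    if grep -Fxq "$line" "$file" 2>/dev/null; then
        return 0
    fi
    printf '%s\n' "$line" >> "$file"
}

# Succeed only if the sources file has no binary "deb" line for the
# suite (a "deb-src" line does not match: "deb" must be followed by
# whitespace, not "-src").
is_src_only() {
    file=$1; suite=$2
    ! grep -Eq "^deb[[:space:]]+.*[[:space:]]$suite([[:space:]]|$)" "$file"
}

# Build <pkg> from the newest available source package (the testing one,
# once the deb-src line is in place) into <workdir>.
build_from_testing() {
    pkg=$1; workdir=$2
    mkdir -p "$workdir"
    (
        cd "$workdir"
        apt-get update
        # Installs the package's Build-Depends from stable. If a build
        # dependency itself is too old in stable this step fails, and
        # that dependency needs the same treatment first (the post's
        # "sometimes the build depends have to be built from testing").
        apt-get build-dep "$pkg"
        # -b: fetch the source package and build binary .debs right away.
        apt-get -b source "$pkg"
        ls ./*.deb
    )
}

# Usage: sh backport.sh <pkg> [sources-file] [mirror]
main() {
    pkg=$1
    sources=${2:-/etc/apt/sources.list}
    # Assumed default mirror; any Debian mirror works here.
    mirror=${3:-http://ftp.debian.org/debian}
    ensure_src_line "$sources" "$mirror" testing
    is_src_only "$sources" testing || {
        echo "refusing: $sources has a binary 'deb' line for testing" >&2
        exit 1
    }
    build_from_testing "$pkg" "/var/tmp/backport-$pkg"
}

case "${1:-}" in
    "") ;;             # no arguments: only define the functions
    *) main "$@" ;;
esac
```

The resulting .debs carry the testing version string, so a later `apt-get upgrade` against stable leaves them alone; the security team's stable advisories will not cover them either, which is the trade-off the thread is about.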
Re: possible hole in mozilla et al
> Coming from a corporate environment I hardly feel that stable is ancient.
> With most commercial operating systems the quality control seems so poor
> it takes a few years before we feel comfortable moving to a new release.
> But with Debian I can point to the unstable-testing-stable system and my
> boss understands that it has already gone through a 'teething' period
> before it's released. If Debian were to accelerate the path to stable too
> much stable would lose its value to us. (unless security fixes were
> released for older stable versions)

I am not arguing for any change in the policies for determining what is stable and what is not. My feeling is (and I admit I haven't done any studies) that stable gets delayed sometimes due to obscure packages having bugs or obscure platform specific bugs. It seems to me that most commonly used packages like apache, php, postgres etc have a pretty good track record and could be considered stable a few months after they are released.

Using the same criteria used by the debian folks now you could have more frequent updates if you simply selected a small set of carefully chosen packages. Kind of a debian sub distro.

-- Tim Uckun, Mobile Intelligence Unit. -- "There are some who call me TIM?" --
Re: possible hole in mozilla et al
At 15:38 2002-05-08 -0600, Tim Uckun wrote:
> The situation right now is that for production you run an ancient system
> or cross your fingers, hold your breath and run unstable.

Coming from a corporate environment I hardly feel that stable is ancient. With most commercial operating systems the quality control seems so poor it takes a few years before we feel comfortable moving to a new release. But with Debian I can point to the unstable-testing-stable system and my boss understands that it has already gone through a 'teething' period before it's released. If Debian were to accelerate the path to stable too much stable would lose its value to us. (unless security fixes were released for older stable versions)
Re: possible hole in mozilla et al
At 10:58 PM 5/8/2002 +0200, Wichert Akkerman wrote:
> Previously Raymond Wood wrote:
> > but I would really like to see either:
> > a) woody receiving security patches as soon as sid and potato;
> > or
> > b) no woody.
>
> From a security viewpoint b) is the only option, and we have always said so.

What if. What if there were more debian distributions each of which contained a smaller subset of the master debian distribution. For example debian-server-386, debian-thinclient, debian-Xclient and whatnot. There would be one master unstable and testing but numerous stable distros.

The idea being that sometimes the stable distros get held up because some obscure package still has release critical bugs in it. Maybe it only affects one platform but not another. Maybe by breaking the distros up into smaller chunks there would be more recent versions of stable and people would not feel the need to run testing.

The situation right now is that for production you run an ancient system or cross your fingers, hold your breath and run unstable.

:wq
Tim Uckun
US Investigations Services/Due Diligence
http://www.diligence.com/
Re: possible hole in mozilla et al
Previously Raymond Wood wrote:
> but I would really like to see either:
> a) woody receiving security patches as soon as sid and potato;
> or
> b) no woody.

From a security viewpoint b) is the only option, and we have always said so.

Wichert.
-- http://www.liacs.nl/~wichert/
Re: possible hole in mozilla et al
This bug has been fixed in Mozilla upstream and will be included in the 1.0 release. You can dig in Bugtraq for more info.

-nicole

At 15:26 on May 8, Robert Millan combined all the right letters to say:
> Hi,
>
> Just noticed this advisory, stating a remote vulnerability
> in mozilla:
>
> http://sec.greymagic.com/adv/gm001-ns/
>
> It claims to affect 0.9.7+ but on 1.0 all it does
> is crashing my browser.
>
> Please CC to contact me, not subscribed.
Re: possible hole in mozilla et al
On Wed, May 08, 2002 at 02:51:51PM -0400, Noah L. Meyerhans imagined:
> On Wed, May 08, 2002 at 03:26:46PM +0200, Robert Millan wrote:
> > http://sec.greymagic.com/adv/gm001-ns/
> >
> > It claims to affect 0.9.7+ but on 1.0 all it does is
> > crashing my browser.
>
> That bug was fixed in the version of mozilla from sid, but
> *not* woody. Woody appears vulnerable and had probably better
> get fixed before the release.
>
> noah

The Woody/security issue really is a systemic problem with the Debian release structure IMO. I'm sure it has been discussed to death, but I would really like to see either:

a) woody receiving security patches as soon as sid and potato;
or
b) no woody.

I think it is that simple, and the current situation is atrocious and unacceptable, from a security perspective.

As far as mozilla/sid goes, my browser crashes too, which is technically a 'fix', but not a real fix. A real fix would avoid the exploit, and not crash :-) Too bad I don't code more advanced stuff - maybe someday...

My $0.02,
Raymond

-- "You deserve to be able to cooperate openly and freely with other people who use software. You deserve free software." -Richard M. Stallman, Free Software Foundation, http://www.fsf.org
Re: possible hole in mozilla et al
On Wed, May 08, 2002 at 03:26:46PM +0200, Robert Millan wrote:
> http://sec.greymagic.com/adv/gm001-ns/
>
> It claims to affect 0.9.7+ but on 1.0 all it does
> is crashing my browser.

That bug was fixed in the version of mozilla from sid, but *not* woody. Woody appears vulnerable and had probably better get fixed before the release.

noah
-- Web: http://web.morgul.net/~frodo/ | PGP Public Key: http://web.morgul.net/~frodo/mail.html