Re: Concerns about how the Security information is presented on Debian.org

2021-12-21 Thread Max WillB
One DD replied off-the-list, so I'll quote him without attribution:
> I understand your concern, but practicality is better than theory.
>
> (...) we will get notification when vulnerabilities are exploited, and so we
> get priority.
It's not so theoretical: "Google is aware that an exploit

Re: Concerns about how the Security information is presented on Debian.org

2021-12-21 Thread Max WillB
Dear Diederik, New code fixes old bugs, but introduces new ones. Then Debian comes in and, at some point, applies a small portion of those fixes to old code. My problem is that debian.org/security is not telling you that. People read the page and get the mistaken impression that all of

Re: Concerns about how the Security information is presented on Debian.org

2021-12-19 Thread Max WillB
Dear Andrew, My critique is NOT of how the Debian project manages updates in Stable. It's of the decision not to inform the users of the inherent limitations of Debian's approach, which I believe is a violation of the social contract. Let me make some concrete proposals for debian.org/security

Re: Concerns about how the Security information is presented on Debian.org

2021-12-19 Thread Max WillB
Davide Prina wrote:
> you must understand that whoever reports a security problem can be a different
> person
The point is, to quote the paper: "a vast majority of vulnerabilities and their corresponding security patches remain beyond public exposure". Vulnerabilities are fixed in fresh versions

Re: Concerns about how the Security information is presented on Debian.org

2021-12-17 Thread Max WillB
Am I really the only one who thinks that it's a direct violation of the social contract? Of course, I wouldn't expect a commercial entity in Debian's position to be upfront with their users about the limitations of their product, but Debian was supposed to be different, was it not? -- Sent

Concerns about how the Security information is presented on Debian.org

2021-12-16 Thread Max WillB
Hello. Let me first say that while my message is critical, Debian is my favorite Linux distro, and I've used many over many years. The goal of this post is to improve the way the security information is communicated on debian.org, which I believe is misleading. security.debian.org starts off