On Wed, Dec 22, 2021 at 09:27:57AM +0100, Agata Erminia Pennisi wrote:
> Thanks Andrey. So the future Debian Stable release will probably not
> include Chromium if the vulnerabilities are not fixed and this will also
> happen in future third party Linux distros.
>
> I think upstream developers (Go
Thanks Andrey. So the future Debian Stable release will probably not
include Chromium if the vulnerabilities are not fixed and this will also
happen in future third party Linux distros.
I think upstream developers (Google) will have an interest in fixing
vulnerabilities and potential exploits.
Th
On Wed, Dec 22, 2021 at 02:15:04AM +0100, Agata Erminia Pennisi wrote:
> Dear Max,
> I am a simple user.
> Thank you for notifying the community of the unresolved Chromium
> vulnerabilities.
> You can use official channels to report vulnerabilities.
Chromium being full of vulnerabilities is well-k
Dear Max,
I am a simple user.
Thank you for notifying the community of the unresolved Chromium
vulnerabilities.
You can use official channels to report vulnerabilities. Also, if you find
these vulnerabilities "dangerous" and underrated, report them to the
community as you did with Chromium. You mus
One DD replied off-the-list, so I'll quote him without attribution:
> I understand your concern, but practicality is better than theory.
>
> (...) we will get notification when vulnerabilities are exploited, and so we
> get priority.
It's not so theoretical:
"Google is aware that an exploit fo
Dear Diederik,
New code fixes old bugs, but introduces new ones. Then Debian comes in and, at
some point, applies a small portion of those fixes to old code.
My problem is that debian.org/security is not telling you that. People read the
page and get the mistaken impression that all of Debian's
On Monday, 20 December 2021 00:03:51 CET Max WillB wrote:
> 3. Inform the users that using anything but the latest version of the kernel
> (2) and other packages comes with inherent risks and explain them (delays
> in backporting fixes and known vulnerabilities not being disclosed)
>
> (2) https:/
Dear Andrew,
My critique is NOT of how the Debian project manages updates in Stable. It's of
the decision not to inform the users of the inherent limitations of Debian's
approach, which I believe is a violation of the social contract.
Let me make some concrete proposals for debian.org/security
Dear Max,
I am also a simple Debian user.
Debian naturally follows the free software rules of the do-ocracy.
Therefore, you can share the vulnerabilities you encounter in the software
with both the upstream developers and the dedicated security team.
In addition, the customary law of open source c
On Sun, Dec 19, 2021 at 05:37:40PM +0100, Max WillB wrote:
> Davide Prina wrote:
>
> > you must understand that whoever reports a security problem can be a
> > different person
>
> The point is, to quote the paper:
>
> "a vast majority of vulnerabilities and their corresponding security
> patches
Davide Prina wrote:
> you must understand that whoever reports a security problem can be a different
> person
The point is, to quote the paper:
"a vast majority of vulnerabilities and their corresponding security patches
remain beyond public exposure"
Vulnerabilities are fixed in fresh versions o
Hi,
I'm only a Debian user, so wait for some more expert answers.
Probably it is better that you ask these questions on the security
mailing list or user list.
On 17/12/21 07:42, Max WillB wrote:
security.debian.org starts off with "Debian takes security very seriously."
and goes on about how gr
Am I really the only one who thinks that it's a direct violation of the social
contract? Of course, I wouldn't expect a commercial entity in Debian's position
to be upfront with their users about the limitations of their product, but
Debian was supposed to be different, was it not?
--
Sent wit
Hello
Let me first say that while my message is critical, Debian is my favorite Linux
distro, and I've used many over many years. The goal of this post is to improve
the way the security information is communicated on debian.org, which I believe
is misleading.
security.debian.org starts off wi
14 matches