Neil Williams wrote:

> How many of those affect Sarge? How many are going to make it into
> Etch? Bugs of all kinds are expected in unstable and some in that list
> only affect experimental. All security bugs are release critical -
> that's one reason why Etch is delayed.

Some do. The one I mentioned has been moved to being a "policy issue", which means it wouldn't stop Etch being released with this issue (okay, that one is pretty minor in the scheme of things, members of group staff can escalate their privileges to root, but then group staff is for "IT support staff you trust"), but worth bearing in mind: just because an issue arises from a policy doesn't make it any less wrong (not saying this specific policy is wrong, it is just illustrative of its class).

I assume similar comments might apply to bugs assigned to other "pseudo packages". I'm not up enough on Debian policies and procedures to spot the flaws in them, but I assume if the package isn't in Etch, it won't stop Etch releasing, even if there is a relevant security issue, unless there is a special check for it being relevant before release.

One interesting result of the Debian policy of not releasing packages from unstable with security vulnerabilities is that packages with known security issues might make it into distributions based off Debian unstable, if the authors of said distro weren't extremely careful.

Simon stares at his console-based IRC client's security record and hurriedly types "apt-get remove rhapsody"... hmm, yep, it seems to be in the Ubuntu Universe. Of course they might have fixed all the problems, but you'd think they would have altered the version number if they had done that. Launchpad doesn't seem to have imported/linked the relevant Debian bugs. Anyone going to use their "apt" foo and tell us what proportion of packages in Ubuntu are too insecure to make it into Debian?

But Debian policy here affects only reported bugs. It is quite possible for software to make it in without the necessary checks to detect trivial issues with the code. Debian-audit is a remarkably quiet mailing list, and I assume DDs aren't doing these things routinely (or at least weren't historically, otherwise a lot of bugs (and software) would never have made it in). Urm, I'm guilty here too, but not in any Debian-specific way :(

But Iceweasel on Debian Etch, with mozplugin, can be launching a whole host of multimedia apps of varying degrees of quality. Microsoft only try to make one browser secure (on only one platform, with only a small number of their own multimedia apps). I'd be very surprised if Etch desktops didn't have similar issues lurking to the Microsoft ANI issue, although it is quite possible the diversity within Debian would prevent it having similar broad exploitability to the ANI issue (assuming the Etch desktop ever achieved enough market share to make it worth exploiting on a wide scale).
--
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/linux_adm/list-faq.html