What about Debian???

Posted Mar 6, 2003 18:07 UTC (Thu) by pflugstad (subscriber, #224)
Parent article: Vulnerability disclosure and government

I've read several accounts that the Debian project was NOT given a heads up about this and had to scramble when the announcement came out to get a bug fix out ASAP.

IMO, that's wrong. If you're going to warn other distros, such as Red Hat and SuSE, why not Debian? What, just because they don't pay taxes (they're non-profit) they don't get early warning? And what about the other distros that have sizeable installed bases - was Slackware warned ahead of time? What about Mandrake?

But then, how big an installed base do you need before you get these warnings ahead of the general announcement? That's quite a can of worms to open up. All of which argues for letting everyone know at the same time. Picking and choosing who gets to be in the know and who does not is just going to lead to chaos, lots of exploits and more problems.


What about Debian???

Posted Mar 7, 2003 20:23 UTC (Fri) by Peter (guest, #1127)

I've read several accounts that the Debian project was NOT given a heads up about this and had to scramble when the announcement came out to get a bug fix out ASAP.

That would probably be because the Debian project doesn't have any actual "employees", so it might be hard to trust that the security team can keep their mouths shut. Sure, I trust the Debian security team with that sort of thing. But the US Dept of Homeland Security probably doesn't trust them. Debian is just a band of Communists, you know.

What about Debian???

Posted Mar 14, 2003 3:38 UTC (Fri) by MLKahnt (subscriber, #6642)

While I didn't get the Sendmail advisory from DHS, I did get one a couple days later on a different matter from an address I didn't recognise and did not connect with the US government or someone else I might presume as being authoritative, claiming to be a division of the Department of Homeland Security. It honestly left me wondering if someone was trying to coax me to install some strange patch without any idea of the credibility of the source. There wasn't even some attempt at using an authoritative encrypted signature such as with PGP or GPG.

I act on alerts from CERT and from Debian - DHS will need to work *hard* to earn my trust and respect.

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds