Some statements on debian.org/security are inaccurate, and many people are misled by them.
I propose replacing
"""
Debian takes security very seriously. We handle all security problems brought to our attention and ensure that they are corrected within a reasonable timeframe.
"""
with something more factual, like
"""
Debian's security updates are created by volunteers working in their spare time. Some packages may receive more attention than others. To view the current list of known unfixed vulnerabilities see https://security-tracker.debian.org/tracker/status/release/stable
"""
(Side note: It seems that NVD tends to assign "medium" severity to vulnerabilities initially, but upgrades them to "high" or "critical" later. However, Debian keeps showing the initial severity rating)
I'd also like to see information on both how to submit
vulnerabilities as well as how to contribute to getting them fixed.
> Debian's security updates are created by volunteers working in their
> spare time. Some packages may receive more attention than others. To
> view the current list of known unfixed vulnerabilities see https://security-tracker.debian.org/tracker/status/release/stable

This isn't entirely factual either.

> (Side note: It seems that NVD tends to assign "medium" severity to vulnerabilities initially, but upgrades them to "high" or "critical"
> later. However, Debian keeps showing the initial severity rating)

Please send a patch, issue or mail about that separately.

We are going to stop anyway at some point displaying the NVD severity, for context see #992115.
January 10, 2022 6:31:37 AM CET Salvatore Bonaccorso <carnil@debian.org> wrote:
> We are going to stop anyway at some point displaying the NVD severity, for context see #992115.

As I see it, Debian should be free to display or not display NVD
ratings, but it shouldn't display the incorrect "medium" NVD ratings,
when they are actually much worse, as it's been doing. In fact, I
think it should issue a public retraction.

Any progress on my original proposal? Are the wheels in motion?
https://lists.debian.org/debian-security/2021/12/msg00002.html
https://lists.debian.org/debian-security/2022/01/msg00002.html

I can't help but feel that it's a 15 second job for anyone with write
access to the site, and the reprehensibility of the current claims
should be obvious to those with a working moral compass.
max <maxwillb@mailfence.com> wrote on 14/01/2022 at 00:38:44+0100:
> January 10, 2022 6:31:37 AM CET Salvatore Bonaccorso <carnil@debian.org> wrote:
>> We are going to stop anyway at some point displaying the NVD severity, for context see #992115.
>
> As I see it, Debian should be free to display or not display NVD
> ratings, but it shouldn't display the incorrect "medium" NVD ratings,
> when they are actually much worse, as it's been doing. In fact, I
> think it should issue a public retraction.
>
> Any progress on my original proposal? Are the wheels in motion?
> https://lists.debian.org/debian-security/2021/12/msg00002.html
> https://lists.debian.org/debian-security/2022/01/msg00002.html
>
> I can't help but feel that it's a 15 second job for anyone with write
> access to the site, and the reprehensibility of the current claims
> should be obvious to those with a working moral compass.

Maybe at some time you could just stop keeping on insisting on that
matter?

Regards,
--
PEB
January 14, 2022 11:44:39 PM CET "Pierre-Elliott Bécue" <peb@debian.org> wrote:
> Maybe at some time you could just stop keeping on insisting on that
> matter?

I thought this was just an oversight, but since this is intentional,
it isn't. How can you possibly justify and continue such a flagrant misrepresentation?

"""
We handle all security problems brought to our attention and ensure that
they are corrected within a reasonable timeframe. Many advisories are coordinated with other free software vendors and are published the same day a vulnerability is made public and we also have a Security Audit team that reviews the archive looking for new or unfixed security bugs.
"""

Half a year is not "within a day", or "a reasonable timeframe".
Mislabeling "critical" NVD ratings as "medium" fits the same pattern.
If you want things changed, you gotta do the work. Be a developer, join

if you keep being pushy, ask that you are temporarily prevented to mail debian lists

January 18, 2022 11:28:48 PM CET "Pierre-Elliott Bécue" <peb@debian.org> wrote:
> if you keep being pushy, ask that you are temporarily prevented to
> mail debian lists

You didn't actually reply to my question addressed to you. All you did was publicly threaten me (and thus anyone else who might be interested in discussing this issue) with a ban. That's some shameful stuff.

And yes, if it looks like I stopped posting, it means that I was banned.