• Re: Concerns about Security of packages in Debian OS and the Operating

    From Paul Wise@21:1/5 to piorunz on Wed May 25 03:20:01 2022
    On Tue, 2022-05-24 at 16:27 +0100, piorunz wrote:

    > Important note: Disabling bullseye-updates is actually causing
    > point-release updates to be delivered on one, predetermined date,
    > bundled all together. By disabling this entry you still get them all,
    > but in controlled fashion, you are not "beta tester" of these packages.

    This is not exactly correct. The bullseye-updates suite should be used
    by almost all users. The only suite where you are really a beta tester
    for the next point release is bullseye-proposed-updates. The other two
    suites receive only very important updates:

    bullseye: read-only except during point releases

    bullseye-security: receives security updates regularly

    bullseye-updates: receives occasional time-sensitive and important
    updates, such as updates to the timezone database, which often happen
    just days before the timezone changes, or fixes for packages that get
    completely broken by some external services on the Internet, or fixes
    for packages that were initially broken but that wasn't found. There
    are only three updates in it currently, two of them are updates to the
    timezone database and one is clamav, which sometimes needs updates so
    it can continue to pull in antivirus detections.

    https://deb.debian.org/debian/dists/bullseye-updates/main/source/Sources.xz

    bullseye-proposed-updates: the contents of the next point release;
    some changes come from bullseye-security, some from bullseye-updates
    and some from package maintainers.

    https://release.debian.org/proposed-updates/stable.html

    --
    bye,
    pabs

    https://wiki.debian.org/PaulWise


    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
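    An added example, not code from the thread or from Debian: a small POSIX shell helper that reads a one-line-format apt sources.list and reports which of the bullseye suites listed above are enabled, so that bullseye-security (and, per the advice above, bullseye-updates) can be verified present rather than assumed. The sample sources.list content and the function names are constructed for the example; only the suite names come from the message. Deb822-style .sources files are not parsed.

```shell
#!/bin/sh
# Added example, not code from the thread: check which bullseye suites an
# apt sources.list enables. Assumes the one-line "deb ..." format only.

# Constructed sample sources.list (not from any real system): bullseye-updates
# is commented out, bullseye-backports is enabled.
SAMPLE_SOURCES='deb https://deb.debian.org/debian bullseye main contrib
deb-src https://deb.debian.org/debian bullseye main
deb [arch=amd64] https://deb.debian.org/debian-security bullseye-security main
# deb https://deb.debian.org/debian bullseye-updates main
deb https://deb.debian.org/debian bullseye-backports main'

# The suites the message above recommends for almost all users.
RECOMMENDED='bullseye bullseye-security bullseye-updates'

# enabled_suites: read sources.list text on stdin and print each suite named
# by an active "deb" line, one per line, sorted and deduplicated.
# "deb-src" lines, comments and [option] fields are ignored.
enabled_suites() {
    LC_ALL=C grep -E '^[[:space:]]*deb[[:space:]]' \
        | sed 's/\[[^]]*\]//' \
        | awk '{ print $3 }' \
        | LC_ALL=C sort -u
}

# missing_suites: given a space-separated list of suites as $1, print those
# NOT enabled in the sources.list text on stdin (no output = all present).
missing_suites() {
    enabled=$(enabled_suites)
    for suite in $1; do
        printf '%s\n' "$enabled" | grep -qx -- "$suite" || printf '%s\n' "$suite"
    done
}

# Demo on the constructed sample: reports "not enabled: bullseye-updates".
printf '%s\n' "$SAMPLE_SOURCES" | missing_suites "$RECOMMENDED" | while read -r s; do
    echo "not enabled: $s"
done
```

    On a real system the same check is `missing_suites "$RECOMMENDED" < /etc/apt/sources.list`; suites outside the recommended set (bullseye-backports in the sample) are listed by enabled_suites but never reported as missing.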
  • From piorunz@21:1/5 to Paul Wise on Wed May 25 14:10:01 2022
    Hi Paul,

    On 25/05/2022 02:10, Paul Wise wrote:

    > bullseye-updates: receives occasional time-sensitive and important
    > updates, such as updates to the timezone database, which often happen
    > just days before the timezone changes, or fixes for packages that get
    > completely broken by some external services on the Internet, or fixes
    > for packages that were initially broken but that wasn't found.

    All that you described here is not important for the OP, who wants to reduce
    his attack surface from the malicious developer attack scenario.
    And I argue, not important for the typical security conscious home user either.

    > There
    > are only three updates in it currently, two of them are updates to the
    > timezone database and one is clamav, which sometimes needs updates so
    > it can continue to pull in antivirus detections.

    All of them will land in "bullseye" repository on point release. Correct?

    My system will learn timezone changes in (for example) Barbados,
    Seychelles or elsewhere when time comes for the point release. I don't need
    it now, I don't live there.
    Same goes when the user does not use ClamAV: no need for antivirus definitions.
    And when the very rare occasion occurs that software in Stable will
    suddenly break due to server side updates of some software, the user can
    always stop, think and investigate. No need to keep bullseye-updates
    enabled 24/7/365 and never use it (if we exclude timezone updates and
    antivirus definitions, there is nothing really urging users to enable
    this repository). This would be widening the exposure surface without any
    real benefit.
    A situation like this happened recently: Telegram cut off old client
    versions on the server side, and Telegram in bullseye stopped working. Soon
    after, the maintainer dropped the new Telegram into bullseye-backports, so
    people could upgrade in controlled fashion. Please notice that having
    bullseye-updates would not help in this example.


    > https://deb.debian.org/debian/dists/bullseye-updates/main/source/Sources.xz

    > bullseye-proposed-updates: the contents of the next point release;
    > some changes come from bullseye-security, some from bullseye-updates
    > and some from package maintainers.

    That's Stable's "beta testing" for sure. I didn't mention that to the
    OP, I don't use it myself.

    > https://release.debian.org/proposed-updates/stable.html



    --
    With kindest regards, Piotr.

    ⢀⣴⠾⠻⢶⣦⠀
    ⣾⠁⢠⠒⠀⣿⡁ Debian - The universal operating system ⢿⡄⠘⠷⠚⠋⠀ https://www.debian.org/
    ⠈⠳⣄⠀⠀⠀⠀
