[SOLVED] Only a tiny fraction of vulnerabilities get fixed in Debian Stable?

maxb
Posts: 52
Joined: 2021-10-19 05:26

Re: [SOLVED] Only a tiny fraction of vulnerabilities get fixed in Debian Stable?

#21 Post by maxb »

I'm marking this as 'SOLVED'. See the edit in the OP.

Hallvor
Global Moderator
Posts: 2046
Joined: 2009-04-16 18:35
Location: Kristiansand, Norway

Re: [SOLVED] Only a tiny fraction of vulnerabilities get fixed in Debian Stable?

#22 Post by Hallvor »

maxb wrote: I agree, but he's not a random kook.
I have not called him a random kook, either.
maxb wrote: Have you built anything that has a Wikipedia page?
I don’t see how this is relevant, but my parents did. ;)
maxb wrote: Are you ranting on something that's in your area of expertise? If so, I'll pay attention even if you don't back up your claims.
Ranting is not my cup of tea, so you don’t have to worry about that. I am a historian, and valuing sources is my bread and butter. And let me tell you: this source has little value. Are you paying attention already?

If it were a peer-reviewed article with solid sources, his credibility would be through the roof. But no, he prefers to rant on Reddit with a horribly lopsided post with no sources and no objectivity. This is not to say that even a rant like this is worthless as a source, because, as a security professional, he has a certain ethos. However, his claims would have to be checked one by one against other sources. I have tried to make you do that from the start, but you are seemingly unable or unwilling to do so. This leaves us with a single source of little value.
maxb wrote: Some people care about shining light on some facts they are obsessed with more than they care about the social consequences of speaking out. If the security of Linux is as bad as he says, and he speaks about it, do you not think that "certain members" of the community will not react very negatively?
That is certainly a possibility, but where is the pattern? I am guessing he’s not the first person in history to speak out about security concerns in Debian. Have the others before him received poor treatment? If so, he is probably right. If not, the answer is probably to be found elsewhere.

About Chromium: I agree. I wouldn’t use it.

About Firefox: Your source is an anonymous blog run by someone who begs for cryptocurrency. He may still have a point, though, but it needs further investigation.

No, you haven’t solved anything because there is no connection between the question at hand and your conclusion. You ask one question, answer with something unrelated and mark the thread as solved.

The original question still stands: «Look at something like Debian where [...] only a tiny subset of security fixes receiving CVEs are backported [...].»

Where are the overall numbers? Until you bring them, your posts qualify as FUD.
maxb wrote: While I'll continue to use Debian (no better alternative AFAICT)
Do you want to run a system where only a tiny subset of security fixes receiving CVEs are backported? Of course not. Let me tell you, Ubuntu is great. They take security seriously and have the friendliest community. You won’t regret it.

https://ubuntu.com/
[HowTo] Install and configure Debian bookworm
Debian 12 | KDE Plasma | ThinkPad T440s | 4 × Intel® Core™ i7-4600U CPU @ 2.10GHz | 12 GiB RAM | Mesa Intel® HD Graphics 4400 | 1 TB SSD

ticojohn
Posts: 1284
Joined: 2009-08-29 18:10
Location: Costa Rica

Re: [SOLVED] Only a tiny fraction of vulnerabilities get fixed in Debian Stable?

#23 Post by ticojohn »

I know this post has been marked as SOLVED but I would like to make a comment about Firefox-ESR security issues. I regularly read and follow the security updates to Firefox and Firefox-ESR. While it is true that Firefox has a higher major release version, Firefox-ESR receives all of the security updates that are implemented in Firefox. Yes, Firefox incorporates new features that may not be made available in Firefox-ESR and these new features sometimes warrant an update to the major version number, but those features rarely involve security updates. If one takes the time to look at the Help > About Firefox link when there are updates then one would see the validity of my statement.

As to Chromium, I have no idea. I don't, and won't, use it. But I would suspect that Chromium gets pretty much the same security updates as does Chrome.
I am not irrational, I'm just quantum probabilistic.
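A way to check ticojohn's statement from the Debian side rather than from Firefox's About dialog: the changelog shipped with every Debian package (`apt changelog firefox-esr` on bullseye) lists the CVE ids each upload fixes, including fixes that were backported into an older upstream version. The parser below is an added example written for this page, not code from Debian or from any poster. It runs on a constructed changelog excerpt (placeholder package name, maintainer and CVE ids of the form CVE-0000-000N, none of them real entries) and reports which CVE ids a given installed revision should already carry.

```python
import re

# Constructed excerpt in the layout of a Debian changelog, as printed by
# `apt changelog <pkg>`. Package, versions, maintainer and CVE ids are
# placeholders for this example, not real entries.
SAMPLE_CHANGELOG = """\
examplepkg (1.2.3-1+deb11u2) bullseye-security; urgency=high

  * Backport upstream fix for CVE-0000-0003 (heap overflow in the parser).

 -- Example Maintainer <maintainer@example.invalid>  Mon, 08 Nov 2021 10:00:00 +0000

examplepkg (1.2.3-1+deb11u1) bullseye-security; urgency=medium

  * Backport fixes for CVE-0000-0001 and CVE-0000-0002.
  * CVE-0000-0002 only affected the macOS build; patch applied anyway for parity.

 -- Example Maintainer <maintainer@example.invalid>  Mon, 04 Oct 2021 10:00:00 +0000

examplepkg (1.2.3-1) unstable; urgency=medium

  * New upstream release.

 -- Example Maintainer <maintainer@example.invalid>  Mon, 02 Aug 2021 10:00:00 +0000
"""

# A stanza header is "<pkg> (<version>) <distribution>; urgency=<level>" at column 0.
STANZA_HEADER = re.compile(
    r"^(?P<pkg>[a-z0-9][a-z0-9+.-]+) \((?P<ver>[^)]+)\) (?P<dist>[^;]+);", re.M
)
CVE_ID = re.compile(r"\bCVE-\d{4}-\d{4,}\b")


def cves_by_version(changelog):
    """Return [(version, distribution, set_of_cve_ids)] in changelog order
    (newest stanza first), one tuple per upload."""
    headers = list(STANZA_HEADER.finditer(changelog))
    rows = []
    for i, h in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(changelog)
        body = changelog[h.end():end]
        rows.append((h.group("ver"), h.group("dist").strip(), set(CVE_ID.findall(body))))
    return rows


def cves_fixed_in(changelog, installed_version):
    """CVE ids mentioned in the installed revision's stanza and every older one,
    i.e. the fixes a system running installed_version already carries.
    Stanzas are newest-first, so collection starts once the installed one is reached."""
    fixed, seen = set(), False
    for ver, _dist, cves in cves_by_version(changelog):
        seen = seen or ver == installed_version
        if seen:
            fixed |= cves
    if not seen:
        raise ValueError(f"{installed_version} not found in changelog")
    return fixed


if __name__ == "__main__":
    for ver, dist, cves in cves_by_version(SAMPLE_CHANGELOG):
        print(ver, dist, sorted(cves))
    print("carried by 1.2.3-1+deb11u1:", sorted(cves_fixed_in(SAMPLE_CHANGELOG, "1.2.3-1+deb11u1")))
```

On a real system, feed it the output of `apt changelog firefox-esr` together with the version from `dpkg-query -W -f='${Version}' firefox-esr`. The changelog only records what the maintainer wrote down, so the result is a lower bound on what was fixed; it still answers the narrower question of whether a given CVE id was ever claimed as fixed in the stable package.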

cynwulf

Re: [SOLVED] Only a tiny fraction of vulnerabilities get fixed in Debian Stable?

#24 Post by cynwulf »

https://tracker.debian.org/pkg/firefox-esr
Migration status for firefox-esr (78.14.0esr-1 to 91.3.0esr-1): BLOCKED
https://bugs.debian.org/998679
EGL requires at least mesa version 21.x.
Debian stable (bullseye) ships with mesa version 20.3.5

ticojohn
Posts: 1284
Joined: 2009-08-29 18:10
Location: Costa Rica

Re: [SOLVED] Only a tiny fraction of vulnerabilities get fixed in Debian Stable?

#25 Post by ticojohn »

cynwulf wrote: 2021-11-08 11:20 https://tracker.debian.org/pkg/firefox-esr
Migration status for firefox-esr (78.14.0esr-1 to 91.3.0esr-1): BLOCKED
And yet 78.15.0esr is the version available in Bullseye. If you look at the News that appears after the testing migrations you will see that several updates have been added to Stable and Unstable. But that's how I see it.
I am not irrational, I'm just quantum probabilistic.

fch
Posts: 213
Joined: 2021-09-06 15:44

Re: [SOLVED] Only a tiny fraction of vulnerabilities get fixed in Debian Stable?

#26 Post by fch »

Hello. I was looking at the vulnerabilities not fixed in firefox-esr. It may be scary for a lot of people, but they are all issues that really don't affect security. Take a look at this one, for example:
https://www.mozilla.org/en-US/security/ ... 2021-38509
"Note: This issue only affected Mac OS operating systems. Other operating systems are unaffected."
Maybe Debian is attacked every now and then because of its great security team, which finds a lot of security vulnerabilities, while on other OSes they don't even find them. But once found, they must judge whether it's really going to affect Debian or not.

canci
Global Moderator
Posts: 2502
Joined: 2006-09-24 11:28

Re: [SOLVED] Only a tiny fraction of vulnerabilities get fixed in Debian Stable?

#27 Post by canci »

So, this entire discussion actually revolves around the sparse knowledge of hobbyists being propagated by the power of short-attention-span news and clickbait commercial platforms.

I wager that none of the opposing voices is really interested in the fact that Debian backports security fixes to older versions of packages, that not all security fixes are relevant to a specific version, etc. It's information which requires reading media longer than 150 characters and with sentences that don't start in attention grabbing hyperbole.
Stable / Asus VivoBook X421DA / AMD Ryzen 7 3700U / Radeon Vega Mobile Gfx (Picasso) / 8 GB RAM / 512GB NVMe

READ THIS:

* How to Post a Thread Here
* Other Tips and Great Resources

sunrat
Administrator
Posts: 6591
Joined: 2006-08-29 09:12
Location: Melbourne, Australia

Re: [SOLVED] Only a tiny fraction of vulnerabilities get fixed in Debian Stable?

#28 Post by sunrat »

canci wrote: 2021-11-09 09:58 So, this entire discussion actually revolves around the sparse knowledge of hobbyists being propagated by the power of short-attention-span news and clickbait commercial platforms.
That's how the world rolls now. Clicks are more important than facts.
https://techcrunch.com/2021/11/08/faceb ... arliament/

Quotes from a current campaign on Avaaz:
A brave whistleblower just leaked secret Facebook documents... and they're shocking!
They show that Facebook knew. They knew that human traffickers used Facebook to lure women into sexual slavery. They knew that it was being used to incite violence against minorities. And they knew their systems remove less than 1% of violent content!
Facebook knew all this, but still chose their profits over our safety.

And with no effective laws to hold Facebook accountable, dangerous actors will continue to spew lies, misinformation and climate denialism to millions, everywhere.
...
We've seen, time and again, the devastating consequences social media can have. In Myanmar, the military used Facebook as a tool for ethnic cleansing, spreading hatred that fuelled a bloodbath. In Palestine and Israel, viral lies are further inflaming the conflict. And just when we least need it, active climate denialism online is already trying to overshadow the climate emergency negotiations in Glasgow.
Then again, Abraham Lincoln said you can't believe anything on the internet. :mrgreen:
“ computer users can be divided into 2 categories:
Those who have lost data
...and those who have not lost data YET ”
Remember to BACKUP!

cynwulf

Re: [SOLVED] Only a tiny fraction of vulnerabilities get fixed in Debian Stable?

#29 Post by cynwulf »

canci wrote: 2021-11-09 09:58So, this entire discussion actually revolves around the sparse knowledge of hobbyists being propagated by the power of short-attention-span news and clickbait commercial platforms.
You sir, win the thread...
canci wrote: 2021-11-09 09:58I wager that none of the opposing voices is really interested in the fact that Debian backports security fixes to older versions of packages, that not all security fixes are relevant to a specific version, etc. It's information which requires reading media longer than 150 characters and with sentences that don't start in attention grabbing hyperbole.
Now, now, don't let facts get in the way of a good old fashioned troll thread...

jlsantos
Posts: 1
Joined: 2021-11-10 08:18

Re: [SOLVED] Only a tiny fraction of vulnerabilities get fixed in Debian Stable?

#30 Post by jlsantos »

maxb wrote: 2021-10-27 02:48 The lead dev of GrapheneOS (praised by Snowden and Dorsey) had some harsh things to say about the security of Linux and Debian in particular:

https://old.reddit.com/r/GrapheneOS/com ... d/ekzo6c0/
When people tell you that Debian is secure, it's like someone trying to claim that Windows XP with partial security updates (via their extended support) would be secure. It's just not based in any kind of reality with any actual reasoning / thought behind it.
Fair criticism, would you say?
I would say yes, but (as Daniel Micay mentioned) this can apply to any operating system—not just Debian.

maxb wrote: 2021-10-27 02:48 Is it true that only a fraction of CVEs actually get fixed in Debian Stable? I always assumed that they all get fixed.
It is a fraction, yes, but whether or not it is a tiny fraction is up for debate. Not everything gets fixed.
There is a section in the stable release notes for bullseye about limited security support for some packages, including web browsers:
Debian 11 includes several browser engines which are affected by a steady stream of security vulnerabilities. The high rate of vulnerabilities and partial lack of upstream support in the form of long term branches make it very difficult to support these browsers and engines with backported security fixes.
https://www.debian.org/releases/stable/ ... ty-support

maxb wrote: 2021-10-27 02:48 Edit:
I cross-posted this in LQ forums also, where someone pointed me to Debian's security tracker for Chromium, which as of this writing looks pretty bad (looks like ~100 vulnerabilities in Stable): https://security-tracker.debian.org/tra ... e/chromium
Oh yes, there has been some discussion recently regarding that: https://lists.debian.org/debian-release ... 00066.html
The security team may drop security support for chromium in buster and bullseye.
There is no announcement on a decision yet, but there have been discussions about how much work is involved in trying to keep chromium up-to-date and how difficult it has been to do so.


So, yes, Micay does provide some fair criticism but it isn't exclusive to Debian. Not everything gets fixed. Whether or not it is a tiny fraction, I can't say. Debian may or may not have chromium in the next stable release.
I have been following security-tracker.debian.org more often this year, especially after reading this blog post earlier this year, "The curious case of CVE-2020-14381": https://blog.frizn.fr/linux-kernel/cve-2020-14381. It may be of interest.
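Hallvor's earlier "Where are the overall numbers?" and jlsantos's "whether or not it is a tiny fraction, I can't say" can both be answered from the data behind security-tracker.debian.org, which publishes its whole database as JSON at https://security-tracker.debian.org/tracker/data/json (package, then CVE id, then a per-release entry with status, fixed version and urgency). The script below is an added example written for this page, not code from Debian or from any poster. It runs offline on a constructed excerpt in that format (placeholder package name and CVE ids CVE-0000-000N, not real entries) and buckets each CVE for one release into fixed, not-affected, open with no DSA planned, and open. Two assumptions about the format are stated in the comments: that a `fixed_version` of "0" is how the tracker encodes a not-affected package, and that a `nodsa` key marks an open issue the security team decided not to ship a DSA for.

```python
import json
from collections import Counter

# Constructed excerpt in the shape of https://security-tracker.debian.org/tracker/data/json
# (package -> CVE id -> per-release entry). The package name and the CVE ids
# (CVE-0000-000N) are placeholders for this example, not real tracker entries.
SAMPLE_TRACKER_JSON = """
{
  "examplepkg": {
    "CVE-0000-0001": {
      "description": "constructed: fixed in stable by a backported patch",
      "scope": "remote",
      "releases": {
        "bullseye": {"status": "resolved", "fixed_version": "1.2.3-1+deb11u1",
                     "repositories": {"bullseye": "1.2.3-1+deb11u1"}, "urgency": "high"},
        "sid": {"status": "resolved", "fixed_version": "1.3.0-1",
                "repositories": {"sid": "1.3.0-1"}, "urgency": "high"}
      }
    },
    "CVE-0000-0002": {
      "description": "constructed: only affects a platform Debian does not ship",
      "scope": "local",
      "releases": {
        "bullseye": {"status": "resolved", "fixed_version": "0",
                     "repositories": {"bullseye": "1.2.3-1+deb11u1"}, "urgency": "unimportant"},
        "sid": {"status": "resolved", "fixed_version": "0",
                "repositories": {"sid": "1.3.0-1"}, "urgency": "unimportant"}
      }
    },
    "CVE-0000-0003": {
      "description": "constructed: minor issue, no DSA planned for stable",
      "scope": "local",
      "releases": {
        "bullseye": {"status": "open", "nodsa": "Minor issue", "nodsa_reason": "",
                     "repositories": {"bullseye": "1.2.3-1+deb11u1"}, "urgency": "low"},
        "sid": {"status": "resolved", "fixed_version": "1.3.1-1",
                "repositories": {"sid": "1.3.1-1"}, "urgency": "low"}
      }
    },
    "CVE-0000-0004": {
      "description": "constructed: genuinely unfixed in stable",
      "scope": "remote",
      "releases": {
        "bullseye": {"status": "open",
                     "repositories": {"bullseye": "1.2.3-1+deb11u1"}, "urgency": "medium"},
        "sid": {"status": "resolved", "fixed_version": "1.3.1-1",
                "repositories": {"sid": "1.3.1-1"}, "urgency": "medium"}
      }
    }
  }
}
"""

TRACKER = json.loads(SAMPLE_TRACKER_JSON)


def classify(entry):
    """Bucket one per-release entry.

    Assumptions (see lead-in): a fixed_version of "0" is how the tracker records
    <not-affected>, and a "nodsa" key marks an open issue the security team has
    decided not to ship a DSA for (typically low severity)."""
    status = entry.get("status")
    if status == "resolved":
        return "not_affected" if entry.get("fixed_version") == "0" else "fixed"
    if status == "open":
        return "open_nodsa" if "nodsa" in entry else "open"
    return "undetermined"


def tally(tracker, package, release):
    """Count the CVEs tracked for `package` in `release`, by bucket."""
    counts = Counter()
    for _cve, info in tracker.get(package, {}).items():
        entry = info.get("releases", {}).get(release)
        if entry is None:
            continue  # the tracker has no entry for this release at all
        counts[classify(entry)] += 1
    return counts


def fixed_fraction(counts):
    """Share of CVEs that actually applied to the release and have a fix.
    Not-affected entries are left out of the denominator on purpose: counting
    them as unfixed is the mistake behind a raw headcount of a tracker page."""
    applicable = sum(counts[k] for k in ("fixed", "open", "open_nodsa", "undetermined"))
    return counts["fixed"] / applicable if applicable else 0.0


if __name__ == "__main__":
    for rel in ("bullseye", "sid"):
        c = tally(TRACKER, "examplepkg", rel)
        print(rel, dict(c), "fixed fraction: %.2f" % fixed_fraction(c))
```

To run it on the real data, fetch the JSON once (it is large) and call `tally(json.loads(text), "firefox-esr", "bullseye")`; doing the same for "chromium" puts a number behind the "~100 vulnerabilities" remark earlier in the thread. A count is still not a severity: the `urgency` field of each entry is what separates an open remote code execution from an "unimportant" note, so any headline fraction should be read alongside it.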

maxb
Posts: 52
Joined: 2021-10-19 05:26

Re: [SOLVED] Only a tiny fraction of vulnerabilities get fixed in Debian Stable?

#31 Post by maxb »

Hallvor wrote: 2021-11-05 12:51
Some people care about shining light on some facts they are obsessed with more than they care about the social consequences of speaking out. If the security of Linux is as bad as he says, and he speaks about it, do you not think that "certain members" of the community will not react very negatively?
That is certainly a possibility, but where is the pattern?
OK, if you want another example, CynWulf got so triggered by my post here that he literally went on to reply to all my recent LinuxQuestions threads (like a dozen of them), trying to harass me, accusing me of being an ignorant troll, etc. (Thanks for bumping my threads, BTW, CynWulf). And I'm just a messenger. I imagine Micay was attacked by "community members" far more for questioning the dogma that Debian provides (timely) security fixes to its software.

sunrat
Administrator
Posts: 6591
Joined: 2006-08-29 09:12
Location: Melbourne, Australia

Re: [SOLVED] Only a tiny fraction of vulnerabilities get fixed in Debian Stable?

#32 Post by sunrat »

Topic locked due to getting too silly.
“ computer users can be divided into 2 categories:
Those who have lost data
...and those who have not lost data YET ”
Remember to BACKUP!
