[SOLVED] Only a tiny fraction of vulnerabilities get fixed in Debian Stable?
- Hallvor
- Global Moderator
- Posts: 2046
- Joined: 2009-04-16 18:35
- Location: Kristiansand, Norway
- Has thanked: 152 times
- Been thanked: 213 times
Re: [SOLVED] Only a tiny fraction of vulnerabilities get fixed in Debian Stable?
> I agree, but he's not a random kook.
I have not called him a random kook, either.
> Have you built anything that has a Wikipedia page?
I don’t see how this is relevant, but my parents did.
> Are you ranting on something that's in your area of expertise? If so, I'll pay attention even if you don't back up your claims.
Ranting is not my cup of tea, so you don’t have to worry about that. I am a historian, and valuing sources is my bread and butter. And let me tell you: this source has little value. Are you paying attention already?
If it was a peer-reviewed article with solid sources, his credibility would be through the roof. But no, he prefers to rant on Reddit with a horribly lopsided post with no sources and no objectivity. This is not to say that even a rant like this is worthless as a source, because, as a security professional, he has a certain ethos. However his claims would have to be checked one by one against other sources. I have tried to make you do that from the start, but you are seemingly unable or unwilling to do so. This leaves us with a single source of little value.
> Some people care about shining light on some facts they are obsessed with more than they care about the social consequences of speaking out. If the security of Linux is as bad as he says, and he speaks about it, do you not think that "certain members" of the community will not react very negatively?
That is certainly a possibility, but where is the pattern? I am guessing he’s not the first person in history to speak out about security concerns in Debian. Have the others before him received poor treatment? If so, he is probably right. If not, the answer is probably to be found elsewhere.
About Chromium: I agree. I wouldn’t use it.
About Firefox: Your source is an anonymous blog run by someone who begs for cryptocurrency. He may still have a point, though, but it needs further investigation.
No, you haven’t solved anything because there is no connection between the question at hand and your conclusion. You ask one question, answer with something unrelated and mark the thread as solved.
The original question still stands: «Look at something like Debian where [...] only a tiny subset of security fixes receiving CVEs are backported [...].»
Where are the overall numbers? Until you bring them, your posts qualify as FUD.
> While I'll continue to use Debian (no better alternative AFAICT)
Do you want to run a system where only a tiny subset of security fixes receiving CVEs are backported? Of course not. Let me tell you, Ubuntu is great. They take security seriously and have the friendliest community. You won’t regret it.
https://ubuntu.com/
[HowTo] Install and configure Debian bookworm
Debian 12 | KDE Plasma | ThinkPad T440s | 4 × Intel® Core™ i7-4600U CPU @ 2.10GHz | 12 GiB RAM | Mesa Intel® HD Graphics 4400 | 1 TB SSD
- ticojohn
- Posts: 1284
- Joined: 2009-08-29 18:10
- Location: Costa Rica
- Has thanked: 21 times
- Been thanked: 44 times
Re: [SOLVED] Only a tiny fraction of vulnerabilities get fixed in Debian Stable?
I know this post has been marked as SOLVED but I would like to make a comment about Firefox-ESR security issues. I regularly read and follow the security updates to Firefox and Firefox-ESR. While it is true that Firefox has a higher major release version, Firefox-ESR receives all of the security updates that are implemented in Firefox. Yes, Firefox incorporates new features that may not be made available in Firefox-ESR and these new features sometimes warrant an update to the major version number, but those features rarely involve security updates. If one takes the time to look at the Help > About Firefox link when there are updates then one would see the validity of my statement.
As to Chromium, I have no idea. I don't, and won't, use it. But I would suspect that Chromium gets pretty much the same security updates as does Chrome.
I am not irrational, I'm just quantum probabilistic.
Re: [SOLVED] Only a tiny fraction of vulnerabilities get fixed in Debian Stable?
https://tracker.debian.org/pkg/firefox-esr
> Migration status for firefox-esr (78.14.0esr-1 to 91.3.0esr-1): BLOCKED
https://bugs.debian.org/998679
> EGL requires at least mesa version 21.x.
> Debian stable (bullseye) ships with mesa version 20.3.5
- ticojohn
- Posts: 1284
- Joined: 2009-08-29 18:10
- Location: Costa Rica
- Has thanked: 21 times
- Been thanked: 44 times
Re: [SOLVED] Only a tiny fraction of vulnerabilities get fixed in Debian Stable?
cynwulf wrote: ↑2021-11-08 11:20
> https://tracker.debian.org/pkg/firefox-esr
> Migration status for firefox-esr (78.14.0esr-1 to 91.3.0esr-1): BLOCKED
And yet 78.15.0esr is the version available in Bullseye. If you look at the News that appears after the testing migrations, you will see that several updates have been added to Stable and Unstable. But that's how I see it.
I am not irrational, I'm just quantum probabilistic.
Re: [SOLVED] Only a tiny fraction of vulnerabilities get fixed in Debian Stable?
Hello, I was looking at the vulnerabilities not fixed in firefox-esr. It may be scary for a lot of people, but they are all issues that really don't affect security. Take a look at this one, for example:
https://www.mozilla.org/en-US/security/ ... 2021-38509
"Note: This issue only affected Mac OS operating systems. Other operating systems are unaffected."
Maybe Debian is attacked every now and then because of its great security team, which finds a lot of security vulnerabilities, while on other OSes they don't even find them. But once found, they must judge whether it's really going to affect Debian or not.
- canci
- Global Moderator
- Posts: 2502
- Joined: 2006-09-24 11:28
- Has thanked: 136 times
- Been thanked: 137 times
Re: [SOLVED] Only a tiny fraction of vulnerabilities get fixed in Debian Stable?
So, this entire discussion actually revolves around the sparse knowledge of hobbyists being propagated by the power of short-attention-span news and clickbait commercial platforms.
I wager that none of the opposing voices is really interested in the fact that Debian backports security fixes to older versions of packages, that not all security fixes are relevant to a specific version, etc. It's information which requires reading media longer than 150 characters and with sentences that don't start in attention grabbing hyperbole.
Stable / Asus VivoBook X421DA / AMD Ryzen 7 3700U / Radeon Vega Mobile Gfx (Picasso) / 8 GB RAM / 512GB NVMe
READ THIS:
* How to Post a Thread Here
* Other Tips and Great Resources
- sunrat
- Administrator
- Posts: 6591
- Joined: 2006-08-29 09:12
- Location: Melbourne, Australia
- Has thanked: 119 times
- Been thanked: 502 times
Re: [SOLVED] Only a tiny fraction of vulnerabilities get fixed in Debian Stable?
That's how the world rolls now. Clicks are more important than facts.
https://techcrunch.com/2021/11/08/faceb ... arliament/
Quotes from a current campaign on Avaaz:
> A brave whistleblower just leaked secret Facebook documents... and they're shocking!
> They show that Facebook knew. They knew that human traffickers used Facebook to lure women into sexual slavery. They knew that it was being used to incite violence against minorities. And they knew their systems remove less than 1% of violent content!
> Facebook knew all this, but still chose their profits over our safety.
> And with no effective laws to hold Facebook accountable, dangerous actors will continue to spew lies, misinformation and climate denialism to millions, everywhere.
> ...
> We've seen, time and again, the devastating consequences social media can have. In Myanmar, the military used Facebook as a tool for ethnic cleansing, spreading hatred that fuelled a bloodbath. In Palestine and Israel, viral lies are further inflaming the conflict. And just when we least need it, active climate denialism online is already trying to overshadow the climate emergency negotiations in Glasgow.
Then again, Abraham Lincoln said you can't believe anything on the internet.
“ computer users can be divided into 2 categories:
Those who have lost data
...and those who have not lost data YET ” Remember to BACKUP!
Re: [SOLVED] Only a tiny fraction of vulnerabilities get fixed in Debian Stable?
canci wrote: ↑2021-11-09 09:58
> I wager that none of the opposing voices is really interested in the fact that Debian backports security fixes to older versions of packages, that not all security fixes are relevant to a specific version, etc. It's information which requires reading media longer than 150 characters and with sentences that don't start in attention grabbing hyperbole.
You sir, win the thread...
Now, now, don't let facts get in the way of a good old-fashioned troll thread...
Re: [SOLVED] Only a tiny fraction of vulnerabilities get fixed in Debian Stable?
maxb wrote: ↑2021-10-27 02:48
> The lead dev of GrapheneOS (praised by Snowden and Dorsey) had some harsh things to say about the security of Linux and Debian in particular:
> https://old.reddit.com/r/GrapheneOS/com ... d/ekzo6c0/
> > When people tell you that Debian is secure, it's like someone trying to claim that Windows XP with partial security updates (via their extended support) would be secure. It's just not based in any kind of reality with any actual reasoning / thought behind it.
> Fair criticism, would you say?
I would say yes, but (as Daniel Micay mentioned) this can apply to any operating system, not just Debian.
It is a fraction, yes, but whether or not it is a tiny fraction is up for debate. Not everything gets fixed.
There is a section in the stable release notes for bullseye about limited security support for some packages, including web browsers:
https://www.debian.org/releases/stable/ ... ty-support
> Debian 11 includes several browser engines which are affected by a steady stream of security vulnerabilities. The high rate of vulnerabilities and partial lack of upstream support in the form of long term branches make it very difficult to support these browsers and engines with backported security fixes.
maxb wrote: ↑2021-10-27 02:48
> Edit:
> I cross-posted this in LQ forums also, where someone pointed me to Debian's security tracker for Chromium, which as of this writing looks pretty bad (looks like ~100 vulnerabilities in Stable): https://security-tracker.debian.org/tra ... e/chromium
Oh yes, there has been some discussion recently regarding that: https://lists.debian.org/debian-release ... 00066.html
The security team may drop security support for chromium in buster and bullseye.
There is no announcement on a decision yet, but there have been discussions about how much work is involved in trying to keep chromium up-to-date and how difficult it has been to do so.
So, yes, Micay does provide some fair criticism but it isn't exclusive to Debian. Not everything gets fixed. Whether or not it is a tiny fraction, I can't say. Debian may or may not have chromium in the next stable release.
I have been following security-tracker.debian.org more often this year, especially after reading this blog post earlier this year, "The curious case of CVE-2020-14381": https://blog.frizn.fr/linux-kernel/cve-2020-14381. It may be of interest.
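Both Hallvor's "Where are the overall numbers?" earlier in the thread and the "~100 vulnerabilities in Stable" count in the post above come from looking at the security tracker by eye. The script below is an added example, not part of any post here and not a Debian tool; it reads data in the shape of the tracker's JSON export (https://security-tracker.debian.org/tracker/data/json: package, CVE, per-suite status, urgency, fixed_version, repositories, optional nodsa note) and splits each package's CVEs into fixed, open, open-but-unimportant and not-affected, so a raw "N vulnerabilities" figure can be read against the triage that produced it. Two things are assumptions, not facts from the thread: the export's field names are given from memory of the tracker format and should be checked against a live download, and "<not-affected>" entries are treated as status "resolved" with fixed_version "0". Every CVE number, version string and description in the sample is made up.

```python
"""Count fixed vs. open CVEs per package for one Debian suite.

Added example, not from the thread and not a Debian tool. It consumes data
shaped like the security tracker's JSON export
(https://security-tracker.debian.org/tracker/data/json):
  {package: {CVE: {"description", "scope",
                   "releases": {suite: {"status", "urgency", "fixed_version",
                                        "repositories", optional "nodsa"}}}}}
The field names are an assumption about the export; verify against live data.
SAMPLE_TRACKER_JSON below is CONSTRUCTED: made-up CVE ids, versions and text.
"""
import json

SAMPLE_TRACKER_JSON = """
{
  "firefox-esr": {
    "CVE-2021-99901": {"description": "constructed: use-after-free in the JIT", "scope": "remote",
      "releases": {"bullseye": {"status": "resolved", "urgency": "high",
                                "fixed_version": "78.15.0esr-1~deb11u1",
                                "repositories": {"bullseye": "78.15.0esr-1~deb11u1"}}}},
    "CVE-2021-99902": {"description": "constructed: only affects macOS builds", "scope": "local",
      "releases": {"bullseye": {"status": "resolved", "urgency": "unimportant",
                                "fixed_version": "0",
                                "repositories": {"bullseye": "78.15.0esr-1~deb11u1"}}}},
    "CVE-2021-99903": {"description": "constructed: not yet backported", "scope": "remote",
      "releases": {"bullseye": {"status": "open", "urgency": "medium",
                                "repositories": {"bullseye": "78.15.0esr-1~deb11u1"}}}}
  },
  "chromium": {
    "CVE-2021-99904": {"description": "constructed: heap overflow", "scope": "remote",
      "releases": {"bullseye": {"status": "open", "urgency": "high",
                                "repositories": {"bullseye": "90.0.4430.212-1"}}}},
    "CVE-2021-99905": {"description": "constructed: minor issue, no DSA planned", "scope": "local",
      "releases": {"bullseye": {"status": "open", "urgency": "unimportant", "nodsa": "Minor issue",
                                "repositories": {"bullseye": "90.0.4430.212-1"}}}},
    "CVE-2021-99906": {"description": "constructed: fixed in a point release", "scope": "remote",
      "releases": {"bullseye": {"status": "resolved", "urgency": "high",
                                "fixed_version": "90.0.4430.212-1",
                                "repositories": {"bullseye": "90.0.4430.212-1"}}}},
    "CVE-2021-99907": {"description": "constructed: only tracked for sid", "scope": "remote",
      "releases": {"sid": {"status": "open", "urgency": "medium",
                           "repositories": {"sid": "95.0.4638.69-1"}}}}
  }
}
"""


def load_sample():
    """Parse the constructed sample; for live data use json.load() on the downloaded export."""
    return json.loads(SAMPLE_TRACKER_JSON)


def classify(release_entry):
    """Map one per-suite entry to a bucket.

    Assumption (verify against the live export): "<not-affected>" entries are
    exported as status "resolved" with fixed_version "0".
    """
    status = release_entry.get("status")
    if status == "resolved":
        return "not-affected" if release_entry.get("fixed_version") == "0" else "fixed"
    if status == "open":
        return "open-unimportant" if release_entry.get("urgency") == "unimportant" else "open"
    return "undetermined"


def summarise(tracker, suite):
    """Return {package: {bucket: count}} for CVEs that have an entry for `suite`."""
    summary = {}
    for package, cves in tracker.items():
        buckets = {}
        for entry in cves.values():
            release = entry.get("releases", {}).get(suite)
            if release is None:
                continue  # CVE not tracked for this suite (e.g. sid only)
            bucket = classify(release)
            buckets[bucket] = buckets.get(bucket, 0) + 1
        summary[package] = buckets
    return summary


def fixed_fraction(buckets):
    """Share of CVEs that actually affected the suite and now carry a fixed version.

    not-affected entries are excluded from the denominator: a macOS-only bug
    listed against the package is not an unfixed Debian vulnerability.
    """
    relevant = sum(buckets.get(k, 0) for k in ("fixed", "open", "open-unimportant", "undetermined"))
    return buckets.get("fixed", 0) / relevant if relevant else None


def open_issues(tracker, suite):
    """Sorted (package, CVE, urgency, nodsa note) rows for everything still open in `suite`."""
    rows = []
    for package, cves in tracker.items():
        for cve_id, entry in cves.items():
            release = entry.get("releases", {}).get(suite)
            if release and release.get("status") == "open":
                rows.append((package, cve_id, release.get("urgency", "?"), release.get("nodsa", "")))
    return sorted(rows)


if __name__ == "__main__":
    data = load_sample()
    for package, buckets in summarise(data, "bullseye").items():
        print(f"{package:12s} {buckets}  fixed fraction: {fixed_fraction(buckets):.2f}")
    for row in open_issues(data, "bullseye"):
        print("open:", *row)
```

Against the live export (download it once, then `json.load` it in place of `load_sample()`), the interesting output is not the fraction alone but the split: how much of the "open" column is urgency "unimportant" or carries a nodsa note, and how many entries the tracker itself marks not-affected. That is the number the thread was missing, and it is also where the caveat sits: "open" in the tracker means "no fixed version recorded for this suite", which covers both real gaps and issues the security team has decided not to issue a DSA for.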
Re: [SOLVED] Only a tiny fraction of vulnerabilities get fixed in Debian Stable?
Hallvor wrote: ↑2021-11-05 12:51
> > Some people care about shining light on some facts they are obsessed with more than they care about the social consequences of speaking out. If the security of Linux is as bad as he says, and he speaks about it, do you not think that "certain members" of the community will not react very negatively?
> That is certainly a possibility, but where is the pattern?
OK, if you want another example, CynWulf got so triggered by my post here that he literally went on to reply to all my recent LinuxQuestions threads (like a dozen of them), trying to harass me, accusing me of being an ignorant troll, etc. (Thanks for bumping my threads, BTW, CynWulf.) And I'm just a messenger. I imagine Micay was attacked by "community members" far more for questioning the dogma that Debian provides (timely) security fixes to its software.
- sunrat
- Administrator
- Posts: 6591
- Joined: 2006-08-29 09:12
- Location: Melbourne, Australia
- Has thanked: 119 times
- Been thanked: 502 times
Re: [SOLVED] Only a tiny fraction of vulnerabilities get fixed in Debian Stable?
Topic locked due to getting too silly.
“ computer users can be divided into 2 categories:
Those who have lost data
...and those who have not lost data YET ” Remember to BACKUP!