Debian "Testing" Security


Date: Thu, 26 Sep 2002 13:53:30 -0700
From: Rick Moen (rick@linuxmafia.com)
To: ilug@linux.ie
Subject: Debian "testing's" security updates, revisited
User-Agent: Mutt/1.4i

Quoting Gavin's mail with permission.

----- Forwarded message from Rick Moen (rick@linuxmafia.com) -----

Date: Thu, 26 Sep 2002 11:53:59 -0700
From: Rick Moen (rick@linuxmafia.com)
To: Gavin McCullagh (gavin@fiachra.ucd.ie)
Subject: Re: your mail

Quoting Gavin McCullagh (gavin@fiachra.ucd.ie):

> just a question I didn't particularly want to bother ILUG with.
> Recently there was a conversation where someone said that security updates
> were unavailable for debian's testing distro (or at least perhaps that they
> were unreliable in their speed of availability).
>
> You countered (if I recall correctly) that this had previously been
> the case but was no longer so. I can't recall whether sarge or woody was
> in testing at the time. I was reading something (which I wish I'd
> noted the url of) on the debian site yesterday which said something along
> the lines of that it could be up to a fortnight before sarge's security
> updates would come available and as such not to run it as a server.
>
> Nearly all of our machines here in the university are running
> regularly patched Woody so I'm not overly worried about them. However my
> own desktop is running Sarge (I didn't like the way so many things were
> unavailable in binary for potato while it was stable and vowed to use
> testing for myself thenceforth).
>
> Anyway, can you shed light on whether given that I have this line
> in my apt sources
>
> deb http://security.debian.org/ testing/updates main contrib non-free
>
> I can actually rely on my system being pretty secure.

Hullo, Gavin:

That's a very, very good question.

I know I said that about "deb http://security.debian.org/ testing/updates main contrib non-free" on the ILUG list, and at the time I believed that to be sufficient access to security updates, but recently I've become unsure.

The Debian Security Team, at http://www.debian.org/security/faq#testing, says:

Q: How is security handled for testing and unstable?

A: The short answer is: it's not. Testing and unstable are rapidly moving targets and the security team does not have the resources needed to properly support those. If you want to have a secure (and stable) server you are strongly encouraged to stay with stable. However, the security secretaries will try to fix problems in testing and unstable after they are fixed in the stable release.

Of course, that information might be obsolete. The existence of the security collection for testing, referenced above, argues that it's obsolete. I'm honestly not sure what to make of all this. To make very sure, I personally subscribe to DSAs (Debian Security Advisories) and try to follow up manually on ones that may affect me.

One silver lining for this cloud: It used to be that packages routinely took a fortnight to clear package quarantining from unstable into testing. But the automated quarantine heuristics have changed: They're no longer quite so simple a rule, but they also typically involve a much shorter time period (usually 1-2 days).

Of course, there is no guarantee that a package maintainer will perform a timely security patch and include it in new uploads to unstable. In theory, the Security Team's packages are your safety net, in case such a maintainer doesn't do that task. That is part of the reason why I both add that testing-security line to sources.list and attentively read the DSAs (Debian Security Advisories).

Sorry I can't give you a more-definitive answer. I happen to subscribe to the debian-security mailing list (as well), so I really ought to post there, asking for clarification.

Debian developer Joey Hess maintains a page of thus-far-unfixed security bugs that people on the testing branch need to worry about: http://merkel.debian.org/~joeyh/testing-security.html

I also really ought to post this back to ILUG, if only as a qualifier to the earlier statement I made, there. Since I've quoted your private mail in this reply, I'll do so only if you say you don't mind.

----- End forwarded message -----



I followed up by posting this query to the debian-security mailing list, but received no reply, so the FAQ entry (http://www.debian.org/security/faq#testing) quoted above still seems the most definitive answer.



From rick Tue Oct 15 08:06:28 2002
Date: Tue, 15 Oct 2002 08:06:28 -0700
To: debian-security@lists.debian.org
Subject: Re: Vulnerabilities found by Nessus

Quoting Yven Leist (leist@beldesign.de):

> PS: I hope you are aware of the fact that testing is security-wise
> really the worst distribution to run, much worse than unstable!

This is what I've always understood to be the case: Package quarantining means you don't get new software immediately upon inclusion in unstable, and the Debian Security Team doesn't have DSAs and patched releases for it. So we've always been told.

I'm curious, though, what this is?
deb http://security.debian.org testing/updates main contrib non-free

In other words, although there aren't DSAs for its contents, the security.debian.org host does include a branch for "testing", and that branch does furnish packages on occasion. What's the deal?


Date: Tue, 22 Oct 2002 17:56:36 +0200
From: "J.H.M. Dassen (Ray)" (dm@zensunni.demon.nl)
To: Debian Security (debian-security@lists.debian.org)
Subject: Re: Apache Security Release
User-Agent: Mutt/1.4i

On Tue, Oct 22, 2002 at 11:16:23 -0400, Phillip Hofmeister wrote:
> It seems to me that many recent updates have included packages for
> potato, woody, and sig (sarge?).

AFAIK it's more "a few" than it is "many".

> Is this trend going to continue?

Don't count on it.

> I thought sid/sarge was unsupported...

They are. Quoting DSA177-1 (PAM): "As stated in the Debian security team FAQ [http://www.debian.org/security/faq], testing and unstable are rapidly moving targets and the security team does not have the resources needed to properly support those. This security advisory is an exception to that rule, due to the seriousness of the problem."

HTH,
Ray



From: Stephen Gran (steve@lobefin.net)
To: debian security (debian-security@lists.debian.org)
Date: Fri, 22 Nov 2002 01:10:04 -0500
Subject: Re: security updates for testing?

This one time, at band camp, martin f krafft said:

> Help me clear up a confusion: Does a line
>
> deb http://security.debian.org testing/updates main non-free contrib
>
> in /etc/apt/sources.list provide security updates to testing, or is
> that simply carried over from when woody was frozen?
>
> In short: does Debian support security updates for testing?

In short, no. Occasionally, though, the security team will quickly move a fix in for testing if it's something particularly horrendous, and they have the resources to do it. That's why the repository is there, but I wouldn't count on it for security.



From rick Thu Jan 9 16:56:10 2003
Date: Thu, 9 Jan 2003 16:56:10 -0800
To: ilug@linux.ie
Subject: Re: Debian Sarge was Re: [ILUG] email server

Quoting Gavin McCullagh (ilug_gmc@fiachra.ucd.ie):

> One thing worth noting about Sarge (testing) as opposed to Woody
> (stable) and Sid (unstable) is it is in a sense the least secured
> distro.
>
> By this I mean that when advisories & patches come out for debian,
> they generally happen very quickly for sid (as it's the
> in-development) and woody(as it's important to keep stable secure),
> but happen later for sarge(as far as I can tell, usually when the
> fixed package comes through from sid).
>
> This may or may not be a problem for you. I use Sarge and have
> "pinned" all network services back to Woody to minimize the chance of
> remote exploits.

This is well, judiciously, and concisely stated. I may have to quote you, in the future (assuming you don't mind).

If you subscribe to debian-security@lists.debian.org, and have lines in /etc/apt/sources.list for both "stable" and "testing":

deb http://security.debian.org testing/updates main contrib non-free
deb http://security.debian.org stable/updates main contrib non-free

...then, the consequence is that you'll usually get needed security updates in a fairly timely fashion, and that your safety net is the fact that you're paying attention and making _sure_ you take care of advisories relevant to your system.

You and I discussed the matter on ILUG before, you may recall -- which is part of my archived note on the subject, here: http://linuxmafia.com/faq/Debian/testing-security.html


Date: Fri, 10 Jan 2003 12:40:17 +0000
From: Gavin McCullagh (gavin@fiachra.ucd.ie)
To: Rick Moen (rick@linuxmafia.com)
Subject: [offlist] Re: Debian Sarge was Re: [ILUG] email server

On Thu, 09 Jan 2003, Rick Moen wrote:

> This is well, judiciously, and concisely stated. I may have to quote
> you, in the future (assuming you don't mind).

Not at all, I'm flattered.

> You and I discussed the matter on ILUG before, you may recall -- which
> is part of my archived note on the subject, here:
> http://linuxmafia.com/faq/Debian/testing-security.html

Where do you think I got the info! Loopback quoting!

Gavin



From: "Mark L. Kahnt" (kahnt@hosehead.dyndns.org)
To: List - Debian Security (debian-security@lists.debian.org)
Subject: Re: Sarge freeze and security updates
Organization: ML Kahnt New Markets Consulting
X-Mailer: Ximian Evolution 1.2.2
Date: 23 Feb 2003 01:35:22 -0500

On Sat, 2003-02-22 at 23:46, Hanasaki JiJi wrote:
> Sarge is frozen? and has some security issues because of this?
>
> is this true <ref: perl>?

Sarge is not frozen, but it is not getting updates from Sid because of several packages there which aren't ready to be moved to Sarge, and which most everything else in Sid depends on. Right now, libc6 is not *ready for prime time*, but I hear there are some critical problems in other areas, with possibly perl being one of them (not sure if it is awaiting libc6, or if there has been something in it itself that is a problem.) The result is some 1700 packages ready to move forward except that their current dependencies are not ready. This includes Gnome 2.2 and KDE 3.1, gcc 3.2 (the C++ section is not steady yet, last I heard,) and iirc, the newest edition of X11.

There is a side effect that this means that few of the security fixes are making it through to Sarge, either. There is talk about using the security update system to produce security releases for Sarge, but those responsible for Sid are concerned about package numbering, among other problems, and are reluctant to see that implemented, as this situation is really a rarity (a perfect storm of stalled dependencies in Sid blocking so much concurrently.)


From: Adrian 'Dagurashibanipal' von Bidder (avbidder@fortytwo.ch)
To: List - Debian Security (debian-security@lists.debian.org)
Subject: Re: Sarge freeze and security updates
X-Mailer: Ximian Evolution 1.2.2
Date: 24 Feb 2003 10:13:57 +0100

On Sun, 2003-02-23 at 19:25, Simon Huggins wrote:

> I don't see why people are worried about numbering for security
> patches for testing. Why wouldn't they be done in the same way that
> security patches are done at the moment? i.e 1.2.3-1.sarge.1 as the
> security fix for 1.2.3-1

Simple problem:

foo 1.2-1 is in stable
foo 1.3-1 in testing
foo 1.4-1 is in unstable

Security problem.

foo 1.2-1.woody.1 goes to stable
foo 1.3-1.sarge.1 goes to testing

unstable is not fixed because the security patch for 1.3 does not apply cleanly, and anyway, it is expected that upstream fixes this soon.

Now, foo 1.4-1 moves to testing with the security problem still unfixed. Damn.

In other words: all security problems would have to be closely watched for unstable, too, and this is not really possible. Yes, in many cases it wouldn't happen because the fix goes to both stable and unstable, but the case above will happen, and testing users with security updates would feel a safety that they don't have.

cheers
-- vbi
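The ordering trap Adrian describes can be checked mechanically, because apt always installs the highest version it can see. The following is an added example, not code from the list thread or from dpkg itself: a Python re-implementation of dpkg's version comparison rules (epoch first, then upstream version, then Debian revision; digit runs compared numerically, `~` sorting before everything else, letters before punctuation), applied to the `foo` version strings from the message above. The helper names `highest()` and `migration_outcome()` are mine for this example.

```python
from functools import cmp_to_key


def _order(c: str) -> int:
    # Sort weight of one non-digit character, following dpkg's rules:
    # '~' sorts before anything (even end of string), letters sort before
    # punctuation such as '.' or '+'. The caller uses weight 0 for end of string.
    if c == "~":
        return -1
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_fragment(a: str, b: str) -> int:
    # Compare one upstream-version or revision string the way dpkg does:
    # alternate between a run of non-digits (compared by _order weight) and a
    # run of digits (compared numerically, leading zeros ignored).
    ia = ib = 0
    while ia < len(a) or ib < len(b):
        first_diff = 0
        while (ia < len(a) and not a[ia].isdigit()) or (ib < len(b) and not b[ib].isdigit()):
            ac = _order(a[ia]) if ia < len(a) else 0
            bc = _order(b[ib]) if ib < len(b) else 0
            if ac != bc:
                return ac - bc
            ia += 1
            ib += 1
        while ia < len(a) and a[ia] == "0":
            ia += 1
        while ib < len(b) and b[ib] == "0":
            ib += 1
        while ia < len(a) and a[ia].isdigit() and ib < len(b) and b[ib].isdigit():
            if not first_diff:
                first_diff = ord(a[ia]) - ord(b[ib])
            ia += 1
            ib += 1
        if ia < len(a) and a[ia].isdigit():
            return 1  # a's number has more significant digits, so it is larger
        if ib < len(b) and b[ib].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(v: str) -> tuple[int, str, str]:
    # Split "[epoch:]upstream[-revision]"; the last '-' separates the revision.
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    if "-" in v:
        upstream, _, revision = v.rpartition("-")
    else:
        upstream, revision = v, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as version a is lower than, equal to or higher than b."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return 1 if ea > eb else -1
    r = _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)
    return (r > 0) - (r < 0)


def highest(versions: list[str]) -> str:
    """The version apt would pick from a set of candidates: the highest one."""
    return max(versions, key=cmp_to_key(compare_versions))


def migration_outcome(installed: str, newly_available: list[str]) -> str:
    """Version a testing user ends up with once newly_available packages migrate in."""
    return highest([installed, *newly_available])


if __name__ == "__main__":
    # The scenario from the message above, with its version strings.
    print("stable:  1.2-1 -> 1.2-1.woody.1 is an upgrade:",
          compare_versions("1.2-1.woody.1", "1.2-1") == 1)
    print("testing: 1.3-1 -> 1.3-1.sarge.1 is an upgrade:",
          compare_versions("1.3-1.sarge.1", "1.3-1") == 1)
    # ...but the still-unfixed 1.4-1 sorts higher than the fixed 1.3-1.sarge.1,
    # so when it migrates from unstable, apt upgrades to it and the hole is back.
    print("after migration the testing user gets:",
          migration_outcome("1.3-1.sarge.1", ["1.4-1"]))
```

The `.woody.1` / `.sarge.1` revision suffix is deliberately chosen so that it sorts above the unpatched revision but below the next real upstream version; that is exactly what makes the fix evaporate when an unfixed 1.4-1 migrates, which is why a testing-security line cannot substitute for reading the advisories.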


Date: Wed, 8 Sep 2004 09:06:02 -0700
To: ilug@linux.ie
From: Rick Moen (rick@linuxmafia.com)
Subject: Re: [ILUG] Going to try debian

Quoting Niall Walsh (linux@esatclear.ie):

> I'm fairly certain Debian only releases security advisories for
> packages in stable. If an issue doesn't affect stable, no advisory
> will be released, and the problem will simply be fixed by a
> urgency=high upload to unstable.

This is an excellent point, and points out the biggest drawback of keeping a system on the "testing" branch, even one with easy access to "unstable" packages, whose owner attentively skim-reads all Debian Security Advisories: You might _still_ be unaware of a suddenly urgent need, on account of a security emergency, to do

# apt-get update && apt-get -t unstable install [packagename]

...to plug that package's security hole.

What would really be handy, in fact, would be an automated announce-only "alert" mailing list sending out all changelogs of urgency=high uploads to unstable. Pity it doesn't exist (to my knowledge). I might try to create one.
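The alert list Rick wishes for could be driven from the data every upload already carries: the first line of each Debian changelog entry names the package, version, target distribution and urgency. The following is an added example, not code from the thread or from any Debian tool, that parses those header lines and returns the entries such a list would announce. The changelog text is constructed for this example (package `foo`, its versions, the maintainer address and dates are made up); the urgency level names are the ones Debian policy defines.

```python
import re

# One changelog entry starts with a header line of the form
#   package (version) distribution [distribution ...]; urgency=level
# followed by indented change lines and a " -- maintainer  date" trailer.
HEADER_RE = re.compile(
    r"^(?P<package>[a-z0-9][a-z0-9+.-]+) \((?P<version>[^()\s]+)\) "
    r"(?P<dists>[^;]+); urgency=(?P<urgency>\w+)"
)

# Debian policy defines low, medium, high, emergency and critical;
# the last three are the ones worth an alert.
URGENT = {"high", "emergency", "critical"}

# Constructed sample changelog: package, versions, maintainer and dates are made up.
SAMPLE_CHANGELOG = """\
foo (1.4-2) unstable; urgency=high

  * Reject malformed requests that could crash the daemon (security fix).

 -- Example Maintainer <maintainer@example.org>  Wed,  8 Sep 2004 10:00:00 +0200

foo (1.4-1) unstable; urgency=low

  * New upstream release.

 -- Example Maintainer <maintainer@example.org>  Mon, 30 Aug 2004 18:12:00 +0200

foo (1.3-1.sarge.1) testing-security; urgency=high

  * Backport of the malformed-request fix for testing.

 -- Example Maintainer <maintainer@example.org>  Wed,  8 Sep 2004 11:00:00 +0200
"""


def parse_changelog(text: str) -> list[dict]:
    """Return one dict per entry header: package, version, dists (list), urgency."""
    entries = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            entries.append({
                "package": m["package"],
                "version": m["version"],
                "dists": m["dists"].split(),
                "urgency": m["urgency"].lower(),
            })
    return entries


def urgent_uploads(text: str, distribution: str = "unstable") -> list[dict]:
    """Entries an announce-only alert list would send: urgent and aimed at `distribution`."""
    return [
        e for e in parse_changelog(text)
        if e["urgency"] in URGENT and distribution in e["dists"]
    ]


def alert_lines(text: str, distribution: str = "unstable") -> list[str]:
    """Human-readable alert lines, one per urgent upload."""
    return [
        f"{e['package']} {e['version']} ({' '.join(e['dists'])}, urgency={e['urgency']})"
        for e in urgent_uploads(text, distribution)
    ]


if __name__ == "__main__":
    for line in alert_lines(SAMPLE_CHANGELOG):
        print("ALERT:", line)
```

Only the header line is parsed; the change text and trailer are ignored, so the filter keys purely on what the uploader declared. An urgency=high upload to unstable with no accompanying DSA is exactly the case a testing user would otherwise miss.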