[conspire] Re: [vox] Password NOT stolen at linuxworld
rick at linuxmafia.com
Mon Aug 11 15:51:56 PDT 2003
[Ryan posted this to LUGOD's vox mailing list. I'll be sending him
a copy of this post. It turns out that the earlier surmise about
where the break-in originated was premature, but entirely new questions
have been raised, about Debian's "testing" branch (currently "sarge"):]
Quoting Ryan Castellucci (ryan+lugod at cal.net):
> On Mon, Aug 11, 2003 at 02:16:15PM -0700, Dmitriy wrote:
> > On Mon, Aug 11, 2003 at 01:42:08PM -0700, Ryan Castellucci wrote:
> > > OK, guys, here's the scoop... Somebody 0wned my system at
> > > work, running debian testing. Installed this lovely password
> > Testing is inherently insecure. _Don't_ run testing on any
> > publically accessible computers. It doesn't get security updates.
> > If you are lucky you will get one after a week. If you are not, the
> > update can range anywhere from two weeks (all conditions for going
> > into testing are satisiied and update is uploaded with normal
> > urgency) to months (like waiting for new glibc to go into testing).
> > So, I'd say you were asking to be 0wned.
> I claim IGNORANCE!!!!
> I was not aware of this, I sure wish someone had told me. I needed
> newer versions of several packages that were not available in stable.
> Would I be better off running sid in the future?
Ryan, I have this topic covered at
The Debian-testing algortithm for auto-populating "testing" from
packages in "unstable" is described in the Debian Testing FAQ,
which I have mirrored at http://linuxmafia.com/debian/testingfaq.html ,
and will clarify why _automatic_ security updates cannot fully cover
"testing". Please note emphasis: It's actually dead-simple to keep
that branch secure. You just don't get the packages auto-delivered.
Essentially, if you run "testing", you should subscribe to the
low-traffic (announce-only) debian-security-announce mailing list,
browse the alerts as they come in, and semi-manually retrieve and apply
any updates relevant to your system, as you hear about them. You
can make that easy by using "pinning" to make packages from unstable=sid
accessible via apt-get (as described in
http://linuxmafia.com/debian/tips), such that you can type (e.g.)
"apt-get -b unstable install libc6", without otherwise leaving the
Glancing through the security advisories and doing an occasional
specific apt-get of the above sort suffices to fix the perceived
security pitfall: If people weren't so spoiled by Debian Policy and the
apt tool suite, it wouldn't even be perceived as a problem, I think.
Heavens knows, it's easier to keep my testing-branch servers secure
than they were when they ran other distributions, previously.
Running testing isn't "asking to be owned". By contrast, running
testing _plus_ failing to read debian-security-announce _is_ that,
Just some perspective for you -- which Dmitriy's post did not provide,
albeit furnishing quite correct information as far as it went.
Cheers, First they came for the verbs, and I said nothing, for
Rick Moen verbing weirds language. Then, they arrival for the nouns
rick at linuxmafia.com and I speech nothing, for I no verbs. - Peter Ellis
More information about the conspire