Re: secure installation

From: Johannes Wiedersich <johannes(at)physik.blm.tu-muenchen.de>
Date: Tue Aug 21 2007 - 03:00:47 EDT


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Javier Fernández-Sanguino Peña wrote:
> On Fri, Aug 17, 2007 at 10:01:54AM +0200, Johannes Wiedersich wrote:

>> PS 2: While we are at it: Debian by default also does not install or
>> enable an automated system to install security updates. It is the
>> responsibility of the user to decide whether and when security updates
>> are installed.

>
> Not exactly true. If you are installing a Debian system with a network
> connection the installation system will add security.debian.org automatically
> to your sources lists and update the packages you were going to install from
> CD/DVD from that source. Automatically, unless the user goes into a
> 'power-user' configuration or the system is not connected to the network.

Not exactly true. Debian adds security repositories to apt's sources, that's true. But it does _not_ automatically install them on your system. It was my point that Debian does not by default provide an automated system to _install_ security updates.

> Also, a Debian etch install of the Desktop environment (or just the GNOME
> environment) brings you 'update-manager' which *is* a system to install
> security updates if the box has been configured with a proper security source
> (which happens out of the box for most network-connected installations).
> In this case security updates are not, however, forced on you. You just get a
> gentle reminder that they are available.

So even automatic _reminders_ to install security updates are only enabled if the user either installs GNOME (I use KDE) or specifically knows of and installs the appropriate tool. I have not tried exhaustively, but update-manager does not appear to work 'automatically' with KDE, at least not for myself. It only works if I start it manually, and that's even less convenient than a simple 'aptitude update; aptitude upgrade'.

Note that I am not saying that I miss this 'automatic security'. Conversely, my point was that the user should be educated to know and care about security and should not be educated to trust any 'automatic security'.

Johannes

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGyo2fC1NzPRl9qEURAkqFAJ45dIcd+u5NpkzG6fGj+OCDAVlXmACfUGtK WZahMAPAIIUWLWW8Ch4GfYU=
=L8Qx
-----END PGP SIGNATURE-----

-- 
To UNSUBSCRIBE, email to debian-security-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Received on Tue Aug 21 03:02:01 2007

This archive was generated by hypermail 2.1.8 : Sun Oct 07 2007 - 07:52:52 EDT