Pantek Library

Re: secure installation

From: Javier Fernández-Sanguino Peña <jfs(at)computer.org>
Date: Tue Aug 21 2007 - 09:59:55 EDT


On Tue, Aug 21, 2007 at 09:00:47AM +0200, Johannes Wiedersich wrote:
> Not exactly true. Debian adds security repositories to apt's sources,
> that's true. But it does _not_ automatically install them on your
> system. It was my point that debian does not by default provide an
> automated system to _install_ security updates.

Yes, a Debian default install *does* install security updates.

Please read "Selecting and Installing Software" http://d-i.alioth.debian.org/manual/en.i386/ch06s03.html#di-system-setup This step takes place after apt is configured to add external sources and, as the manual says, "Even when packages are included on the CD-ROM, the installer may still retrieve them from the mirror if the version available on the mirror is more recent than the one included on the CD-ROM."

This is not even specific to etch; it has been true for some releases already.

> So even automatic _reminders_ to install security updates are only
> enabled, if the user either installs gnome (I use kde) or specifically
> knows of and installs the appropriate tool. I have not tried
> exhaustively, but update-manager does not appear to work 'automatically'
> with kde, at least not for myself. It only works, if I start it manually
> and that's even less convenient than a simple 'aptitude update; aptitude
> upgrade'.

GNOME is the *standard* desktop environment in Debian. A default Debian installation installs both KDE and GNOME, but gdm is the default window manager and when users log in they get into a GNOME Desktop by default. So your "if the user either installs gnome..." conditional is moot.

> Note that I am not saying that I miss this 'automatic security'.
> Conversely, my point was that the user should be educated to know and
> care about security and should not be educated to trust any 'automatic
> security'.

Educating users also involves raising awareness that they *have* to keep their system up-to-date with security patches to prevent both local and remote exploits. The fact that KDE (or Xfce) does not have an equivalent to the update-manager is, IMHO, worrisome, as users of that Desktop environment might not be as aware of this need as users of GNOME.

Update-manager does a good job of highlighting security updates and explaining why they are needed, even if it does not force users to install them.

Regards

Javier

Received on Tue Aug 21 10:00:49 2007

This archive was generated by hypermail 2.1.8 : Sun Oct 07 2007 - 07:52:52 EDT

