Hosting Provided By

Re: secure installation

From: Johannes Wiedersich <johannes(at)physik.blm.tu-muenchen.de>
Date: Tue Aug 21 2007 - 11:13:43 EDT

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Javier Fernández-Sanguino Peña wrote:
> On Tue, Aug 21, 2007 at 09:00:47AM +0200, Johannes Wiedersich wrote:

>> Not exactly true. Debian adds security repositories to apt's sources,
>> that's true. But it does _not_ automatically install them on your
>> system. It was my point that debian does not by default provide an
>> automated system to _install_ security updates.

>
> Yes, a Debian default install *does* install security updates.

Only at the installation. It does *not* automatically install security updates on a regular basis, and that was my point. Read my mail again.

>> So even automatic _reminders_ to install security updates are only
>> enabled, if the user either installs gnome (I use kde) or specifically
>> knows of and installs the appropriate tool. I have not tried
>> exhaustively, but update-manager does not appear to work 'automatically'
>> with kde, at least not for myself. It only works, if I start it manually
>> and that's even less convenient than a simple 'aptitude update; aptitude
>> upgrade'.

>
> GNOME is the *standard* desktop environment in Debian. A default Debian
> installations installs both KDE and GNOME but gdm is the default window
> manager and when users login they get into a GNOME Desktop by default. So
> your "if the user either installs gnome..." conditional is moot.

User's choices are different. There is an official installation CD that installs kde without gnome. A *standard* installation installs neither gnome nor kde, though the desktop task may install both (haven't checked in a while).

>> Note that I am not saying that I miss this 'automatic security'.
>> Conversely, my point was that the user should be educated to know and
>> care about security and should not be educated to trust any 'automatic
>> security'.

>
> Educating users also involves raising awareness that they *have* to keep
> their system up-to-date with security patches both to prevent local and
> remote exploits. The fact that KDE (or Xfce) does not have an equivalent to
> the update-manager is IMHO, worrisome, as users of that Desktop environment
> might not be as aware of this need as users of GNOME.

I agree with the first half of that statement, but I fail to grasp why kde users (including, say Linus T.) should be less aware of security than gnome users. Are you just trying to start a flame?

Maybe the lack of an update-manager for kde just reflects the fact that kde users are more security aware and don't need as much automatic nagging. (I am not claiming that this is the case, I am just claiming that it is just as legitimate to claim the opposite of what you have been claiming. )

> Update-manager makes a good job at highlighting security updates and
> explaining why are they needed. Even if it does not force users to install
> them.

Agreed.

Do you need help?

Johannes
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGywEnC1NzPRl9qEURAsQyAJ40DUCVW6tz1d4ujb0kh5S/hRqo8gCfRBQB MFclivScgKI6fKG+bFb7Aq8=
=oXmV
-----END PGP SIGNATURE-----

-- 
To UNSUBSCRIBE, email to debian-security-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Received on Tue Aug 21 11:14:26 2007

This message: [ Message body ]
Next message: Rene Mayrhofer: "Re: Secure Installation"
Previous message: Javier Fernández-Sanguino Peña: "Re: Secure Installation"
In reply to: Javier Fernández-Sanguino Peña: "Re: secure installation"
Next in thread: Javier Fernández-Sanguino Peña: "Re: secure installation"
Reply: Javier Fernández-Sanguino Peña: "Re: secure installation"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Sun Oct 07 2007 - 07:52:53 EDT