mirror of
https://github.com/PrivSec-dev/privsec.dev
synced 2024-12-21 20:31:33 -05:00
More Debian greatness
Signed-off-by: Tommy <contact@tommytran.io>
This commit is contained in:
parent
ea078b335b
commit
3a76a77c6b
@ -12,6 +12,10 @@ You should choose a distribution which stays close to the stable upstream softwa
|
||||
|
||||
For frozen distributions, package maintainers are expected to backport patches to fix vulnerabilities (Debian is one such [example](https://www.debian.org/security/faq#handling)) rather than bump the software to the “next version” released by the upstream developer. Some security fixes [do not](https://arxiv.org/abs/2105.14565) receive a [CVE](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures) (particularly less popular software) at all and therefore do not make it into the distribution with this patching model. As a result minor security fixes are sometimes held back until the next major release.
|
||||
|
||||
In fact, in certain cases, there have been vulnerabilities introduced by Debian because of their patching process. [Bug 1633467](https://bugzilla.mozilla.org/show_bug.cgi?id=1633467) and [Bug 1679430](https://bugzilla.mozilla.org/show_bug.cgi?id=1679430) are examples of this.
|
||||
|
||||
![Upstream - Distros Gap](/upstream-distros-gap.png)
|
||||
|
||||
Holding packages back and applying interim patches is generally not a good idea, as it diverges from the way the developer might have intended the software to work. [Richard Brown](https://rootco.de/aboutme/) has a presentation about this:
|
||||
|
||||
{{< youtube id="i8c0mg_mS7U">}}
|
||||
|
BIN
static/upstream-distros-gap.png
Normal file
BIN
static/upstream-distros-gap.png
Normal file
Binary file not shown.
After Width: | Height: | Size: 102 KiB |
Loading…
Reference in New Issue
Block a user