1
0
mirror of https://github.com/PrivSec-dev/privsec.dev synced 2024-12-23 13:21:34 -05:00

More Debian greatness

Signed-off-by: Tommy <contact@tommytran.io>
This commit is contained in:
Tommy 2022-07-17 20:58:11 -04:00
parent 96ac0a332c
commit 3d8cb277ee
No known key found for this signature in database
GPG Key ID: 060B29EB996BD9F2
2 changed files with 4 additions and 0 deletions

View File

@ -12,6 +12,10 @@ You should choose a distribution which stays close to the stable upstream softwa
For frozen distributions, package maintainers are expected to backport patches to fix vulnerabilities (Debian is one such [example](https://www.debian.org/security/faq#handling)) rather than bump the software to the “next version” released by the upstream developer. Some security fixes [do not](https://arxiv.org/abs/2105.14565) receive a [CVE](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures) (particularly less popular software) at all and therefore do not make it into the distribution with this patching model. As a result minor security fixes are sometimes held back until the next major release.
In fact, in certain cases, there have been vulnerabilities introduced by Debian because of their patching process. [Bug 1633467](https://bugzilla.mozilla.org/show_bug.cgi?id=1633467) and [Bug 1679430](https://bugzilla.mozilla.org/show_bug.cgi?id=1679430) are examples of this.
![Upstream - Distros Gap](/upstream-distros-gap.png)
Holding packages back and applying interim patches is generally not a good idea, as it diverges from the way the developer might have intended the software to work. [Richard Brown](https://rootco.de/aboutme/) has a presentation about this:
{{< youtube id="i8c0mg_mS7U">}}

Binary file not shown.

After

Width:  |  Height:  |  Size: 102 KiB