Hacker News new | ask | show | jobs
by BUGHUNTER 4862 days ago
I would like to learn from others: how do you handle security with testing? I like debian testing very much, and occassionally I have the idea of using this in production, too, but I fear the responsibility to take care of many security fixes on my own. here are the high-urgency vulnarable sources for testing:

https://security-tracker.debian.org/tracker/status/release/t...

but even more surprisingly, this list for stable is even longer:

https://security-tracker.debian.org/tracker/status/release/s...

Can anybody explain this?

(Yes, I will take the shame on me and ask this on a debian mailing list, however, maybe anybody has a good explanation here...)
2 comments
meaty 4862 days ago
As follows:

1. Read the vulnerability description.

2. Ask yourself if you are vulnerable.

3. No? Don't worry about it.

4. Yes? External mitigation where possible or patch ourselves and commit back to debian (we a project member on our team).

We've not got to 4 yet, but have committed loads of fixes anyway.

link
BUGHUNTER 4862 days ago
OK, but real life (low budget) scenario is:

1. aptitude update && aptitude upgrade 2. ask yourself, if your system is vulnerable now 3. feel the good hope and go ahead.

If I had the budget / time to research every single CVE I would probably not trust repositories at all...

do YOU trust repositories?

link
meaty 4862 days ago
Yeah and that's pretty much good enough for most people.

That's what we do for our internal dev systems.

link
fulafel 4862 days ago
Yeah, security fixes are the one thing that prevents using testing for real world stuff.

Ubuntu is probably going to take care of this in their rolling model.

link