Newbie questions about updates
Kristian Rink
kristian at zimmer428.net
Wed Aug 23 09:40:27 UTC 2006
On Wed, 23 Aug 2006 01:20:36 -0700,
Scott <geekboy at angrykeyboarder.com> wrote:
> > needs to take some time investigating the sources of the new
> > release (even if it's just a security / maintenance update),
> > possibly adjust patches applied to the previous version (note the
> > FF version number printed above)
>
> Why would they be concerned with the previous version when starting
> with a new version from scratch, from fresh source code?
Because that's not what happens, usually. I don't exactly know about FF
in this case, but about several other packages maintained like this -
in those cases, Debian packages usually are made using "original"
sources and applying Debian-specific patches in order to, i.e., fix
known security holes, make the package behave in the distribution
environment (using all the libraries and features they provide), ... .
This is work to be done, so it's not at all "starting from scratch". ;)
> > But you're always free to fetch binaries from mozilla.org and
> > manually install them to /usr/local or /opt if you want to. ;)
>
> I'm fully aware of this, thanks. ;-)
I thought so. ;)
> how wonderfully secure Linux is. They come across as if it's next
> simply not vulnerable to anything, period (which is pure BS...or
> ignorance...or both).
Of course it is not invulnerable. No software is. But in most cases I
doubt this is because applications are more secure - it is because
several concepts of the system simply are enforcing security in a
better way. On Linux, in most cases, you work as a nonprivileged user
(i.o.w.: not "root"). Ubuntu makes running, say, a web browser or a
mail client as "root" even a little more difficult, given that you
can't just simply log in as root and then do what you want to do.
Another thing is that there are way less services up, running and
listening on a workstation installed from scratch. So the system
overall is less vulnerable to attacks that make use of weaknesses in
servers or misconfigured services (given that most of the desktop users
use Thunderbird, KMail, Evolution or something like this, probably a
Desktop Linux doesn't need to have an SMTP transport running
anymore...).
Bottom line: The system itself (and the software) might not be "more
secure" than others. But probably the developers of the system (talking
about both Linux and Unix) have been more aware of those risks and did a
better job to protect the system itself from being compromised by an
exploit, malware or something like that. If you're not working as root,
losing all the data in your $HOME is likely to be the worst thing to
happen in case any of your applications (Firefox...) is subject to an
external exploit, a prepared website or something like that. Installing
malware on the system itself is _way_ tougher. Try that on a Windows
workstation where most people tend to work as "Administrators"...
> What really bugs me is when Ubuntu (or most any Linux distro)
> releases a security update to a package (say, Firefox) they announce
> the vulnerability (many days and sometimes even a few weeks) after it
> had already been announced by the original developers (e.g.
> Mozilla, PHP, MySQL etc.) at the same time they release the package..
I don't know about Ubuntu maintainers, but in case of most Debian
packagers I know of, the way here is to examine the newly released
source code, find the modifications to fix the bug and then apply the
fixes to their code base rather than completely rebuilding the new
package (thus, package names like "1.5.dfsg+1.5.0.6-2" - the "Debian
build" including stuff backported from 1.5.0.6). About Debian,
however, I have seen a reasonably short time passing between availability
of an update made by a third-party maintainer and having an updated
Debian package available.
> People who are REALLY worried about security in the case of Firefox
> could point out that Windows and Mac users had been protected a while
> ago, while Linux users were left vulnerable.
For what I see, FF 1.5.0.6 fixed bug #346167 (see
https://bugzilla.mozilla.org/show_bug.cgi?id=346167 )
which involves Windows Media Player and is of little to no relevance in
a non-Windows environment...
> Yes, I KNOW I could download the binary immediately from Mozilla, but
> many users (especially in Ubuntu's case) don't want to mess with any
> installation program that doesn't end in ".deb". Or even further, "a
> program they could download from Synaptic [sic]"
Of course. But people should trust their distribution inasmuch as
knowing that security-relevant updates will be around "in time". It is
this way on Debian (looking at my server dist-upgrades), and I assume
it is right this way in Ubuntu. We should, indeed, be _careful_ about
security and software updates - right now, in some cases I see a
behaviour like "there's a security update, so if we don't install it,
our system is rendered insecure!". That's not likely to make things
better... If talking about security issues, indeed we
- should check whether an announced vulnerability addresses a piece of
software we actually use;
- if so, we should check whether the vulnerability involves a feature
of the software we utilize (if I never really deal with media content
and use my Firefox just for looking at text pages, the bug fixed in
1.5.0.6 would be of no relevance to me even using MS Windows);
- if so, we should check whether the threat it poses is severe enough
to actually deal with immediately, or whether waiting for the next
general maintenance / security update is acceptable;
- if so, we should find out whether there's a known workaround to fix
the problem without installing an update;
- if not (and only then), we should install the security update
immediately.
I am no friend of installing updates (be they feature or security
updates) just because they're around on sensible machines. In my
opinion, that should be one of the basic ideas of system
administration: Firewalling should be done following a threat / risk
analysis rather than just "deploying a boxed firewall solution" and
then feeling safe - likewise, security updates should be handled with
care and checking whether they are necessary... :)
Cheers,
Kristian
--
Kristian Rink * http://zimmer428.net * jab: kawazu at jabber.ccc.de
icq: 48874445 * fon: ++49 176 2447 2771
"One dreaming alone, it will be only a dream; many dreaming together
is the beginning of a new reality." (Hundertwasser)