[Media] 8.04 Servers - Wikipedia
Mario Vukelic
mario.vukelic at dantian.org
Thu Oct 16 07:15:37 UTC 2008
On Thu, 2008-10-16 at 16:34 +1300, Michael Hutchinson wrote:
> If a distribution is "stable", why do updates come out for it,
> consistently?
Basically you are asking, "why does software have bugs". There are many
answers to this, <http://www.google.de/search?q="why+does+software+have+bugs>
> As Res has already said - packages get messed with, and
> therefore more packages need to come out. You may as well run your
> Operating System over the internet.
Look, my argument was that bugs _are_ found in upstream code,
independently from any changes that are made on the distro level. If a
security issue is found in, say, apache, then you will have to update
apache, whether your distro made changes to the upstream code or not.
I even made a quick check for the updates that were announced on the
security-announce list since September, and after a quick glance it
seems that they were all caused by bugs in the upstream code, and not in
the Ubuntu changes. (See one of my replies for that)
As I said to Res, I understand that one could make an argument that any
code changes by the distro only add more bugs on top of the upstream
bugs that exist anyway, making the problem worse. However, neither he
nor you brought the smallest fact to the table to support this. It is
equally possible that on balance, the code checks and changes by the
distro remove bugs. This is _certainly_ true for the kernel, and I doubt
that any major distro uses a vanilla kernel, since Linus himself expects
the distros to perform stabilization work.
It would be easy to support your argument by showing that the majority
of security updates in Ubuntu are caused by distro-specific changes. Or,
let me do your job for you and compare the Slackware and Ubuntu security
advisories, again in September for brevity:
Slackware,
<http://www.slackware.com/security/list.php?l=slackware-security&y=2008>
2008-09-26 - [slackware-security] mozilla-thunderbird (SSA:2008-270-01)
2008-09-25 - [slackware-security] seamonkey (SSA:2008-269-02)
2008-09-25 - [slackware-security] mozilla-firefox (SSA:2008-269-01)
2008-09-03 - [slackware-security] php (SSA:2008-247-01)
Ubuntu,
<https://lists.ubuntu.com/archives/ubuntu-security-announce/2008-September/thread.html>
[USN-639-1] tiff vulnerability Kees Cook
[USN-640-1] libxml2 vulnerability Kees Cook
[USN-641-1] Racoon vulnerabilities Kees Cook
[USN-642-1] Postfix vulnerabilities Kees Cook
[USN-643-1] FreeType vulnerabilities Kees Cook
[USN-644-1] libxml2 vulnerabilities Kees Cook
[USN-646-1] rdesktop vulnerabilities Jamie Strandboge
[USN-645-1] Firefox and xulrunner vulnerabilities Jamie Strandboge
[USN-645-3] Firefox and xulrunner regression Jamie Strandboge
[USN-647-1] Thunderbird vulnerabilities Jamie Strandboge
[USN-648-1] nasm vulnerability Kees Cook
As we can see, there are 4 for Slack and 11 for Ubuntu (8.04). According
to your argument, the difference should be mainly caused by buggy Ubuntu
patches. According to my argument, a closer look is needed at the
details, so let's do that:
I would argue that we can save the time to look closely at the firefox,
seamonkey and thunderbird announcements, as they occur in both distros
and are very likely upstream fixes.
That leaves php in Slackware and tiff, libxml2, racoon, postfix,
freetype, rdesktop, and nasm in Ubuntu.
In case of php, Ubuntu uses PHP 5.x while Slackware is at 4.x, so it is
very likely that it was an upstream bug that only occurs in v4.
tiff: upstream bug
http://secunia.com/advisories/cve_reference/CVE-2008-2327/
libxml2: upstream bug
http://secunia.com/advisories/cve_reference/CVE-2008-3281/
racoon: upstream bug
http://secunia.com/advisories/cve_reference/CVE-2008-3652/
postfix: upstream bug
http://secunia.com/advisories/cve_reference/CVE-2008-3889
freetype: upstream bug
http://secunia.com/advisories/cve_reference/CVE-2008-1808
rdesktop: upstream bug
http://secunia.com/advisories/cve_reference/CVE-2008-1803
nasm: upstream bug
http://secunia.com/advisories/cve_reference/CVE-2008-2719
Now, I don't really care to find out why Slackware does not patch these
security issues in upstream code. It might be because those packages are
not included in Slackware at all, that Slackware had older/newer
versions that are not affected, or that they remain unpatched. I'm not a
user, and I don't care.
I do care, however, about intellectual honesty. Therefore, please only
bother to reply after you have done your homework and can present some
facts. (And the single Debian OpenSSH incident, as regrettable and
stupid as it was, does not count as a trend.)
Regards
Mario
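An added example, not code from Mario's post or from either distribution's own tooling, that mechanises the comparison done by hand above. It parses the two advisory lists in exactly the formats shown (the Slackware security page lines and the ubuntu-security-announce thread index lines), folds package-name aliases onto one name per upstream project (the alias table is an assumption made for this example), keeps vulnerability notices apart from regression notices, and reports which packages were patched by both distros and which by only one. The sample input is the post's own September data, embedded inline so the script runs offline.

```python
import re
from collections import Counter

# Constructed sample input: the two advisory lists quoted in the post,
# in the formats of the Slackware security page and the
# ubuntu-security-announce thread index.
SLACKWARE_SEPTEMBER = """\
2008-09-26 - [slackware-security] mozilla-thunderbird (SSA:2008-270-01)
2008-09-25 - [slackware-security] seamonkey (SSA:2008-269-02)
2008-09-25 - [slackware-security] mozilla-firefox (SSA:2008-269-01)
2008-09-03 - [slackware-security] php (SSA:2008-247-01)
"""

UBUNTU_SEPTEMBER = """\
[USN-639-1] tiff vulnerability Kees Cook
[USN-640-1] libxml2 vulnerability Kees Cook
[USN-641-1] Racoon vulnerabilities Kees Cook
[USN-642-1] Postfix vulnerabilities Kees Cook
[USN-643-1] FreeType vulnerabilities Kees Cook
[USN-644-1] libxml2 vulnerabilities Kees Cook
[USN-646-1] rdesktop vulnerabilities Jamie Strandboge
[USN-645-1] Firefox and xulrunner vulnerabilities Jamie Strandboge
[USN-645-3] Firefox and xulrunner regression Jamie Strandboge
[USN-647-1] Thunderbird vulnerabilities Jamie Strandboge
[USN-648-1] nasm vulnerability Kees Cook
"""

# Assumed alias table: distro package names mapped onto one upstream
# project name so the two lists can be compared package by package.
ALIASES = {
    "mozilla-firefox": "firefox",
    "mozilla-thunderbird": "thunderbird",
    "firefox and xulrunner": "firefox",
}

# "2008-09-26 - [slackware-security] mozilla-thunderbird (SSA:2008-270-01)"
SSA_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) - \[slackware-security\] "
    r"(?P<package>\S+) \((?P<id>SSA:\d{4}-\d{3}-\d{2})\)$"
)
# "[USN-645-3] Firefox and xulrunner regression Jamie Strandboge"
USN_RE = re.compile(
    r"^\[(?P<id>USN-\d+-\d+)\] (?P<package>.+?) "
    r"(?P<kind>vulnerability|vulnerabilities|regression)(?: (?P<reporter>.*))?$"
)


def canonical(name):
    """Lower-case a package name and fold known aliases onto one upstream name."""
    name = name.strip().lower()
    return ALIASES.get(name, name)


def parse_slackware(text):
    """Parse Slackware security-list lines; non-matching lines are skipped."""
    out = []
    for line in text.splitlines():
        m = SSA_RE.match(line.strip())
        if not m:
            continue
        out.append({"id": m["id"], "date": m["date"],
                    "package": canonical(m["package"]), "kind": "vulnerability"})
    return out


def parse_ubuntu(text):
    """Parse USN thread-index lines, keeping regression notices distinct."""
    out = []
    for line in text.splitlines():
        m = USN_RE.match(line.strip())
        if not m:
            continue
        kind = "vulnerability" if m["kind"].startswith("vulnerabilit") else "regression"
        out.append({"id": m["id"], "package": canonical(m["package"]),
                    "kind": kind, "reporter": m["reporter"] or ""})
    return out


def compare(slack, ubuntu):
    """Advisory counts, distinct packages, and the package overlap per distro."""
    s_pkgs = {a["package"] for a in slack}
    u_pkgs = {a["package"] for a in ubuntu}
    return {
        "slackware_total": len(slack),
        "ubuntu_total": len(ubuntu),
        "slackware_packages": len(s_pkgs),
        "ubuntu_packages": len(u_pkgs),
        "ubuntu_by_kind": dict(Counter(a["kind"] for a in ubuntu)),
        "shared": s_pkgs & u_pkgs,
        "slackware_only": s_pkgs - u_pkgs,
        "ubuntu_only": u_pkgs - s_pkgs,
    }


if __name__ == "__main__":
    report = compare(parse_slackware(SLACKWARE_SEPTEMBER), parse_ubuntu(UBUNTU_SEPTEMBER))
    for key, value in report.items():
        print(f"{key}: {sorted(value) if isinstance(value, set) else value}")
```

On the September data the script counts 4 Slackware advisories against 11 Ubuntu announcements, but also shows that the 11 cover only 9 distinct packages (libxml2 and Firefox each appear twice) and that one of them, USN-645-3, is a regression notice for an earlier USN rather than a new vulnerability. It reports seamonkey as Slackware-only, since no September USN names it. Distinguishing distinct packages from announcements, and vulnerability notices from regression notices, is the first step before attributing any difference in volume to distro patching.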