The author brought evidence -- CVEs that aren't getting fixed in Debian repos. What's your counter-evidence? Letting software keep up with upstream is as insecure as upstream, no more or less. What's the evidence that pinning upstream to some older version and backporting some (not all) security patches and bug fixes is more secure?
> The author brought evidence -- CVEs that aren't getting fixed in Debian repos. What's your counter-evidence?
Just poking around for two minutes finds counter-evidence. Let's take the two critical Wordpress vulnerabilities. He uses an archive.org page of the Wordpress package from February 7. If he actually looked in the Changelog of the Wordpress package for e.g. Jessie, he would have seen that these issues were fixed the day before in stable and two days before in sid:
So, I guess that it depends on your definition of "aren't getting fixed". But the way the author writes it, it seems that issues are lingering for weeks/months, which does not seem to be true.
The archive.org links were used at the creation of the blog post. (which was not necessarily the release date ;-) - needed to find some time to write it)
So Wordpress is an interesting example. Because the CVE assignment date has nothing to do with the release date of the patches. Wordpress doesn't request the CVE on their own.
So we're still at a 4-5 day delay (https://wordpress.org/news/2016/02/wordpress-4-4-2-security-...) for security fixes for web-facing software. This is still far worse than just enabling automatic updates in Wordpress. I wouldn't have much of a problem with that if it were a locally exploitable vuln, but web software usually is exploitable via the web.
When it comes to web software I believe it's unacceptable to add any additional delay. (Sure, those bugs were not that severe, but as other examples in the blog show, the problem with delayed or never-updated packages is inherent.)
> This is still far worse than just enabling automatic updates in Wordpress.
A webapp updating itself, having write access to its files (I see zero privilege separation in [1]) and getting updates from a hopefully not compromised source (see Linux Mint lately), that's just asking for trouble. I trust the Debian mirror infrastructure with signed packages that are updated by a privileged system user way more.
> The archive.org links were used at the creation of the blog post.
I still find it disingenuous to use an archive.org link dated February 7 on February 13.
> So we're still at a 4-5 day delay for security fixes for a web-facing software.
I agree that this is (far) too long. I just dislike the sensational tone of your blog post and the subtle bending of facts. Linking to the Wordpress 4.4.2 release page and the Debian changelog would have been factual and convincing. Pointing to a week-old webpage, which was outdated even on the original date, is just sloppy or manipulative.
Debian isn't the only distribution that exists. Sometimes you need a distribution to backport patches (read: enterprise customers that fear new features like the plague).