Re: What can Debian do to provide complex applications to its users?

 ❦ 19 February 2018 20:36 +0200, Adrian Bunk <bunk@xxxxxxxxxx>:

>> Debian is not only about security support. We provide packages without
>> security support. We also have backports that come without security
>> support either. This is still better than installing random packages
>> made by random people which may or may not integrate properly into
>> Debian.
> The software might integrate properly into Debian - and allow everyone 
> on the internet to take control of your computer.
> On the server side we are talking about software like Node.js or gitlab.
> On the desktop side the MUA that comes with our default desktop renders
> HTML emails using a web engine that is not security supported by Debian.
> An example of what "no security support" means in practice:
> If you are running Debian stable and haven't yet installed the
> LibreOffice security updates Debian published a few days ago,
> then opening a document is sufficient to make LibreOffice silently
> send your gpg and ssh private keys to whatever server the author
> of that document wants - no dialog, no warnings, you won't notice.
> If Debian would provide LibreOffice without security support,
> how many of our users would have been aware of this problem?

I don't know what your point is. You acknowledge we already ship not
security supported software. We could put a large dialog box when
installing/upgrading LibreOffice, like for other not security supported
software. Or we could put those software in a special repository (called
"unsupported"), a bit like backports that are not security supported

Ubuntu has done that for many years (everything in universe/multiverse is
unsupported) and nobody cares.

-- 
Use variable names that mean something.
            - The Elements of Programming Style (Kernighan & Plauger)