[H-GEN] security update mailing lists?

Russell Stuart russell at stuart.id.au
Thu Jul 13 03:27:01 EDT 2006


On 13/07/2006 4:21 PM, Troy Piggins wrote:
> I just subscribed to a ubuntu-security-announce mailing list.  Would
> this be sufficient or are there better?

Just a personal point of view, but I find these lists
useless for an end user.  You see a whole pile of
vulnerabilities fly by.  Often they are in libraries,
and you don't know whether some application you have
installed uses those libraries.  And of the remainder
a fair chunk won't apply to you.

However, let's assume you spot something that does
apply to you.  Then what?  Are you going to fix it
yourself?  Are you going to download a fixed version
of the upstream tarball and compile it and install
it yourself?  If you do either of those things you
will be breaking the Debian/Ubuntu packaging system.
In some ways this makes you more vulnerable than if
you had just left the thing alone.

So I end up just waiting for my distribution to release
a fixed version of the package.  Notice this overcomes
the "vulnerability in a library" problem, because the
packaging system automatically updates all affected
programs.  This of course doesn't require you to read
any list.  It just requires you to run "aptitude update;
aptitude upgrade" regularly.

You can take it further.  You can write a little script
run nightly from cron that downloads but doesn't install
any updated packages and emails you the changelogs.
You can then install or ignore them as you see fit.  By
doing that you have created your own personalised
mailing list that only emails vulnerabilities that affect
your system.

This URL describes the tools you need to do this:
   http://www.debian.org/doc/manuals/apt-howto/
Note in particular apt-listchanges.

There is nothing particularly novel about what I have
described here, so I expect someone has already done it.
If so I can't find it.  This package comes close, but
doesn't appear to do the downloads:

   http://www.steve.org.uk/Software/debian-updates/
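The nightly download-but-don't-install script described in the post, as an added example that is not part of the original message nor of either linked tool; it assumes a Debian/Ubuntu host with apt-get, apt-listchanges and a working mail command, the crontab path given in the comments, and a constructed sample of apt-get -s upgrade output for the demo mode.

```shell
#!/bin/sh
# apt-pending-mail.sh: added example, not from the original post or any project.
# Nightly cron job: download pending upgrades without installing them, then
# mail a summary plus changelogs, so only updates affecting this host arrive.
# Assumes Debian/Ubuntu with apt-get, apt-listchanges and a working `mail`;
# assumed root crontab line:  15 3 * * * /usr/local/sbin/apt-pending-mail.sh run
set -eu
MAILTO="${MAILTO:-root}"

# Turn `apt-get -s upgrade` output into "package new-version origin" lines.
# Simulation lines look like:  Inst pkg [old-ver] (new-ver Origin:suite [arch])
pending_upgrades() {
    awk '$1 == "Inst" && $3 ~ /^\[/ {
        sub(/^\(/, "", $4); sub(/,$/, "", $5); print $2, $4, $5 }'
}

# Keep only upgrades served from a security archive (Debian-Security or an
# Ubuntu *-security pocket): the "vulnerabilities that affect your system".
security_only() {
    grep -E 'Debian-Security|-security' || true
}

main() {
    apt-get -qq update
    apt-get -qq -y -d upgrade      # -d: fetch the .debs, do not install them
    pending=$(apt-get -s upgrade | pending_upgrades)
    [ -n "$pending" ] || exit 0    # nothing pending: send no mail at all
    security=$(printf '%s\n' "$pending" | security_only)
    {
        echo "Pending upgrades on $(hostname) (downloaded, NOT installed):"
        printf '%s\n' "$pending"
        echo; echo "Of these, from security archives:"
        echo "${security:-  (none)}"
        echo; echo "Changelog entries newer than the installed versions:"
        for pkg in $(printf '%s\n' "$pending" | cut -d' ' -f1); do
            ls /var/cache/apt/archives/"${pkg}"_*.deb 2>/dev/null || true
        done | xargs -r apt-listchanges --which=changelogs -f text
    } | mail -s "apt: pending upgrades on $(hostname)" "$MAILTO"
}

# Constructed sample of `apt-get -s upgrade` output (not real packages) so the
# parser can be exercised with "demo" without touching apt.
SAMPLE_SIM='Inst libfoo1 [1.0-1] (1.0-1+deb12u1 Debian-Security:12/stable-security [amd64])
Inst bar [2.0-3] (2.1-1 Debian:12/stable [amd64])
Inst baz [0.9-1] (0.9-2 Ubuntu:22.04/jammy-security, Ubuntu:22.04/jammy-updates [amd64])
Conf libfoo1 (1.0-1+deb12u1 Debian-Security:12/stable-security [amd64])'
# "run" does the real job (from cron), "demo" parses the sample, no argument
# only defines the functions (handy for sourcing and testing).
case "${1:-}" in run) main ;; demo) printf '%s\n' "$SAMPLE_SIM" | pending_upgrades | security_only ;; esac
```

Packages that apt would install fresh rather than upgrade (no old version in brackets) are deliberately skipped, and a night with nothing pending sends no mail at all.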
