[H-GEN] security update mailing lists?

Greg Black gjb at gbch.net
Thu Jul 13 03:37:49 EDT 2006


On 2006-07-13, Russell Stuart wrote:

> Just a personal point of view, but I find these lists
> useless for an end user.  You see a whole pile of
> vulnerabilities fly by.  Often they are in libraries,
> and you don't know whether some application you have
> installed uses those libraries.  And of the remainder
> a fair chunk won't apply to you.

This is indeed a major problem with these things.

> So I end up just waiting for my distribution to release
> a fixed version of the package.  Notice this overcomes
> the "vulnerability in a library" problem, because the
> packaging system automatically updates all affected
> programs.  This of course doesn't require you to read
> any list.  It just requires you to run "aptitude update;
> aptitude upgrade" regularly.
> 
> You can take it further.  You can write a little script
> run nightly from cron that downloads but doesn't install
> any updated packages and emails you the change logs.
> You can then install or ignore them as you see fit.  By
> doing that you have created your own personalised
> mailing list that only emails vulnerabilities that affect
> your system.

There's just one thing that makes me worry about this kind of
advice and, since today is in fact a day when a Debian server
was compromised, this seems like a good time to mention it:  you
need to know that the place you get your updates from has only
got "good" updates, not compromised software.  There's really no
way for normal users to be able to be confident about that.

What's the solution?  Probably the only guaranteed solution is
to ensure you only use perfectly secure computers.  These are
created by removing the power permanently.

Cheers, Greg
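The nightly "download but don't install" script Russell describes, as an added example that is not part of either post. It assumes a Debian-style host with apt-get and a local mail command (assumed names), and the "Inst name [old] (new ...)" line format of a simulated apt-get run is a constructed sample, not copied from the list.

```shell
#!/bin/sh
# Added example: nightly report of updates that have been downloaded
# (apt-get -d) but not installed, with their changelogs mailed to an admin.
# Assumes Debian/Ubuntu apt-get and a local "mail" command (assumed names).
set -eu

# Turn "apt-get -s upgrade" output into one "name old -> new" line per
# package that would be upgraded.  Lines of interest look like:
#   Inst libfoo1 [1.0-1] (1.0-2 Debian:stable-security [amd64])
pending_upgrades() {
    sed -n 's/^Inst \([^ ]*\) \[\([^]]*\)\] (\([^ ]*\) .*/\1 \2 -> \3/p'
}

# Fetch new package lists, download (never install) pending upgrades,
# and mail the pending list plus the head of each package's changelog.
# Note: the download still relies on apt's signature check of the
# archive's Release file; it does not verify anything beyond that.
nightly_report() {
    recipient="$1"
    apt-get -qq update
    apt-get -qq -y -d upgrade          # -d: download only
    list=$(apt-get -s upgrade | pending_upgrades)
    [ -n "$list" ] || return 0         # nothing pending: no mail
    {
        echo "Packages downloaded and waiting for 'apt-get upgrade':"
        echo "$list"
        echo
        for pkg in $(echo "$list" | cut -d' ' -f1); do
            echo "== changelog: $pkg =="
            apt-get changelog "$pkg" 2>/dev/null | head -n 40 || true
        done
    } | mail -s "Pending package updates on $(hostname)" "$recipient"
}

# Run from cron (assumed path), e.g.:
#   0 3 * * * /usr/local/sbin/nightly-updates root
if [ "$#" -eq 1 ]; then
    nightly_report "$1"
fi
```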
