[Whonix-devel] revisiting decision of using stable as a Whonix base
bancfc at openmailbox.org
Fri May 13 03:35:38 CEST 2016
On 2016-05-10 18:09, Patrick Schleizer wrote:
>> I wanted to revisit the decision of using stable as a Whonix base. The
>> biggest (and only) advantage of using stable is to avoid unexpected
>> dependency breakages that increase maintenance burden.
>>
>> From a security POV stable is a disaster that's guaranteed to have
>> security bugs that are not patched for years at a time. Not every
>> potentially exploitable bug that is discovered and fixed in upstream
>> software versions is marked as a CVE for backporting. What appears as a
>> crash or DoS bug can have security implications with enough effort. Linus
>> is infamous for doing "silent" fixes where he marks scores of bugs as DoS
>> when they have security implications and so they never make it into
>> stable distro kernels. The situation is similar for userspace software
>> in Debian stable that suffers from publicly discovered security
>> problems but doesn't get upgraded because of policy.
>>
>> See:
>>
>> https://mjg59.dreamwidth.org/41085.html
>> https://cxsecurity.com/issue/WLB-2008070032
>>
>>
>> Are testing snapshots a workable compromise between security and
>> stability?
>>
>> (It's up to you to post this conversation for public record)
>>
>
> I do not mind about public vs private.
>
> Debian testing:
>
> - build keeps breaking (ok, never mind and testing snapshots would do)
>
> - flood of constant upgrades (maybe also say never mind)
>
> - users will keep running into issues which creates a user support hell
> (this is serious)
>
> - it's impossible to keep up and to see how it interacts with Whonix.
> Just using testing in sources.list could quickly end in obscure stuff
> (like apparmor changes) resulting in Tor no longer starting and
> whatnot.
>
> Or do you suggest somehow slowing down testing by having Whonix decide
> which snapshot users are going to use?
Exactly so. This would resolve the most pressing problems like the
breakage and support hell scenarios you describe while giving users a
fresher/patched base for better security.
>
> Cheers,
> Patrick