[SOLVED] A security expert compares Debian's security to that of Windows XP with partial security updates
The Linux kernel is a security disaster, but so are the kernels in macOS / iOS and Windows, although they are moving towards changing. For example, iOS moved a lot of the network stack to userspace, among other things.
The userspace Linux desktop software stack is far worse relative to the others. Security and privacy are such low priorities. It's really a complete joke and it's hard to even choose where to start in terms of explaining how bad it is. There's almost a complete disregard for sandboxing / privilege separation / permission models, exploit mitigations, memory safe languages (lots of cultural obsession with using memory unsafe C everywhere), etc. and there isn't even much effort put into finding and fixing the bugs. Look at something like Debian where software versions are totally frozen and only a tiny subset of security fixes receiving CVEs are backported, the deployment of even the legacy exploit mitigations from 2 decades ago is terrible and work on systems integration level security features like verified boot, full system MAC policies, etc. is near non-existent. That's what passes as secure though when it's the opposite. When people tell you that Debian is secure, it's like someone trying to claim that Windows XP with partial security updates (via their extended support) would be secure. It's just not based in any kind of reality with any actual reasoning / thought behind it.
Fair criticism, would you say?
Security issues aside, I quite like Debian. Is it true that only a fraction of CVEs actually get fixed in Debian Stable? I always assumed that they all get fixed.
Ever since he split off from the CopperheadOS team and started GrapheneOS, he has been ranting like this on reddit, full Theo-de-Raadt-style.
He probably has a point, but there's just something bordering on madness in his behaviour.
And are we not going to talk about the implications of using Alphabet-ware as the base for his OS? I guess he is blind on that eye.
The lead dev of GrapheneOS (praised by Snowden and Doresy)
I presume "Doresy" refers to Jack Dorsey, the Twitter CEO, who according to this did nothing more than post a link to GrapheneOS after Google deleted negative reviews from the Play store.
It's an interesting thread, but basically all he really said is that two years ago GrapheneOS was the least-worst choice for a smartphone.
Neither of those things is enough to establish Daniel Micay as a security expert in my eyes - basically all they've said is "here's a de-Googled Android", neither of them are specifically praising Daniel nor GrapheneOS.
And that's not a comment on whether he's right or wrong - but without providing concrete examples to back up what he is saying then it's just ranting.
The key thing is the question you asked:
Quote:
Is it true that only a fraction of CVEs actually get fixed in Debian Stable?
If this is true, it would be easy for Daniel to point to CVEs that apply to Debian Stable and didn't get fixed. Has he actually done that?
Since Debian Security Tracker is public - we can easily have a look ourselves...
Looks like there are 108 active CVEs for Debian's kernel, and of those, 5 are fixed in Unstable (sid) but not yet fixed in Stable (bullseye), whilst a further 29 are not yet fixed in either - that's out of a total 1675 resolved CVEs.
This does not appear to support what Daniel Micay is saying about Debian.
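The counts above were read off the tracker's web pages. As an added example, not written by anyone in this thread, the script below computes the same kind of breakdown (resolved in stable, open in stable, fixed in unstable but not yet in stable, open in both) from the Security Tracker's JSON export instead. It assumes the export's shape is `{package: {cve_id: {"releases": {release: {"status": ...}}}}}` with status values `resolved`/`open`, and that open entries Debian has triaged as not needing an advisory carry a `nodsa` field; both are assumptions about the export, and the sample data and CVE ids are constructed placeholders, not real advisories.

```python
import json

# Constructed sample in the assumed shape of the tracker's JSON export
# (https://security-tracker.debian.org/tracker/data/json):
#   {package: {cve_id: {"releases": {release: {"status": ..., ...}}}}}
# The CVE ids below are placeholders, not real advisories.
SAMPLE_JSON = json.dumps({
    "linux": {
        "CVE-0000-0001": {"releases": {
            "bullseye": {"status": "resolved", "fixed_version": "5.10.46-1"},
            "sid": {"status": "resolved", "fixed_version": "5.10.46-1"}}},
        "CVE-0000-0002": {"releases": {
            "bullseye": {"status": "open"},
            "sid": {"status": "resolved", "fixed_version": "5.14.6-1"}}},
        "CVE-0000-0003": {"releases": {
            "bullseye": {"status": "open"},
            "sid": {"status": "open"}}},
        "CVE-0000-0004": {"releases": {
            "bullseye": {"status": "open", "nodsa": "Minor issue"},
            "sid": {"status": "open"}}},
    },
    "firefox-esr": {
        "CVE-0000-0005": {"releases": {
            "bullseye": {"status": "resolved", "fixed_version": "78.13.0esr-1~deb11u1"},
            "sid": {"status": "resolved", "fixed_version": "78.13.0esr-1"}}},
    },
})

STATUSES = (
    "resolved_in_stable",
    "open_in_stable",
    "fixed_in_unstable_only",
    "open_in_both",
    "open_in_stable_no_dsa",
)


def summarize(tracker_json, package, stable="bullseye", unstable="sid"):
    """Per-release CVE counts for one package, the breakdown quoted in the thread."""
    cves = json.loads(tracker_json).get(package, {})
    counts = dict.fromkeys(STATUSES, 0)
    for entry in cves.values():
        releases = entry.get("releases", {})
        stable_rel = releases.get(stable, {})
        stable_status = stable_rel.get("status")
        unstable_status = releases.get(unstable, {}).get("status")
        if stable_status == "resolved":
            counts["resolved_in_stable"] += 1
        elif stable_status == "open":
            counts["open_in_stable"] += 1
            if unstable_status == "resolved":
                # Fix exists upstream/in sid; stable is waiting on a backport.
                counts["fixed_in_unstable_only"] += 1
            elif unstable_status == "open":
                counts["open_in_both"] += 1
            # "nodsa" (assumed field name) marks open issues Debian decided not
            # to ship an advisory for; they stay open but were triaged as minor.
            if "nodsa" in stable_rel:
                counts["open_in_stable_no_dsa"] += 1
    return counts


def fixed_in_unstable_only(tracker_json, package, stable="bullseye", unstable="sid"):
    """CVE ids already fixed in unstable but still open in stable: the backport queue."""
    cves = json.loads(tracker_json).get(package, {})
    queue = []
    for cve_id, entry in cves.items():
        releases = entry.get("releases", {})
        if (releases.get(stable, {}).get("status") == "open"
                and releases.get(unstable, {}).get("status") == "resolved"):
            queue.append(cve_id)
    return sorted(queue)


if __name__ == "__main__":
    for pkg in ("linux", "firefox-esr"):
        print(pkg, summarize(SAMPLE_JSON, pkg))
        print(pkg, "backport queue:", fixed_in_unstable_only(SAMPLE_JSON, pkg))
```

To run this against live data, download the export URL above and pass its text in place of `SAMPLE_JSON`; the point of the `fixed_in_unstable_only` list is that it is the concrete set of "fixed elsewhere, not yet in Stable" issues one would need to cite to support or refute the claim under discussion.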
Quote:
It's an interesting thread, but basically all he really said is that two years ago GrapheneOS was the least-worst choice for a smartphone.
Slightly off-topic. There was a recent post on LWN.net about a study of data collection on Android devices. And they found out that the only Android OS variant that lives up to its promise of complete de-Googling is /e/OS. They didn't test GrapheneOS though.
Quote:
neither of them are specifically praising Daniel nor GrapheneOS.
Dorsey tweeted a link to it, and Snowden wrote "If I were configuring a smartphone today, I'd use Daniel Micay's GrapheneOS as the base operating system." (according to Wikipedia)
Micay created a "hardened Android" project that tech celebs know about. I think that's something.
Quote:
And that's not a comment on whether he's right or wrong - but without providing concrete examples to back up what he is saying then it's just ranting.
Quote:
Looks like there are 108 active CVEs for Debian's kernel, and of those, 5 are fixed in Unstable (sid) but not yet fixed in Stable (bullseye), whilst a further 29 are not yet fixed in either - that's out of a total 1675 resolved CVEs.
Debian 11 just got released. It's probably more informative to look at Debian 10. Also, this is just the kernel. Chrome alone gets 200 CVEs per year. Firefox - 100 per year. Do they all get backported to Chromium and Firefox-ESR?
I did once write up how to search for a particular security fix in Ubuntu. Don't feel like rewriting this all over again for Debian. Look it up yourself, say, at distro-patches. Unfortunately, the distro-patches page was last updated 2019, and Debian infrastructure has changed quite a bit since then, so most of the links there must be replaced. You can find working links starting from https://packages.debian.org and going to the package you're interested in.
For a quick look at the latest security patches I usually go to https://lwn.net/Alerts/Debian (not only for Debian, of course: they maintain lists for several major distributions).
Have you looked at the URL boughtonp provided? What prevents you from changing it to display CVEs for Chromium or Firefox-ESR?
I did look at those. Only a fraction of CVEs for Firefox and Chrome end up in Debian's tracking system. It's hard to tell if in each of those cases, there was a decision to not include a CVE, what that decision was based on, and whether it was justified (without being a developer familiar with these packages).
Quote:
Debian 11 just got released. It's probably more informative to look at Debian 10. Also, this is just the kernel. Chrome alone gets 200 CVEs per year. Firefox - 100 per year. Do they all get backported to Chromium and Firefox-ESR?
Judging the security of an OS by software that is not installed by default does not seem reasonable (especially when it's Google's incompetence resulting in so many vulnerabilities).
Firefox, which is installed by default, has zero unresolved CVEs in Debian's currently supported stable versions.
Quote:
Originally Posted by max.b
Only a fraction of CVEs for Firefox and Chrome end up in Debian's tracking system. It's hard to tell if in each of those cases, there was a decision to not include a CVE, what that decision was based on, and whether it was justified (without being a developer familiar with these packages).
Quote:
Judging the security of an OS by software that is not installed by default does not seem reasonable (especially when it's Google's incompetence resulting in so many vulnerabilities).
You must not be a programmer, if you think bugs are caused by incompetence alone.
Edit: Micay himself has argued that Chrome has a lot of CVEs because they are better than others at finding problems.
Quote:
Firefox, which is installed by default, has zero unresolved CVEs in Debian's currently supported stable versions.
Debian Stable is a lot bigger than what's installed by default.
Quote:
What are you basing this claim on?
Just count the Firefox/Chrome CVEs for the same time period on MITRE and Debian's security tracker.
OP, you seem to be using "Chrome" and "Chromium" as though they're interchangeable - they aren't.
They're both browsers, but one is open-source and one is not.
The closed-source browser is based on the open-source browser, with who knows how different configuration, and also "stuff" added on top.
Chromium is both the source project Chrome is built from and a FOSS browser (but by no means Google-free); Chrome is the closed-source browser promoted by Google/Alphabet.
Can you provide an actual example of a CVE that is specifically listed as affecting Debian's Firefox but is being ignored by Debian Security?
Quote:
Edit: Micay himself has argued that Chrome has a lot of CVEs because they are better than others at finding problems.
Sounds like a Google fanboy. Would you like to provide a source for that statement?
Likewise, for the claim to have any validity, it needs to be backed up by proof that Google is the one finding the vulnerabilities - do such statistics exist anywhere?
If Google is so good at finding vulnerabilities, why do they wait until after they perform a release to do it...?