On Sat, Jan 22, 2022 at 07:01:24PM +0000, Tim Woodall wrote:
> On Sat, 22 Jan 2022, max wrote:
>
> >
> > WHY IS DEBIAN NOT TELLING THE TRUTH ABOUT ITS SECURITY FIXES?
> >
> snip rant.
>
> I could have the opposite rant. WHY IS DEBIAN NOT TELLING THE TRUTH
> ABOUT ITS STABLE DISTRIBUTION.
>
> Because I have a machine (actually more than one) sat running buster
> that has SSH listening but can only be reached via limited routes.
>
> And the installed browser is able to connect only to the local network
> too. On that local network there is a proxy - but that proxy does not
> let this machine connect anywhere.
>
> This machine runs xvnc (or something like that, off the top of my head I
> forget exactly which vnc service it is running) and in order to actually
> connect to the vnc server you have to use ssh forwarding via public key
> authentication.
>
> That machine has exactly one use, and that is to enable me to connect to
> the IPMI console on two servers. The ipmi itself is presumed not safe to
> expose and so is also firewalled from everything else.
>
> For obvious reasons these machines are required rarely, but when
> everything else is breaking it is critical that they work. (This is my
> home network so technically physically plugging in a screen and keyboard
> is only a 10 minute job rather than a remote hands request)
>
> I want to keep ssh up to date, that's the one thing that does need to be
> remotely accessible. But I'm laid back about everything else. And yet,
> java updates, firefox updates *regularly* break things because the (no
> updates available) IPMI firmware is using "insecure" security settings.
>
>
> I would rather debian stable continued to carry a version of the various
> major browsers than they dropped it completely. But dropping it is the
> most likely thing to happen if the people who complain the loudest don't
> step up and do the work to keep it completely up to date.
>
> I'm pretty sure that if someone steps up to do all the work to package
> each esr release of chromium/firefox then debian will be likely to take
> them (especially if they're fixing known security issues) even if
> they're going to break the normal debian stable compatibility rules. But
> this is a lot of work. All this ranting is going to achieve is moving
> firefox debs to a third party repo, making it more difficult for those
> of us who have a use case for a "good enough" browser and have other
> ways to avoid security issues in the browser.
>

I might suggest netsurf as a very lightweight browser that is very well
maintained by a dedicated bunch of folk - it's also cross platform though
I've no idea whether it will work with your IPMI.

Debian perforce has to adopt the upstream decisions of the originators of
Firefox/Chromium - but the requirement of having to build on each release
is not negotiable, I think, or the oldstable releases end up as a mess of
incompatible libraries.

Buster, of course, is not the current stable but is still supported by
the main Debian security team to 2022-08-14 and the LTS team until 2024.

With every good wish, as ever,

Andy Cater

>
> FTAOD, I think the debian volunteers are doing a great job and while I
> might wish that their efforts were focused on exactly MY needs, I'll
> take whatever they're willing to give with a thank you (and an
> occasional, unwarranted, moan).
>