Friday 31 May 2024

Re: Make proposed available by default? [was: Setting NotAutomatic for hirsute+1-proposed]

On Thu, May 09, 2024 at 07:23:09AM -0400, David A. Desrosiers wrote:
> Let's also not lose sight of the fact that if proposed had been enabled by
> default with the current LTS release, the xz exposure and impact would have
> been a lot broader than it was, and also a lot harder to clean up and
> retract from.

I don't think that's true. With NotAutomatic, users would still have
required to explicitly install the package from proposed (with -t or
equivalent), and what would have caused them to do that?

> As it was, the customer I support mirrored -proposed into their internal
> aptly during the Feb 28-March 30 window when the exploited versions of xz
> packages were resident in noble-proposed, and some of their machines had it
> deployed as part of internal automation. They had to go through a manual
> exercise to delete the pocket from their mirror and specifically the
> xz-utils packages for a daily span of 30 days of mirroring and resilver all
> of their aptly package lists to redact that and remove their own potential
> for exposure.

This sounds like a counterexample to me - it sounds like a user
deliberately chose to opt in to the cutting edge and faced the
consequences. That's always going to be the case for those who opt-in.
If we had chosen to already add proposed by default, that wouldn't have
changed the impact for this particular user.

> Let's err on the side of being a bit more cautious here, so we don't leave
> ourselves open to another possible 'adventure' that could sneak through
> unnoticed, before our users/customers are impacted. -proposed explicitly
> disabled by default has a purpose and requires being manually enabled, and
> once we flip that position, we may lose the value that explicit testing of
> packages in -proposed provides.

From an exposure perspective, I don't see how requiring manual
enablement via sources.list is different from requiring manual opt-in
through apt with -t. In both cases the user has to take an explicit
opt-in step. Further, before we had NotAutomatic for proposed, it was
one step before (add-apt-repository -p proposed) and I'm proposing that
it be one step now that we have NotAutomatic (apt install -t
<series>-proposed). Why do you think this is worse?

Robie
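A small model of apt's pin-priority rules, added here as an illustration and not part of the thread, showing the point about NotAutomatic: a NotAutomatic pocket contributes versions at priority 1, so nothing from it is selected until the user names it with -t (priority 990), whereas a plainly enabled pocket (priority 500) wins on version alone. Suite names, version numbers and the archive state are constructed; version ordering is simplified to tuple comparison rather than dpkg's algorithm.

```python
from dataclasses import dataclass
from typing import Optional

# Pin priorities apt assigns to a version depending on where it comes from
# (see apt_preferences(5)).
PRIORITY_DEFAULT = 500          # an ordinary enabled pocket
PRIORITY_NOT_AUTOMATIC = 1      # pocket with NotAutomatic: yes and no ButAutomaticUpgrades
PRIORITY_TARGET_RELEASE = 990   # the release named with apt -t / APT::Default-Release
PRIORITY_INSTALLED = 100        # the version currently installed

@dataclass(frozen=True)
class Source:
    suite: str                  # e.g. "noble-updates", "noble-proposed"
    not_automatic: bool = False

@dataclass(frozen=True)
class Version:
    version: tuple              # simplified: compared as tuples, not dpkg ordering
    source: Optional[Source]    # None marks the installed version itself

def priority(v: Version, target: Optional[str]) -> int:
    if v.source is None:
        return PRIORITY_INSTALLED
    if target is not None and v.source.suite == target:
        return PRIORITY_TARGET_RELEASE
    return PRIORITY_NOT_AUTOMATIC if v.source.not_automatic else PRIORITY_DEFAULT

def candidate(versions, installed: Optional[tuple] = None,
              target: Optional[str] = None) -> str:
    """Return the suite apt would take the package from: highest priority
    wins, ties are broken by highest version, and the installed version
    competes at priority 100."""
    pool = list(versions)
    if installed is not None:
        pool.append(Version(installed, None))
    best = max(pool, key=lambda v: (priority(v, target), v.version))
    return "installed" if best.source is None else best.source.suite

# Constructed archive state: a stable version in -updates and a newer upload
# sitting in -proposed (version numbers are made up, not real xz versions).
UPDATES = Source("noble-updates")
PROPOSED_NOT_AUTOMATIC = Source("noble-proposed", not_automatic=True)
PROPOSED_OLD_STYLE = Source("noble-proposed")   # how -proposed behaved before NotAutomatic

def upgrade_source(proposed: Source, target: Optional[str] = None) -> str:
    """Which suite an 'apt upgrade' of the constructed package would pull from."""
    pool = [Version((5, 4), UPDATES), Version((5, 6), proposed)]
    return candidate(pool, installed=(5, 4), target=target)
```

With the NotAutomatic pocket, `upgrade_source(PROPOSED_NOT_AUTOMATIC)` stays on noble-updates and only the explicit `target="noble-proposed"` (the -t step) selects the -proposed version, while the old-style pocket pulls it in unprompted.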