[thelist] Just moved from Vista to Ubuntu -Web Dev Help???

Hassan Schroeder hassan.schroeder at gmail.com
Thu Oct 1 18:57:40 CDT 2009

On Thu, Oct 1, 2009 at 4:25 PM, Bill Moseley <moseley at hank.org> wrote:

> Just a quick search, but does this include the security issues you are
> concerned with?

Sorry, I don't have time to go through the source code -- the security
fix pages list some Tomcat updates, but definitely not all. I'll take that
as definitive enough.

> Again, maintainers often will back patch so older versions have newer
> security updates.  Just not newer features.  So, the version number is not a
> good indication.

Yes, and that seems like a hideously bad idea to me. Obviously YMMV.

> I would not assume that newer packages are more secure.

I didn't say that. I said that there are known security vulnerabilities that
are fixed in the standard Tomcat releases that are AFAICT *not* fixed
in Debian's version.

> Personally, I don't trust myself to notice that some bit of software has a
> security issue that requires a quick fix.  I had a bind9 compromise once
> because I was managing my own version.  I was even on the bind9 list.  I
> just missed it.  I would have been protected if I had used the packaged
> version as a security update that had been released months before.

That might be true for bind9, but it's not true for Tomcat. If it's not true
for one package I'm using, how do I have any confidence in the others?

Use the package manager, fine, but don't believe you're getting some
magical security insurance, because it provably ain't so.

That's all I'm sayin' ...  :-)
Hassan Schroeder ------------------------ hassan.schroeder at gmail.com
twitter: @hassan

More information about the thelist mailing list