Slashdot Mirror
Debian Struggling With Security
Masq666 wrote to mention a ZDNet article discussing difficulties Debian is having with security updates. From the article: "...Lack of manpower also appears to be adding to Debian's security woes. Michael Stone, another member of Debian's security team, expressed his frustration to the organisation's security e-mail mailing list in mid-June, saying there was no effective tracking of security problems."
Secure, Convenient, Cheap.
Pick any two.
(General rule, but it does generally follow)
I have no problem with your religion until you decide it's reason to deprive others of the truth.
Disturbing to see how the distro that was always renowned for its reliability is now having such troubles.
I wish the debian team all the luck in the world in fixing this matter. They're in a difficult position now that they're both lagging behind (though much less so than a while back) and cannot claim unparalleled reliability.
The tone of the story would be laden with arrogance and derision towards the "Borg", painfully unfunny and unoriginal jokes would follow, and everyone would point to Apple and Linux as the greatest and secure OSes on the planet.
But since it's not Microsoft, it's a fairly sober writeup, and Microsoft jokes would just follow a little bit later.
Funny how things work here at slashdot. no i'm not new here. I'd just figure some people would grow up sooner or later.
It isn't any suprise that the boring and the mundane tasks fall short in manpower.
This is why there needs to be more commercial involvement in FOSS, so that people who just want a day job and a paycheck can do these sorts of things.
Woah! Wait a moment before you start flaming me on the basis of my subject line...
The problem of providing security support is ill-suited to being solved by the traditional "mob of volunteers" approach which describes most open source development. When you're doing development, it doesn't matter if you have five people coding one week and nobody doing any coding the next week; but when it comes to dealing with a constant stream of security issues which are being reported (in particular, from upstream vendors), it is important to guarantee that there will be someone around to deal with them. When the entire security team consists of people who have other full-time jobs, it's impossible to make sure that someone will be around when they are needed.
The job of "security officer" is really one which should be a job, not a role-played-by-a-volunteer. Go out and raise some money to pay for your security officer, so that he is able to always be available when he is needed, because if he needs to get some other job to support himself, he won't be around when you need him.
Tarsnap: Online backups for the truly paranoid
Consider a situation where a server has been set up and is running well in a company. That server has been working for several years, and while it may not have whiz-bang features, it keeps working every day just as well as it did the day before -- nothing ever breaks.
Now, if a security issue is discovered in a package running on that machine, they do not want to upgrade to the latest release because they would worry about what it changes -- they want that one issue fixed and everything else to continue the same as before. Debian Stable is designed for people like this, the joke at the end of your post was actually close to the truth -- people really do want debian stable to be stable feature wise.
Consider another situation, where somebody wants a fairly reliable and a fairly up-to-date server. When a bug is discovered, and especially security-related bugs, they'd like an updated package. On the other hand, they don't want to be sent the latest buggy software, they'd like it restricted to software that appears pretty stable. Debian Testing is designed for people like this.
It sounds from your post that you cannot imagine people preferring a quirky, somewhat old, consistant distro over one kept up to date with bug fixes. I assure you that there is a large market for the stable distro, but if you are not in that market, there are plenty of others available.
Bullshit. All the technically sweet linux distributions out there which use apt are more or less resting on debian's shoulders. If you watch the security changelogs - or the regular changelogs - of ubuntu packages, you'll see that nine out of ten get made by debian, adapted to ubuntu and thrown to the ubuntu servers. Some are just renamed to "-ubuntu" and passed on. And a very few are actually maintained by ubuntu themselves.
We can't move on. Much of the linux community depends on a well-functioning debian organization. They are lacking man-power to keep their security updates as fast as the multi-employee-distributions. That doesn't mean they're technically behind, and that we have something better to move to. Although the commercial distros would love that.
Roses are #FF0000, violets are #0000FF, all my base are belong to you
The article didn't go quite as in depth as I would have liked. Specifically, the Debian apt repositories have literally, and you may quote me, zillions* of packages. I'm fairly certain they have quite a few more than, say, Red Hat has binary packages in their repositories.
Therefore, it would follow that if 4% of Debian packages had security vulnerabilities that would equate to a substantially greater number of packages than would the same 4% of Red Hat packages.
The other important thing to keep in mind is that it's unlikely many users would install all zillion packages at one time.
Finally, the article implies Debian and Red Hat are in competition. However, as literate geeks will know, Debian is the OS of "Software in the Public Interest" http://www.spi-inc.org/about which is a non-profit entity. Therefore, while one could argue that Red Hat (a for-profit enterprise) and Debian are in competition for userbase, by no means are they in direct competition for 'business'.
*Debian website says "over 15490." Which begs the question, how many more than 15490? 15491?
Parent post is a flamebait and I wonder what moderators are smoking today.
s g00142.html
Debian is much more than a distribution. And there is unfortunately nothing better than Debian (as in the distro) to move on to. There is a reason why many distributions are build on Debian.
Please point me to a distro that can manage version upgrades even half as gracefully as Debian.
There was a discussion about Ubuntu on Slashdot and it was argued that if Ubuntu continues to be diverge further from sid and stay incompatible it will eventually dissolve, because the team will never be able to support the huge package base.
I am a desktop Linux user that started out with Debian 2.1 Slink and I also have the feeling that Debian has had some major issues lately.
About the security issue:
Heise security published it first 10 days ago:
http://www.heise.de/newsticker/meldung/61076
As a result of this a discussion on the Debian security mailing list ensued:
http://lists.debian.org/debian-security/2005/06/m
Heise Online then reported on that as a result of that discussion:
http://www.heise.de/newsticker/meldung/61125
For those that can't read German the article says that of the five members that should make up the security team four are not active at the moment if they ever were. The only remain one is Martin Schulze aka Joey. He has been pretty busy with the organisation of the Linuxtag. So he was cut off from the action. Debian people are working on the problem.
Everyone that is not satiesfied with the current state of affairs should get their hand dirty helping instead of complaining. After all Debian forms the bases of "plenty of well-managed, technically sweet linux distributions out there".
Like Knoppis, Ubuntu or Xandros. Full list here:
http://www.debian.org/misc/children-distros
"When the entire security team consists of people who have other full-time jobs, it's impossible to make sure that someone will be around when they are needed."
.002 for widget X that isn't widely used and gets abandoned for lack of interest and now has a security issue, how is that different than in the commercial world? At least with OSS someone/anyone can fix the problem. With commercial software you literally have to stop using the software because no fix will ever come.
Your wrongly basing your entire arguement on the idea that OSS programmer(s)=loner(s) with other "real" jobs. That is simply not the case for many OSS projects. Commercial OSS companies like Red Hat, Suse/Novell, et al are and have been the driving force in OSS for some time now. Look at any big distro, any major software project etc and at this point chances are they are being bankrolled and supported by commercial copanies that are paying people to work on them and deal with things like security issues. And if a popular project has a security flaw that an author won't address, and distros won't fix because its not part of their distro...well you know the deal, use the source luke.
I see what your trying to say but again your arguement is flawed as "traditional" OSS development no longer means unpaid and non-commercial. I don't think that the people buying Red Hat linux and getting security support for years and years would share the same viewpoint. And I also don't think that commercial companies put more into security than OSS programmers do. History just doesn't show that.
For version
OSS is particulary well suited to dealing with security issues IMHO and the problems it has with security are more or less the same problems that commercial software makers face. Your floating down a well known river in Egypt if you think that in the commercial world all projects have people who are paid to soley to work on security.
If you wanna get rich, you know that payback is a bitch