Slashdot Mirror


Debian Struggling With Security

Masq666 wrote to mention a ZDNet article discussing difficulties Debian is having with security updates. From the article: "...Lack of manpower also appears to be adding to Debian's security woes. Michael Stone, another member of Debian's security team, expressed his frustration to the organisation's security e-mail mailing list in mid-June, saying there was no effective tracking of security problems."


  1. Re:I ditched debian over the weekend by Zemplar · · Score: 2, Interesting

    Switch to Solaris 10. Even in the very unlikely event you hose your system, just reboot from your last "live upgrade" partition and you're back into production.

  2. Too many packages? by slavemowgli · · Score: 5, Interesting

    It's just a random thought, but have the Debian people ever contemplated whether their problems in this regard may stem from the fact that they have too many packages? The package list for the latest stable lists an incredible 16834 individual packages, and even though there are many programs which come in different flavours and thus contribute as more than one package, this still is a huge number.

    I can certainly see why security management gets a problem here. Maybe the Debian project should cut down on these and see just how many packages are really needed.

    --
    quidquid latine dictum sit altum videtur.
  3. Bits of News by Masq666 · · Score: 2, Interesting

    I originally posted this on http://bitsofnews.com/ but decided to post it on Slashdot also. It's a bit sad though that Debian is struggling with its security updates, Debian used to be a nice distro but I've changed to Suse myself due to the lack of updates.

    --
    Bits of News Giving you the latest bits.
  4. Re:Now If This Was Microsoft... by Anonymous Coward · · Score: 1, Interesting

    This is slashdot, news for nerds who have a psychological need to identify with the underdog in every situation.

    Seriously, I think it's the result of being the outcast for most of one's childhood. By believing that the outsiders Linux/Apple are the best, they elevate themselves by proxy.

  5. Re:Pick any two by HawkingMattress · · Score: 4, Interesting

    Yep but it doesn't apply here. Debian can be secure, convenient and cheap. It could probably be more secure and less convenient but still it is generally a very secure distro... and it's certainly cheap and convenient too.
    The problem is not that you can't mix those three in debian's particular setting, it's that the debian team seems to severely lack redundancy. Read: one person has obligations somewhere else and the whole stable security updates process hangs!
    I really hope that Debian is going to do something about it fast, and in a definitive way. I don't want to run something else than debian, really. But this is really embarrassing, especially if you have production servers running sarge. And this situation ain't new, Slashdot was very slow to catch it but I read about it last week. Things haven't moved a lot since (well 1 security update was released, but some major exploits have been found in, iirc, at least two other packages, and nothing coming yet... Other distros had everything fixed by the end of last month).

    I think Debian should clarify the issue, and call for help if it's necessary. And maybe simplify the whole debian democratic process if as it seems from the outside every decision has to go through days and days of pointless discussion.

  6. Re:Pick any two by GNUALMAFUERTE · · Score: 2, Interesting

    Slackware is secure.
    Slackware is convenient (I know that many will say otherwise, but if you have Unix experience, it's the best solution, really easy to manage).
    It's cheap, it doesn't contain any proprietary software.

    Also, Debian can be as safe as Slackware, the problem with this kind of Distro (Debian) is that the people using it pretend that someone else takes care of their security. A Sysadmin doesn't need some stupid organization to submit patches to him automatically or anything like that. He just has to download and compile all of the critical services of his system, and update them when necessary. Anyone that says otherwise is an Amateur, not a Sysadmin, and if he's an amateur, he shouldn't be running any system bigger than he can manage, and he shouldn't run any critical services, and for the kind of things that an amateur should host the kind of security provided by almost any Unix system is more than enough. The problem with all this shit is that there are lots of amateurs out there calling themselves sysadmins ...

    --
    WTF am I doing replying to an AC at 5 A.M on a Friday night?
  7. Re:Let it go Louie by WryCoder · · Score: 2, Interesting

    To say nothing of the fact that Ubuntu raided many key developers from Debian, which is now left scraping for help. Ubuntu is slightly repackaging the work of the real packagers, the Debian people, and calling it a new distro. It's basically a hostile fork, and we are the worse for it.

  8. Re:Debian alternatives? by Halvy · · Score: 2, Interesting

    i notice no one responded to your question *yet* so i'll give my .02 worth.

    nothing *compares*, but you have to compare apples with apples.

    and since debian is, well, only debian, i can only add that Synaptic (graphical front end) for apt-get is a lot easier to use when you want to install or change a lot of programs.

    I also notice quite a few of the *other* distros are implementing apt-get/synaptic with their releases, in addition to whatever else they would normally have as default (ie urpmi, Kpackage, etc). :)

    --
    I will gladly lose all of life's battles.. in order to win the war..
  9. Re:Debian (and its decline) by eneville · · Score: 1, Interesting

    what a load of trash.

    debian is not in a decline, they just need to slow the package release cycle, the greater number of times packages are released during a month increases the amount of checking required.

    The whole point of stable/testing/unstable is so that the packages filter to stable slowly.

    quit your whining.