Slashdot Mirror

← Back to Stories (view on slashdot.org)

Debian Struggling With Security

Posted by Zonk on from the invaders-at-the-gates dept.

Masq666 wrote to mention a ZDNet article discussing difficulties Debian is having with security updates. From the article: "...Lack of manpower also appears to be adding to Debian's security woes. Michael Stone, another member of Debian's security team, expressed his frustration to the organisation's security e-mail mailing list in mid-June, saying there was no effective tracking of security problems."

2 of 264 comments (clear)

  1. Too many packages? by slavemowgli · · Score: 5, Interesting

    It's just a random thought, but have the Debian people ever contemplated whether their problems in this regard may stem from the fact that they have too many packages? The package list for the latest stable lists an incredible 16834 individual packages, and even though there are many programs which come in different flavours and thus contribute as more than one package, this still is a huge number.

    I can certainly see why security management gets a problem here. Maybe the Debian project should cut down on these and see just how many packages are really needed.

    --
    quidquid latine dictum sit altum videtur.
  2. Re:Pick any two by HawkingMattress · · Score: 4, Interesting

    Yep but it doesn't apply here. Debian can be secure, convenient and cheap. It could probably be more secure and less convenient but still it is generally a very secure distro... and it's certainly cheap and convenient too
    The problem is not that you can't mix those three in debian particular setting, it's that the debian team seems to serverely lack redundancy. Read: one person has obligations somewhere else and the whole stable security updates process hangs !
    I really hope that Debian is going to make something about it fast, and in a definitive way. I don't want to run something else than debian, really. But this is really embarassing, especially if you have production servers running sarge. And this situation ain't new, Slashdot was very slow to catch it but i read about it last week. Things haven't moved a lot since (well 1 security update was released, but some major exploits have been found in iirc at least two other packages, and nothing coming yet... Other distros had everything fixed by the end of last month)

    I think Debian should clarify the issue, and call for help if it's necessary. And maybe simplify the whole debian democratic process if as it seems from the outside every decision has to go through days and days of pointless discussion.