Debian Struggling With Security
Masq666 wrote to mention a ZDNet article discussing difficulties Debian is having with security updates. From the article: "...Lack of manpower also appears to be adding to Debian's security woes. Michael Stone, another member of Debian's security team, expressed his frustration to the organisation's security e-mail mailing list in mid-June, saying there was no effective tracking of security problems."
They have a huge team focusing on security.
Secure, Convenient, Cheap.
Pick any two.
(General rule, but it does generally follow)
I have no problem with your religion until you decide it's reason to deprive others of the truth.
$ apt-get update security-officer
Problem Solved.
(It's funny. Laugh.)
Now that this has been published on /. it will have to be revised to "no effective tracking of security problems by the good guys".
I'm an American. I love this country and the freedoms that we used to have.
Disturbing to see how the distro that was always renowned for its reliability is now having such troubles.
I wish the debian team all the luck in the world in fixing this matter. They're in a difficult position now that they're both lagging behind (though much less so than a while back) and cannot claim unparalleled reliability.
The tone of the story would be laden with arrogance and derision towards the "Borg", painfully unfunny and unoriginal jokes would follow, and everyone would point to Apple and Linux as the greatest and secure OSes on the planet.
But since it's not Microsoft, it's a fairly sober writeup, and Microsoft jokes would just follow a little bit later.
Funny how things work here at Slashdot. No, I'm not new here. I'd just figure some people would grow up sooner or later.
It isn't any surprise that the boring and the mundane tasks fall short in manpower.
This is why there needs to be more commercial involvement in FOSS, so that people who just want a day job and a paycheck can do these sorts of things.
Switch to Solaris 10. Even in the very unlikely event you hose your system, just reboot from your last "live upgrade" partition and you're back into production.
It's just a random thought, but have the Debian people ever contemplated whether their problems in this regard may stem from the fact that they have too many packages? The package list for the latest stable lists an incredible 16834 individual packages, and even though there are many programs which come in different flavours and thus contribute as more than one package, this still is a huge number.
I can certainly see why security management becomes a problem here. Maybe the Debian project should cut down on these and see just how many packages are really needed.
quidquid latine dictum sit altum videtur.
Not to start a flamewar (well, maybe a little) - OSS will need to meet the challenge of managing all of the little details of a widely accepted OS. Red Hat is grappling with that problem now with some success. Having what you believe to be a better widget is not enough.
I originally posted this on http://bitsofnews.com/ but decided to post it on Slashdot also. It's a bit sad, though, that Debian is struggling with its security updates. Debian used to be a nice distro, but I've changed to SuSE myself due to the lack of updates.
Bits of News Giving you the latest bits.
http://newraff.debian.org/~joeyh/stable-security.html is an incomplete list of issues currently affecting stable. It's not 100% correct; in addition to the provisos at the top of the page, it doesn't seem to know about recent updates such as this morning's Gaim update.
Actually, being American in the Sahara (and all of Muslim-dominated North Africa) makes you pretty prone to physical attacks :).
Ah yes, it sounds like Debian has followed Gentoo and BSD down the path to oblivion.
Woah! Wait a moment before you start flaming me on the basis of my subject line...
The problem of providing security support is ill-suited to being solved by the traditional "mob of volunteers" approach which describes most open source development. When you're doing development, it doesn't matter if you have five people coding one week and nobody doing any coding the next week; but when it comes to dealing with a constant stream of security issues which are being reported (in particular, from upstream vendors), it is important to guarantee that there will be someone around to deal with them. When the entire security team consists of people who have other full-time jobs, it's impossible to make sure that someone will be around when they are needed.
The job of "security officer" is really one which should be a job, not a role-played-by-a-volunteer. Go out and raise some money to pay for your security officer, so that he is able to always be available when he is needed, because if he needs to get some other job to support himself, he won't be around when you need him.
Tarsnap: Online backups for the truly paranoid
For example, Debian currently lets me choose between "openssh-client" version 4.1p1-4, or "ssh-krb5" version 3.8.1p1-8; I have to pick between a recent version or Kerberos support.
I still like Debian and its derivatives, but I decided that it imposed constraints that I was not personally willing to work under.
Don't even get me started on the unavailability of X.org and KDE 3.4. Although there's nothing about source-based systems that makes them inherently more up-to-date, the big names (FreeBSD and Gentoo) seem to do a better job of it than the binary distros have been able to manage. Perhaps there's something to be said for supporting a relatively small number of hardware platforms. Gentoo even supports platform-specific versioning, so x86 users can play with the latest and greatest apps, even if they don't build on m68k.
To each his own, of course. Those are the reasons I made my decision, but I'm sure they're far from universal.
Dewey, what part of this looks like authorities should be involved?
All of the BSDs currently have excellent package-management systems that can elegantly handle both binary and source packages. pkgsrc in particular is a really nice system---further, it has the advantage of not being tied to one OS. Although it is developed primarily for NetBSD, it can be used from any of the other BSDs, Linux, several Unices, and even Windows (with Interix, i.e. Windows Services for UNIX).
In fact, it's definitely worth checking NetBSD out; the 2.x line has been really interesting, and development is continuing to move forward at a rapid pace. If you're on a single-processor system, it's arguably one of the best-performing OSes available at the moment, and it in general will work. Add that to the fact that you could probably port it to your toaster if you were dedicated enough, and it's worth giving serious consideration to as an alternative to Debian, or indeed anything else.
I don't know about recent issues, but for the last year or even two years of Woody being the stable version, there were many security problems in Woody which were resolved very slowly or not at all, while unstable was usually fixed in a reasonable time.
Of course, unstable is what it says. You get new features, different behaviour and even broken software all the time. Not a very good thing in a production environment. And right now there are some major changes going on in unstable (the C++ ABI and X.org transitions) and I would be extremely cautious using it. But if the release of Etch takes as long as Sarge did, unstable will be the way to go again in 2007 at the latest.
I thought that this sub-thread was so stupid that it was not worthy of a response but this list of incredible flaws in Linux that are supposedly fixed in OS X or Windows is so ridiculous, I just had to respond.
7. (you probably meant 8 right?) See above statements. OS X is mostly FreeBSD which means they do not own the code. The GUI, they own, but so what. The kernel is still UNIX!
1. More secure? Not true. All operating systems have problems; closed-source operating systems have more problems than others because there are fewer people viewing and fixing the bugs and other problems. An operating system's security depends greatly on the configuration and administration, not on whether it is created or modified by a certain company.
2. Not true either. Speed depends on configuration and administration. Macs are tuned for certain things, where Linux can be tuned in any configuration you so desire.
3. More advanced or aged only because it is running a version of FreeBSD, which is so close to Linux how can you call it anything but *NIX?
4. Built for idiots who would rather the computer maintain control. I, on the other hand, like to control my computer.
5. Linux is backed by many successful companies such as IBM, Novell, Redhat, etc., etc as well as a world of seasoned programmers.
6. See above. Open source programming does not mean amateurs. Most of the open source programmers are seasoned vets that work full time for large companies.
7. Most of OS X is open source because it is FreeBSD. Note the "Free" part of that. (See http://www.freebsd.org/copyright/copyright.html)
If the list goes on I would like to see it because this preliminary list is bogus.
Caleb Walker
Bullshit. All the technically sweet linux distributions out there which use apt are more or less resting on debian's shoulders. If you watch the security changelogs - or the regular changelogs - of ubuntu packages, you'll see that nine out of ten get made by debian, adapted to ubuntu and thrown to the ubuntu servers. Some are just renamed to "-ubuntu" and passed on. And a very few are actually maintained by ubuntu themselves.
We can't move on. Much of the linux community depends on a well-functioning debian organization. They are lacking man-power to keep their security updates as fast as the multi-employee-distributions. That doesn't mean they're technically behind, and that we have something better to move to. Although the commercial distros would love that.
Roses are #FF0000, violets are #0000FF, all my base are belong to you
asshat as well.
if linux users got what they paid for, they'd get nothing, you.. you..you bill hates follower.
I'd rather pay nothing, take that money and either put it towards a hardware router for security (just plug it in).. or save that money for something else fun..and set up a linux software firewall/router (easy, just point&click).
If people didn't have windoz forced on them when they buy in major outlets, they would get used to linux quicker.
at least with linux, when you put the effort into fixing it the way you want (note: linux at least has that option!), then we have a functional & hardened box.
I hope I didn't use tooo many big words there, mr coward :)
I will gladly lose all of life's battles.. in order to win the war..
To say nothing of the fact that Ubuntu raided many key developers from Debian, which is now left scraping for help. Ubuntu is slightly repackaging the work of the real packagers, the Debian people, and calling it a new distro. It's basically a hostile fork, and we are the worse for it.
The article didn't go quite as in depth as I would have liked. Specifically, the Debian apt repositories have literally, and you may quote me, zillions* of packages. I'm fairly certain they have quite a few more than, say, Red Hat has binary packages in their repositories.
Therefore, it would follow that if 4% of Debian packages had security vulnerabilities that would equate to a substantially greater number of packages than would the same 4% of Red Hat packages.
The other important thing to keep in mind is that it's unlikely many users would install all zillion packages at one time.
Finally, the article implies Debian and Red Hat are in competition. However, as literate geeks will know, Debian is the OS of "Software in the Public Interest" http://www.spi-inc.org/about which is a non-profit entity. Therefore, while one could argue that Red Hat (a for-profit enterprise) and Debian are in competition for userbase, by no means are they in direct competition for 'business'.
*Debian website says "over 15490." Which begs the question, how many more than 15490? 15491?
I notice no one responded to your question *yet*, so I'll give me
Nothing *compares*, but you have to compare apples with apples.
And since Debian is, well, only Debian, I can only add that Synaptic (graphical front end) for apt-get is a lot easier to use when you want to install or change a lot of programs.
I also notice quite a few of the *other* distros are implementing apt-get/synaptic with their releases, in addition to whatever else they would normally have as default (i.e. urpmi, Kpackage, etc). :)
I will gladly lose all of life's battles.. in order to win the war..
OS X is mostly FreeBSD which means they do not own the code. The GUI, they own, but so what. The kernel is still UNIX!
No, not really. The kernel is Apple's own creation (Xnu, I think they call it, but I'm not positive on that). As I recall, it's a Mach-derived kernel. The user-space is all FreeBSD-based, but the core microkernel is not.
And Apple owns more than just the GUI. They own the APIs, too. You know, CoreFoundation, Cocoa, Carbon, all those fancy things that allow Mac developers to quickly and easily make all those wonderful programs.
Mac OS X is far, far more than simply FreeBSD with a proprietary window server...
Parent post is flamebait and I wonder what moderators are smoking today.
Debian is much more than a distribution. And there is unfortunately nothing better than Debian (as in the distro) to move on to. There is a reason why many distributions are built on Debian.
Please point me to a distro that can manage version upgrades even half as gracefully as Debian.
There was a discussion about Ubuntu on Slashdot and it was argued that if Ubuntu continues to diverge further from sid and stay incompatible, it will eventually dissolve, because the team will never be able to support the huge package base.
I am a desktop Linux user that started out with Debian 2.1 Slink and I also have the feeling that Debian has had some major issues lately.
About the security issue:
Heise Security published it first, 10 days ago:
http://www.heise.de/newsticker/meldung/61076
As a result of this a discussion on the Debian security mailing list ensued:
http://lists.debian.org/debian-security/2005/06/m
Heise Online then reported on that as a result of that discussion:
http://www.heise.de/newsticker/meldung/61125
For those that can't read German, the article says that of the five members that should make up the security team, four are not active at the moment, if they ever were. The only remaining one is Martin Schulze, aka Joey. He has been pretty busy with the organisation of LinuxTag, so he was cut off from the action. Debian people are working on the problem.
Everyone that is not satisfied with the current state of affairs should get their hands dirty helping instead of complaining. After all, Debian forms the basis of "plenty of well-managed, technically sweet linux distributions out there".
Like Knoppix, Ubuntu or Xandros. Full list here:
http://www.debian.org/misc/children-distros
"When the entire security team consists of people who have other full-time jobs, it's impossible to make sure that someone will be around when they are needed."
For version .002 for widget X that isn't widely used and gets abandoned for lack of interest and now has a security issue, how is that different than in the commercial world? At least with OSS someone/anyone can fix the problem. With commercial software you literally have to stop using the software because no fix will ever come.
You're wrongly basing your entire argument on the idea that OSS programmer(s) = loner(s) with other "real" jobs. That is simply not the case for many OSS projects. Commercial OSS companies like Red Hat, SuSE/Novell, et al. are and have been the driving force in OSS for some time now. Look at any big distro, any major software project etc. and at this point chances are they are being bankrolled and supported by commercial companies that are paying people to work on them and deal with things like security issues. And if a popular project has a security flaw that an author won't address, and distros won't fix because it's not part of their distro... well, you know the deal, use the source, Luke.
I see what you're trying to say, but again your argument is flawed, as "traditional" OSS development no longer means unpaid and non-commercial. I don't think that the people buying Red Hat Linux and getting security support for years and years would share the same viewpoint. And I also don't think that commercial companies put more into security than OSS programmers do. History just doesn't show that.
OSS is particularly well suited to dealing with security issues IMHO, and the problems it has with security are more or less the same problems that commercial software makers face. You're floating down a well-known river in Egypt if you think that in the commercial world all projects have people who are paid solely to work on security.
If you wanna get rich, you know that payback is a bitch
The lead post is titled "Debian Struggling With Security," in part because the Debian team is short-handed.
There are 200 or so Linux distros. But Open Source doesn't magically endow you with the organization, money and manpower needed to maintain any one of them.
4. Built for idiots who would rather the computer maintain control. I, on the other hand, like to control my computer.
George Eastman had a slogan: "You click the button, we do the rest." Once a technology becomes accessible to the masses, the hobbyist and his obsessions are driven to the margins. Calling your opponents idiots doesn't change a damn thing.
Yes, there are times when Unstable gets fixed faster than Stable. The way the whole Stable/Testing/Unstable thing works is that a package maintainer submits a package to Debian. It is placed in unstable. If it survives two weeks there, it is moved to testing. Eventually, there is a freeze and all of testing becomes stable. Now, if a bug is found in a testing package, a new package is submitted to Debian to replace it. So it ends up in Unstable for two weeks. Packages can be fast tracked from Unstable to Testing if the issue is severe.
Regarding whether Unstable got a fix at the same time as Gentoo, that depends on whether or not the package maintainer is following the source as closely as Gentoo. In theory, there should be no difference.
After all, I am strangely colored.
This has been fun. I have frequented the forums for a while now and have never really posted anything other than brief comments here and there, but this one I thought I would go at it full board. Thanks for the replies, and you are all right. My response has been short and to the point with many technicalities left out because it was a spur-of-the-moment post. That's what makes this fun and able to enjoy everyone else's take on matters.
As far as OS X being FreeBSD goes, that is absurd, and I should have stated it more correctly: it is derived from FreeBSD. It is as close to FreeBSD as Linux is to UNIX, and OS X is UNIX as well.
Stating that open source is just plain more secure is an obvious over-simplification. But the fact is that open source applications, especially the Linux kernel has a better chance of being more secure with more eyes on the code world-wide.
For someone to call Windows and Mac users my opponents is funny as well. I don't have opponents in the computer world. I support all of them. I have built fairly complex web server environments on both Linux and Windows. I have had to support Mac users in a graphics environment and have enjoyed it all. I like to express opinions as well as listen to them. And when I said "idiots" it meant that an entirely graphical operating system to me and to most sysadmins is a limitation more than a benefit. If you are a user of the operating system it is better through and through. In other words, at times, GUI OSes are "idiot proof", not that only idiots use them. In fact, I want to buy a Mac for my own personal use but I can't afford one for one.
In the end, my statements were just as short and rash as the original statement.
I am sure you have already read this but check this out as well http://www.apple.com/macosx/features/unix/
Also, take a look at this especially under the heading "BSD": http://www.kernelthread.com/mac/osx/arch_xnu.html
Thanks.
Caleb Walker
I think it's indicative of the quality of this ZDNet article that it attributes a page I maintain to Martin Schulze. More details in my blog entry, here:
http://kitenet.net/~joey/blog/entry/secfud-2005-07-06-11-28.html
see shy jo