Slashdot Mirror

← Back to Stories (view on slashdot.org)

Debian Struggling With Security

Posted by Zonk on from the invaders-at-the-gates dept.

Masq666 wrote to mention a ZDNet article discussing difficulties Debian is having with security updates. From the article: "...Lack of manpower also appears to be adding to Debian's security woes. Michael Stone, another member of Debian's security team, expressed his frustration to the organisation's security e-mail mailing list in mid-June, saying there was no effective tracking of security problems."

26 of 264 comments (clear)

  1. Solution is obvious, move to Windows by VisualVoice · · Score: 5, Funny

    They have a huge team focusing on security.

    1. Re:Solution is obvious, move to Windows by sharkey · · Score: 5, Funny
      They have a huge team focusing on security.

      Too bad none of them work at Microsoft :(

      --

      --
      "Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
  2. Pick any two by mcrbids · · Score: 5, Insightful

    Secure, Convenient, Cheap.

    Pick any two.

    (General rule, but it does generally follow)

    --
    I have no problem with your religion until you decide it's reason to deprive others of the truth.
    1. Re:Pick any two by diamondsw · · Score: 4, Funny

      Or pick Windows and get none!

      --
      I don't know what kind of crack I was on, but I suspect it was decaf.
    2. Re:Pick any two by HawkingMattress · · Score: 4, Interesting

      Yep but it doesn't apply here. Debian can be secure, convenient and cheap. It could probably be more secure and less convenient but still it is generally a very secure distro... and it's certainly cheap and convenient too
      The problem is not that you can't mix those three in debian particular setting, it's that the debian team seems to serverely lack redundancy. Read: one person has obligations somewhere else and the whole stable security updates process hangs !
      I really hope that Debian is going to make something about it fast, and in a definitive way. I don't want to run something else than debian, really. But this is really embarassing, especially if you have production servers running sarge. And this situation ain't new, Slashdot was very slow to catch it but i read about it last week. Things haven't moved a lot since (well 1 security update was released, but some major exploits have been found in iirc at least two other packages, and nothing coming yet... Other distros had everything fixed by the end of last month)

      I think Debian should clarify the issue, and call for help if it's necessary. And maybe simplify the whole debian democratic process if as it seems from the outside every decision has to go through days and days of pointless discussion.

  3. simple solution by Geekboy(Wizard) · · Score: 5, Funny

    $ apt-get update security-officer

    Problem Solved.

    (Its funny. Laugh.)

  4. How the mighty have fallen... by Gorath99 · · Score: 3, Insightful

    Disturbing to see how the distro that was always renowned for its reliability is now having such troubles.

    I wish the debian team all the luck in the world in fixing this matter. They're in a difficult position now that they're both lagging behind (though much less so than a while back) and cannot claim unparalleled reliability.

    1. Re:How the mighty have fallen... by Ingolfke · · Score: 3, Insightful

      I wish the debian team all the luck

      I think this is probably part of the problem... too many people are wishing them luck and not enough people are actually doing anything to address the problem.

    2. Re:How the mighty have fallen... by tacocat · · Score: 5, Insightful

      It would be a hell of a lot easier if they only supported X86 architecture like all those other Distros you refer to as the ones to lag behind.

      I think what they really suffer from, and I am not expert, is politics of a large system and the perception of lots of power sitting on top. I could be wrong.

      Regardless of what anyone might want to say against Debian, I still believe that they are extremely good at what they do and don't get credit for it. There is no other distro out there that attempts to support as many architectures as effectively (or at all) and if Debian decided to just delete them all except X86/X86-64 then their job would be a hell of a lot easier to execute.

    3. Re:How the mighty have fallen... by dmaxwell · · Score: 4, Insightful

      Supporting arches that span the gamet of bitness and endianness shakes out bugs and bad assumptions that can be hard to find otherwise. These fixes get pushed upstream whenever possible. So Debian is raising the water for a heck of a lot of boats. Until the great license blowup, Debian's X-Strike Force was also a major reason why XFree86 ran on so many platforms. The bit and endian issues THERE are a bitch.

      It might be better in some respects if Debian were x86 only like everybody else but we would all be poorer for it.

  5. Now If This Was Microsoft... by Anonymous Coward · · Score: 3, Insightful

    The tone of the story would be laden with arrogance and derision towards the "Borg", painfully unfunny and unoriginal jokes would follow, and everyone would point to Apple and Linux as the greatest and secure OSes on the planet.

    But since it's not Microsoft, it's a fairly sober writeup, and Microsoft jokes would just follow a little bit later.

    Funny how things work here at slashdot. no i'm not new here. I'd just figure some people would grow up sooner or later.

    1. Re:Now If This Was Microsoft... by Brandybuck · · Score: 3, Insightful

      I'd just figure some people would grow up sooner or later.

      Oh we do indeed grow up. Unfortunately Slashdot has an unending supply of new posters straight out of kindergarten who have no problems at all firmly believing in the rightness of double standards and the logic of conflicting axioms.

      --
      Don't blame me, I didn't vote for either of them!
    2. Re:Now If This Was Microsoft... by Ernesto+Alvarez · · Score: 5, Insightful

      You've got to admit there is a fundamental difference that would also cause that change of attitudes.

      Debian security guys tend to have an attitude of trying to do things right. You're talking about the same people that chose to stop everything when they were compromised last year (and that was two days before a woody revision release). It's no surprise that people think of them as a good team without the necesary resources that need help. After all, they appear to do what they can with whatever resources they've got.

      Microsoft, however, is known for turning a blind eye to big problems, trusting no one will find out and trying to NDA the hell out of everyone. Considering people pay big $$$ to them, and they do play dumb more often than they should, guess what the attitude toward them would be.

      MS has been doing things a little better lately, but years of treating security like they did in the '90s aren't forgotten that easily.

      I like Debian, and really hope they can solve their staff shortage. I wouldn't like them to go under because of this.

      --
      GPG 0x1B479C78
  6. Boring jobs by ignorant_coward · · Score: 3, Insightful


    It isn't any suprise that the boring and the mundane tasks fall short in manpower.

    This is why there needs to be more commercial involvement in FOSS, so that people who just want a day job and a paycheck can do these sorts of things.

    1. Re:Boring jobs by SirSlud · · Score: 3, Insightful

      I understand what you're trying to say with your sig, but when you're as smug as you seem to be, you lose the priviledge of calling somebody else on their biases.

      That out of the way, capitalism is about capitalizing labour; that is, putting people together that create more value than if they worked seperately. That is the fundamental reason why we CAN sell things; we're able to capitalize labour and create things for less cost than would be born upon people if everybody created said thing individually.

      Statements like your are grossly off the mark. BSD licenses, any other open source licenses that allow you to use the source but not have to open up your own, have helped many a person make money. What folks like you fail to realize is that you use the term open source as if its a catch all for anybody creating software for free. In fact, irony of ironies, the patent system was designed to FORCE your methods and secrets in the open in return for protection from the government. So who's being anticapitalist now? The very tennants of innovation in capitalism are strongly tied to having people share information. The anti-capitalist yahoo's of whom you speak simply have a much broader, more historically acturate understanding of the balance between technological progress and motivation to innovate. I'm not against selling stuff, I'm not against capitalism, I'm simply suggesting that once the fear dies down in a decade or so, and code itself becomes more commoditized, it will be in the interest of those who wanna make a shit load of money to patent software based on the source, not a description of what the thing does.

      Look at early patents; its not what you can do, its HOW you do it. Its the means, not the end. Nobody could patent the generation of electricity; only METHODs for generating electriciy. I predict that at the rate of current software patent filing, litigation will become too expensive for the market versus the costs of opening up source in order to protect your invention. I guess thats ironic, given people's fear of open source licenses.

      --
      "Old man yells at systemd"
  7. Too many packages? by slavemowgli · · Score: 5, Interesting

    It's just a random thought, but have the Debian people ever contemplated whether their problems in this regard may stem from the fact that they have too many packages? The package list for the latest stable lists an incredible 16834 individual packages, and even though there are many programs which come in different flavours and thus contribute as more than one package, this still is a huge number.

    I can certainly see why security management gets a problem here. Maybe the Debian project should cut down on these and see just how many packages are really needed.

    --
    quidquid latine dictum sit altum videtur.
    1. Re:Too many packages? by Chmarr · · Score: 5, Funny

      Well, it works for the OpenBSD people... OpenBSD is the most secure system out of the box because the box is really small, and it's hard to get it open :)

      My karma is now really, really shot.

    2. Re:Too many packages? by lakeland · · Score: 4, Insightful

      Consider a situation where a server has been set up and is running well in a company. That server has been working for several years, and while it may not have whiz-bang features, it keeps working every day just as well as it did the day before -- nothing ever breaks.

      Now, if a security issue is discovered in a package running on that machine, they do not want to upgrade to the latest release because they would worry about what it changes -- they want that one issue fixed and everything else to continue the same as before. Debian Stable is designed for people like this, the joke at the end of your post was actually close to the truth -- people really do want debian stable to be stable feature wise.

      Consider another situation, where somebody wants a fairly reliable and a fairly up-to-date server. When a bug is discovered, and especially security-related bugs, they'd like an updated package. On the other hand, they don't want to be sent the latest buggy software, they'd like it restricted to software that appears pretty stable. Debian Testing is designed for people like this.

      It sounds from your post that you cannot imagine people preferring a quirky, somewhat old, consistant distro over one kept up to date with bug fixes. I assure you that there is a large market for the stable distro, but if you are not in that market, there are plenty of others available.

    3. Re:Too many packages? by cperciva · · Score: 4, Informative

      Is FreeBSD having the same problems, or are they handling the situation, or are they just ignoring it?

      The FreeBSD base system is supported quite well, although we have had occasional manpower problems (e.g., when one member of the security team is travelling around Japan on work, one member is writing his doctoral thesis, another member is job-hunting, et cetera).

      The FreeBSD ports tree is supported on a "best effort" basis -- we make no guarantees, but we do our best.

      --
      Tarsnap: Online backups for the truly paranoid
  8. Security support is ill-suited to open source by cperciva · · Score: 4, Insightful

    Woah! Wait a moment before you start flaming me on the basis of my subject line...

    The problem of providing security support is ill-suited to being solved by the traditional "mob of volunteers" approach which describes most open source development. When you're doing development, it doesn't matter if you have five people coding one week and nobody doing any coding the next week; but when it comes to dealing with a constant stream of security issues which are being reported (in particular, from upstream vendors), it is important to guarantee that there will be someone around to deal with them. When the entire security team consists of people who have other full-time jobs, it's impossible to make sure that someone will be around when they are needed.

    The job of "security officer" is really one which should be a job, not a role-played-by-a-volunteer. Go out and raise some money to pay for your security officer, so that he is able to always be available when he is needed, because if he needs to get some other job to support himself, he won't be around when you need him.

    --
    Tarsnap: Online backups for the truly paranoid
  9. Re:Close: Switch to OS X by cwalker · · Score: 3, Informative

    I thought that this sub-thread was so stupid that it was not worthy of a response but this list of incredible flaws in Linux that are supposedly fixed in OS X or Windows is so ridiculous, I just had to respond.
    1. More secure? Not true. All Operating Systems have problems, closed sources Operating Systems have more problems than others becuase there are fewer people viewing and fixing the bugs and other problems. An Operating System's security depends greatly on the configuration and administration not that is is created or modified by a certain company.
    2. Not true either. Speed depends on configuration and administration. Mac's are tuned for certain things where Linux can be tuned in any cofiguration you so desire.
    3. More advanced or aged only because it is running a version of FreeBSD which is so close to linux how can you call it anything but *NIX?
    4. Built for idiots that rather the computer maintain control. I, on the otherhand, like to control my computer.
    5. Linux is backed by many successful companies such as IBM, Novell, Redhat, etc., etc as well as a world of seasoned programmers.
    6. See above. Open source programming does not mean amateurs. Most of the open source programmers are seasoned vets that work full time for large companies.
    7. Most of OS X is open source because it is Free BSD. Note the "Free" part of that. (see http://www.freebsd.org/copyright/copyright.html)
    7. (you probably meant 8 right?) See above statements. OS X is mostly FreeBSD which means they do not own the code. The GUI, they own, but so what. The kernel is still UNIX!

    If the list goes on I would like to see it because this preliminary list is bogus.

    --
    Caleb Walker
  10. Re:Let it go Louie by say · · Score: 4, Insightful

    Bullshit. All the technically sweet linux distributions out there which use apt are more or less resting on debian's shoulders. If you watch the security changelogs - or the regular changelogs - of ubuntu packages, you'll see that nine out of ten get made by debian, adapted to ubuntu and thrown to the ubuntu servers. Some are just renamed to "-ubuntu" and passed on. And a very few are actually maintained by ubuntu themselves.

    We can't move on. Much of the linux community depends on a well-functioning debian organization. They are lacking man-power to keep their security updates as fast as the multi-employee-distributions. That doesn't mean they're technically behind, and that we have something better to move to. Although the commercial distros would love that.

    --
    Roses are #FF0000, violets are #0000FF, all my base are belong to you
  11. A lot of assumptions for a page and a half article by atokata · · Score: 4, Insightful

    The article didn't go quite as in depth as I would have liked. Specifically, the Debian apt repositories have literally, and you may quote me, zillions* of packages. I'm fairly certain they have quite a few more than, say, Red Hat has binary packages in their repositories.

    Therefore, it would follow that if 4% of Debian packages had security vulnerabilities that would equate to a substantially greater number of packages than would the same 4% of Red Hat packages.

    The other important thing to keep in mind is that it's unlikely many users would install all zillion packages at one time.

    Finally, the article implies Debian and Red Hat are in competition. However, as literate geeks will know, Debian is the OS of "Software in the Public Interest" http://www.spi-inc.org/about which is a non-profit entity. Therefore, while one could argue that Red Hat (a for-profit enterprise) and Debian are in competition for userbase, by no means are they in direct competition for 'business'.



    *Debian website says "over 15490." Which begs the question, how many more than 15490? 15491?

  12. parent Flamebait by Britz · · Score: 3, Insightful

    Parent post is a flamebait and I wonder what moderators are smoking today.
    Debian is much more than a distribution. And there is unfortunately nothing better than Debian (as in the distro) to move on to. There is a reason why many distributions are build on Debian.
    Please point me to a distro that can manage version upgrades even half as gracefully as Debian.
    There was a discussion about Ubuntu on Slashdot and it was argued that if Ubuntu continues to be diverge further from sid and stay incompatible it will eventually dissolve, because the team will never be able to support the huge package base.

    I am a desktop Linux user that started out with Debian 2.1 Slink and I also have the feeling that Debian has had some major issues lately.

    About the security issue:
    Heise security published it first 10 days ago:
    http://www.heise.de/newsticker/meldung/61076

    As a result of this a discussion on the Debian security mailing list ensued:
    http://lists.debian.org/debian-security/2005/06/ms g00142.html

    Heise Online then reported on that as a result of that discussion:
    http://www.heise.de/newsticker/meldung/61125

    For those that can't read German the article says that of the five members that should make up the security team four are not active at the moment if they ever were. The only remain one is Martin Schulze aka Joey. He has been pretty busy with the organisation of the Linuxtag. So he was cut off from the action. Debian people are working on the problem.

    Everyone that is not satiesfied with the current state of affairs should get their hand dirty helping instead of complaining. After all Debian forms the bases of "plenty of well-managed, technically sweet linux distributions out there".

    Like Knoppis, Ubuntu or Xandros. Full list here:
    http://www.debian.org/misc/children-distros

  13. Here's why your wrong by bogie · · Score: 4, Insightful

    "When the entire security team consists of people who have other full-time jobs, it's impossible to make sure that someone will be around when they are needed."

    Your wrongly basing your entire arguement on the idea that OSS programmer(s)=loner(s) with other "real" jobs. That is simply not the case for many OSS projects. Commercial OSS companies like Red Hat, Suse/Novell, et al are and have been the driving force in OSS for some time now. Look at any big distro, any major software project etc and at this point chances are they are being bankrolled and supported by commercial copanies that are paying people to work on them and deal with things like security issues. And if a popular project has a security flaw that an author won't address, and distros won't fix because its not part of their distro...well you know the deal, use the source luke.

    I see what your trying to say but again your arguement is flawed as "traditional" OSS development no longer means unpaid and non-commercial. I don't think that the people buying Red Hat linux and getting security support for years and years would share the same viewpoint. And I also don't think that commercial companies put more into security than OSS programmers do. History just doesn't show that.

    For version .002 for widget X that isn't widely used and gets abandoned for lack of interest and now has a security issue, how is that different than in the commercial world? At least with OSS someone/anyone can fix the problem. With commercial software you literally have to stop using the software because no fix will ever come.

    OSS is particulary well suited to dealing with security issues IMHO and the problems it has with security are more or less the same problems that commercial software makers face. Your floating down a well known river in Egypt if you think that in the commercial world all projects have people who are paid to soley to work on security.

    --
    If you wanna get rich, you know that payback is a bitch
  14. Zdnet: do some fact checking next time by joey · · Score: 3, Informative

    I think it's indicative of the quality of this zdnet article that it attributes a page I maintain to Martin Schulze. More details in my blog entry, here:

    http://kitenet.net/~joey/blog/entry/secfud-2005-07 -06-11-28.html

    --
    see shy jo