Slashdot Mirror
Debian Addresses Security Problems
An anonymous reader writes "After suffering manpower shortages and other issues, Debian says it has finally addressed concerns that it was falling behind on security. Debian's elected leader Branden Robinson yesterday flagged an inquiry into the processes by which security updates are released, citing a potential lack of transparency and communication failures. It was also an appropriate time to add new members to Debian's security team, as several have been inactive for a while, Robinson said. Debian initial security problems can be found in this earlier Slashdot posting."
I thought debian had over 1000 developers. Don't any of them do security?
GETPKG - Package Management for Slackware
Because before, Debian was in serious danger of falling behind Windows on the security front.
Note to mods: I'm probably being sarcastic.
PROOF that Slashdot submitters have access to previous stories!
Who knew, dupes really aren't necessary after all.
All my liberal friends think I'm a conservative, all my conservative friends think I'm a liberal.
I work for a large organisation that uses debian exclusively, and we haven't had any security problems whatsoe... CLICK HERE TO BUY V1AGR4!!!
Lick me if i'm wrong- but aren't security problems good? I mean, I thought a completely insecure OS led to a monopoly and you becoming the richest man in the world.....
Why are they trying to fix the security issues? don't they know it is bad business?
All you nipple are belong to us
If you like Slackware, and if you've ever tried FreeBSD and seen the BSD "ports collection" system of installing stuff, then you'll probably love Gentoo. I used to be a die-hard Slackware user but use SuSE now since it's too easy and convenient and I've gotten lazy WRT keeping my Linux machines updated... SuSE's Yast Online Update takes all the work out of it.
Genuine interest here as I'm about to upgrade a Debian server from Woody to Sarge this weekend. What sort of issues have you run into?
Cheers,
Ian
Free software is free for you to use, not free to develope.
Software engineers need to put food on the table, so they have to get a real job when there isn't any corporate sponsorship. So now after you take out the time from their busy schedules to survive, there's not a whole lot left for a life and helping develope your free software.
Now instead of a stream-lined process where coders can churn out results, you're left with only a little bit of support from those people, sometimes they get burnt out and take a break, other times they lose all their free time and stop supporting the software. That's when you see things bog down and the need to get more people on board and all the other problems that cascade from the lack of free time.
Wow, a helpful slashdot post, who would have guessed?
Thank you very much.
I've had it running as a webserver/nagios server for the past 3-4 months, first as Sarge was still in testing, and now as stable, and it has not failed me yet. The only time I've had to reboot or anything was when we moved the server to our new rack (not a debian issue). I've not run into any packaging problems, and as for security, it seems pretty solid.
/etc).
I know it's an old discussion, but I suppose you should ask yourself what you want to run it as. As a workstation, I think sarge is a great step forward for debian; however I don't think it doesn't quite fit the needs of most workstations. But that's because it's strength is as a solid server, where updates are minimal and configuration doesn't necessarily mean a GUI.
I love debian for it's consistency and ease of configuration (once you get a feel for the way packages are configured in
I'd definitely say give it a go, if only to see the improvements from woody.
Now let's hope they won't stop there, and make a revamp of the whole Debian process.
Debian needs to react to what's happening around it, and into it. Because we NEED Debian, much more than any other distro.
If Debian happened to die, what choices would we have ? commercial distros, or distros based on commercial ones. That would suck big time. I don't even use Linux on the destop personally, I mostly use it at work on servers now. But i know i sleep better at night knowing that a thing such as Debian exists. It makes the world a better place.
is that they make you jump through many loops before allowing you to help them. I have several pieces of software that I wanted to contribute to Debian, so I figured I might as well be the maintainer for them. I gave up eventually, because it's just too damn bothersome, and another Debian maintainer took my .debs over for me.
IMHO, that's why they have a shortage of manpower, because it's just not easy enough for people to jump in and help.
"A door is what a dog is perpetually on the wrong side of" - Ogden Nash
I haven't done any upgrades from Woody to Sarge. We did it on a test machine 2 weeks ago & consensus was that Woody would stay for some more time till issues are sorted out with Sarge.
A less obvious but perhaps more frequent problem is where security problems are discovered and announced in upstream packages, but the information doesn't flow down to all the distributions. There's no formalised or automated mechanism by which distribution security teams get alerted to relevant upstream security fixes. You might get duscussion of the problem on a mailing list which is specific to the upstream package, but the Debian Security team can't be expected to subscribe to all those lists.
Similarly though, you can't rely on upstream maintainers reliably notifying 19 (or however many) distribution security contacts for each security-relevant release. In the specific case of Debian, this sort of thing is the Debian package maitainer's responsibility. However, there are thousands of Debian packages; some of the maintainers are very responsive and some are less so. Even the responsive ones go on vacation sometimes.
I'm an upstream maintainer. I'm pretty sure that for some of the distrubutions, nobody has subscribed to the mailing list where security problems would be announced (bug-whatever@gnu.org). In this particular exmaple, Debian isn't one of them - the Debian maintainer in this specific case is very active.
However, having a single point where Linux-relevant security announcements could go would be useful. BUGTRAQ simply isn't it (partly because its mailing list software is somewhat broken, also because of the noise level due to broken out-of-office response programs, and because solving this problem isn't the goal of that mailing list). That way, at least the Debian Security team - among others - could count on being notified reliably about known problems.
Of course then you still have a workload for the security team of analysing problems, deciding on responses and preparing NMUs. That may indeed require more people - I'm not claiming that an aggregated feed of upstream security concerns and fixes solves the whole problem.
Well, my DSL-Router/Firewall/Printerserver/Fileserver is running Debian. And doing so for 2 years without much trouble/attention and barely a reboot. I don't even have a keyboard or monitor attached to it. And it's running the "unstable" branch.
Granted, Debian is not really for the Desktop weenies. But my desktop is OS X. So no problem with that.
Just because I can imagine doing a hippopotamus, doesn't mean I'd like to do it.
I think one of the main problems for debian stems from the use of .debs. Sure, they are still superior in a fews ways to rpms, but rpm has by and large caught up since rpm v3 and certainly rpm v4,
.spec file is really discouraging for developers wanting to package their stuff up for debian.
/usr/src/debian/RPMS ...
The baroque complexity of the debian/ subdirectory and build processes compared to an rpm
Similarly, while apt trailblazed decent dependency handling, the latest versions of yum are catching up and, extremely importantly, it is far simpler to set up a yum repository than an apt one - so third party developers can very simply set up a website with a small repository and manage it themselves.
There'd be initial massive outcry I guess, but if Debian were to just adopt rpm, life would become much simpler.
I found Branden's Debian Project Leader Report to be more informative. Although, at least zdnet had the courtesy to link to it in their so-called article.
Since it's based on Debian, is Xandros also affected by the security issues?
My Tech Posts on Twitter
looks like the new leadership does some good moves
let's see how it develops...
Alexan
Cytopia - Psytrance Music downloads
Arch uses a "rolling release" schedule so use the builtin package manager to upgrade and bam! your current. The package manager even resolves dependencies!
Holy crap, I didn't realize Slack had become so modern! And just to think that I'm stuck with dpkg and apt, that can't resolve dependencies and automatically upgrade your box...
"A door is what a dog is perpetually on the wrong side of" - Ogden Nash
i have one server thats running sendmail rather than the debian standard exim and both aptitude dist-upgrade (the reccomended upgrade method) and apt-get dist-upgrade wanted to remove it even after i manually upgraded it to the sarge version first.
i ended up using apt-get upgrade to upgrade the bulk of the system then upgrading a load of stuff manually with apt-get install and then finally finishing the job with apt-get dist-upgrade
mind you red hat basically tell you too take the system offline and use the installer to upgrade which i find even less desirable than giving apt a bit of assistance with the upgrade process.
before upgrading read the release notes as they document other issues you could run into if you don't take care. but DO NOT follow those instructions blindly always check what apt-get or aptitude plans to remove before saying yes.
note: i'm known as plugwash most places but i screwd up registering that here somehow in the past and now can't register
I use slackware, myself, although I was thinking of giving Debian Sarge a try
Depends on what you're trying to achieve. If you are running a server, especially one that is exposed to the internet or a large number of users (e.g. web server), Debian stable is really great. Especially with the ability to setup automatic updates; you can set it up, and not have to really touch it for another 2-3 years.
If on the other hand you are using it for a desktop, development, or "tinkering" machine, Debian unstable or some other distro would probably be a better choice.
#!/
I used Slack before I switched to Debian, and never looked back. I don't know your reasons for using Slackware, but for me it was that I like to be in control and not clutter my system with useless stuff. Debian allows you a lot of flexibility, but its package management system (which I honestly believe is the best in the world) makes everything a lot easier.
;-) )
You can have a very basic installation for about 100 MB. I personally think that's already a bit heavy, but it's definitely better than a lot of other distros. From there, you can get almost everything you care to mention, just by runnig apt-get install package-name. Dependencies are all taken care of automatically. You can customize how many questions you are asked during installation, from no questions to lots of options (and you can always re-run the configuration questions later).
In terms of quality, you can hardly go wrong with Debian. Everything is tested and tested again before it goes into stable (which is why there are such long times between releases), but even the packages in unstable tend to work just fine. I'd say unstable is about as up to date as Slackware-current, so if that's what you like, Debian can give it to you too.
Upgrading from one version of Debian to another is as simple as setting the right apt-repository and running apt-get update && apt-get dist-upgrade.
I don't know what more to say. Just try it for yourself.
(And for those who think I'm a Debian zealot: it's worse than that. I use OpenBSD at home.
Please correct me if I got my facts wrong.
My mail server broke. I run postfix and need TLS to communicate with my upstream ISP. (My own IP is scorched earth it seems.) I didn't notice the bustage until a user complained. The bug appears to be 307780.
... to know is:
Why the hell are slashdotters trusting news about Debian from friggen zdnet? And a blog on zdnet to boot!
I mean... c'mon... it's zdnet... with about as much credibility as The Star.
...Rob
The American Dream isn't an SUV and a house in the suburbs; it's Don't Tread On Me.
Check that all rare and/or important packages you use on Woody are also available as stable or testing in the new OS version.
I expected more (it's not that much friendlier/different from Woody and some packages just aren't available) and am migrating this Sarge server to CentOS 4.1 after I complete CentOS tests.
I'm a long time Slack user (especially for servers) and every time I've tried another distro, I've always found myself switching back to Slackware. Nothing against Debian though. apt-get was nice but I've always been happy with swaret. I've also always been a big fan of Slack's rc files (probably due to me being a BSD fan). I've also had great luck with stability on Slack (2+ years uptime on one of my servers). I always found it fun to try something different every once in a while, but personally I would stay with Slack. As they say: If it ain't broke, don't fix it.
Just my 2 cents...
Slackware
I like Sarge, but I've never used Slack. I've used it for about a year now. apt-get really is a great bit of software. Packages are designed to install and configure themselves intelligently, if not optimally. As long as you're not a pansy about typing into the command line, everything just works. But you can still tweak/install from source if you'd like. The default installation is not as slim as I'd like -- it weighs in at about 350 MB if you don't select any packages other than those "required" by the system. You can trim it if you'd like.
/., it's terrific. lists.debian.org is a great resource. Smart questions are usually answered by curteous developers/users within an hour.
Regardless of the reputation the community has on
Enough raving about debian. Having never tried Slack, I can't say how they compare, but I think it's clear I'd recommend Sarge.
After all, I am strangely colored.
Debian was my first GNU/Linux distribution. 1.3 was the stable at the time, but I ran the 2.0 unstable canidate. For a while I've used others... but I always come back to Debian. The Debian Security Team is a big part of the reason. The comunity nature of Debian, and the history of Debian represent a real important part of the Free Software comunity.
Security is often a thankless job. People only care once something goes wrong. They don't see all the work it takes to coordinate timely security responce. It should also be noted that Debian takes a proactive approach to security with the Debian Security Audit Team.
Debian lost a lot of its reputation with the delays for the current stable release. I think the future of Debian, if its to keep its reputation, will be to move to a standard release cycle of once every 2 years. Sure the Debian releases are few and far between compared to other distributions, but Debian is about software Freedom, not bleading edge technology. It provides a solid and secure OS, and most system administrators don't want to roll out a new version of an OS every 2 years, in fact, most would rather keep running an OS as long as there are security updates.
There are certainly a lot of challanges for Debian right now, hopefully the "Security Issue" goes away with this change.
http://www.advogato.org/person/vorlon/
I've always wondered who these people were... I know that Linus was in college when he developed Linux, and that RMS actually was receiving money for sales of emacs when we first started... but who are the rest of the free software developers? Are they all academics? Corporate wageslaves like the rest of us whose company pays them to develop software and release it to the world? Are they mostly retirees? Independently wealthy? I'd love to contribute back to the OSS world, but other than a bug fix here and there, I've never been able to find the time (what with the mandatory 70 hour workweeks and all...). I've always wondered how they do it... do these people ever sleep?
I did it, I did it on purpose and I'd do it again.
Debian is far from becoming irrelevant. Where did Knoppix start? Xandros? Ubuntu?
These and many other distros can be seen, under the right light, as branches on a Debian trunk. I feel fairly confident in saying that no other distro could provide a sufficiently robust and broad base upon which to build.
Ubuntu and company can do as they please. Some may, eventually, cease to be recognizable as Debian-based, but that will take a very long while.
In the meantime, Debian will continue to be an example of how large-scale projects should be run. After all, Debian has been around a long time; and in that time they have managed to build up what is arguably the largest repository of software the community has. They've also managed to support a considerable number of architectures and they've done it all quite well IMHO.
Push the envelope. Watch it bend. -Tool
When people talk of Free Software, at least on Slashdot and other technical communities, they are usually referring to the freedom to do whatever you want with the code. They are not usually referring to the price.
Free speech, not free beer.
I'll probably be modded down for this...
That's entirely the problem. Debian has a zillion packages but has trouble releasing due to everyone's pet project, be it a pet architecture or a pet library or whatever. Not enough people want to put together a coherent distribution, they just want their little feature taken care of. Witness the number of people working on core pieces of Debian like apt, dpkg, aptitude, etc in comparison to the total number of Debian developers.
"I may not have morals, but I have standards."
Well, first off, they find employers who don't mandate 70 hour workweeks....
Personally, I think any employer who demands a 70 hour workweek of programmers, but is not a programmer working 70 hour weeks him/herself ought to be taken out to the county courthouse and strung up.
SIGSEGV caught, terminating
wait... not that kind of sig.
Why is this modded OT? Someone's on crack around here.
I don't moderate anymore. Karma penalty for 90% fair mods? Can I mod that unfair?
you are confusing free as in $0, with free as in freedom.
According to the Free Software Foundation, this includes:
* freedom to run the program
* freedom to study and modify the program
* freedom to copy the program
* freedom to improve the program, and release your improvements to the public
so Free software is free(dom) to develop as well as use, but yes programers do have to eat.
ohh is it lunch time already?
--meh--
http://lists.debian.org/debian-amd64/2005/07/msg00 100.html
Still waiting for the AMD64 security packages to show up a security.debian.org and not have to use the "sarge-proposed-updates" that Brandon warns against.
Aren't they the organization that was obsoleted by Ubuntu?
<ducks>
Protect your browser with the Force Safe Search add-on
Well, it helps that most of what the rest of the world considers worthy expenditure of free time is exactly the kind of thing hackers "detest and avoid". http://www.catb.org/~esr/jargon/
Watch the Superbowl? There's 6+ hours you could have had at least your own text editor right there. Watch TV at all? That's costing you a whole operating system per year. Carry a cell phone? I did the math once and figured out that I have added the effective 15 years to my life I lost from smoking by not carrying a cell phone. Little things like that add up, you cut corners...
And yeah, you may work 70 hour weeks, but only for short stretches so you can pile away the money, take some time off, and work on your own again...
That's okay. Got 'em in Meta-Mod.
I see even classic Slashdot is now pretty much unusable on dial up anymore.