Debian Refuses To Push Timezone Update For NZ DST
Jasper Bryant-Greene writes "Although a tzdata release that includes New Zealand's recent DST changes (2007f) has been out for some time, Debian are refusing to push the update from testing into the current stable distribution, codenamed Etch, on the basis that 'it's not a security bug.' This means that unless New Zealand sysadmins install the package manually, pull the package from testing, or alter the timezone to 'GMT-13' manually, all systems running Debian Etch in New Zealand currently have the incorrect time, as DST went into effect this morning. As one of the last comments in the bug report says, 'even Microsoft are not this silly.' The final comment (at this writing), from madcoder, says 'The package sits in volatile for months. Please take your troll elsewhere.'"
Assuming there are, or even the possibility that one could be crafted, it seems quite justifiable to call this a security fix. And aside from that, it's just dumb not to include it.
... maybe it just isn't time.
They've taken a perfectly good distribution and absolutely destroyed its reputation thanks to their management's ineptitude.
Some systems may rely on the "wrong" timezone for their continued operation, so if it is indeed not a security update, and the policy for automatic updates is "security only", then not pushing the update is correct. If you need the timezone update, get it. It's not like they hide it from you.
They haven't rolled out a patch for OSX either. There are several folks on Apple in NZ who are just as disappointed.
Meanwhile, Microsoft rolled out a patch on Windows Update - Microsoft users on Automatic Updates rolled over without even knowing anything had changed.
I would imagine anyone in New Zealand smart enough to install Debian is also smart enough to fix this manually...
Politics is Treachery, Religion is Brainwashing
adoption. While it is probably not that serious of an issue it provides Linux' competitors with yet another thing to point out as a "flaw" - they can't even be bothered to make sure a computer has the correct timestamp - do you want to depend on the whims of a volunteer to ensure your computer's data is accurately time stamped? And when you press the issue you get accused of being the problem - would you accept that from any other vendor?
Would you want to be in litigation over how a chain of events occurred, only to discover your desktop had been patched in the midst of an exchange that is critical to your defenses; only to discover the email you sent / file you modified in response to an event now shows you did it before the event?
I'm a consultant - I convert gibberish into cash-flow.
In my opinion, Debian did the right thing here.
This update is not security-related, so has no business being in the security update section. That's perfectly OK - Debian's security updates are completely safe to apply 99% of the time, because they do not change functionality. They only fix security bugs. Unlike Microsoft, Debian are not in the practice of shipping automatic updates that change functionality.
The update has been posted to the volatile repository, which is intended for things that change frequently, like timezone data. It can be installed from there right now - any of these people complaining could have simply installed the patch at any time over the past several months. The update has also been pushed to the updates repository, for inclusion in the next point release of Etch.
I don't see the problem here.
..you can bet it would have been pushed through.
This is almost the exact reason why I dropped Debian. My experiences (and of course YMMV) with dealing with the Debian community, especially on their official IRC and through the mailing lists, have been one of dealing with arrogance and a mindset that "if you can't figure out x, you are obviously too stupid for us to waste our time with you". They will tell you to "RTFM and figure it out yourself" rather than even help you get started in the right direction, even if you explain to them that you already have RTFM'd and it doesn't solve any of your problems.
Personally I dropped Debian back in 2001. Their release-policy is completely insane. Not only when it comes to this drivel, but also when it comes to other stuff. Their 'stable' releases were so out of date that they were worthless, and their unstable releases were quite frankly way too unstable to use in production.
// disgusted ex.debian admin
Although their release-pace has picked up, it seems that their stable releases are still having the same kind of inane problems as back then. I especially like Vernon Schryver's rants about Debian and their version of DCC, which should illustrate the problem:
http://www.rhyolite.com/pipermail/dcc/2007/003468.html
http://groups.google.com/group/news.admin.net-abuse.email/browse_thread/thread/643e0dda1dc20873/bfb14f7b095cd972?hl=en&lnk=st&q=dcc+debian+old+%22vernon+schryver%22&rnum=1#bfb14f7b095cd972
http://groups.google.com/group/news.admin.net-abuse.email/browse_thread/thread/602cb3d3677eacab/6e0f03195e004340?hl=en&lnk=st&q=dcc+debian+old+%22vernon+schryver%22&rnum=2#6e0f03195e004340
Debian is outright abusive towards DCC and other services. First they package and release software with old, outdated configurations - making sure that wrong servers get a lot of invalid traffic, then they refuse to fix it.
Now they refuse to fix timezone issues - and thousands of admins are stuck unless they give up running 'stable'.
Admins should stay well clear of Debian itself. It's an arrogant developers-only distribution. One should rather go for one of the several Debian-based systems, or maybe an entirely different distribution - if one wants a real product.
And Debian is the plural for what...?
By the way, what are a Debian?
Fata viam invenient.
Who'd have thunk it? This is why Debian is used as a base for the infinitely more popular distributions. The model is good, but the final product is lacking due to silly politics.
Debian have promised their users that only security updates will be rolled out and that they will not release any updates that change the normal behavior of programs. They do this because Debian gets run on lots of mission-critical servers where they don't want a program changing its behavior via an "update".
Rolling clocks forward by two hours is a pretty huge change in behavior for some servers, and there isn't much of a security risk in not rolling out the update automatically, so they're not going to.
They're doing the right thing.
Note that even 2007g has been out since August this year, including timezone updates for Egypt and Australia.
What the AC said. As a matter of principle, pushing non-security "security" updates that change functionality is asking for trouble. The updated time zone package has been available for months, a national time zone change should be common knowledge, and anyone in NZ who has not yet installed it is ignorant, or negligent, or both. This article submission is indeed a troll.
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
'even Microsoft are not this silly.' -- yeah, and they manage to break systems by applying service packs.... what a comparison! hehe.
As the person who did the latest timezone updates to RELENG_5, RELENG_6 and HEAD (but not to the security-only branches RELENG_5_5 and RELENG_6_2) I say: They're right.
As the person who maintains the misc/zoneinfo port I say: They're right.
bash$
Another problem: in etch, /etc/localtime is not a symlink to the appropriate timezone file in /usr/share/zoneinfo, but a copy - a regular file. You would think this wouldn't matter, but for tomcat apps it does. Whether that's a bug in tomcat, java, or debian doesn't really matter, the only fix is to replace the file with a symlink.
In any case, I vote for giving this package a new maintainer who doesn't have his head up his ass.
A great post covering the response to the NZ Daylight Savings change by the various vendors posted on the excellent 'geekzone' website:
http://www.geekzone.co.nz/freitasm/3856
This demonstrates how committed vendors are to smaller markets.
Keep in mind that this conversation is from a subset of the Debian developers, the glibc team/group. They are correct in saying that this is not a security fix, and that's not how they planned on releasing the update. It's clear from this statement "It will go through etch/updates when the new point release will be issued, and we missed the previous window because the bug was open a few days before the last release, and it couldn't make it sorry. So we pushed it in any other place we have access to, namely backports.org and volatile.debian.org (the latter is designed to fulfill updates of volatile packages, _LIKE_ timezone datas)." That the normal method of updating wasn't an option before the change took effect because the team missed the deadline. The wrong part of this is that the patch for handling this change was completed at the of July and yet the Debian team was unable to get it into the normal release flow. Strangely enough the folks at Ubuntu seem to have gotten this handled much more rapidly, "2007f-0ubuntu0.6.10 Published in edgy-updates on 2007-08-03, Published in edgy-proposed on 2007-07-27".
To the people who want the time zone change, just patch the timezone files by hand and compile new tz files.
Any UNIX system solved the timezone change problem years ago - and this is why ANY of the Unixes
abolish DST! It was silly in the early 1900s when the majority of workers worked in factories, mills, or on farms. It's sillier in 2007. Get rid of that stupidity once and for all.
... to allow Debian warships back in their ports.
Don't trust anyone under thirty.
It's in volatile repository.
Volatile is specifically designed to take into account things like this. It's for updates to packages, like anti-virus software, and similar things that change over time.
Nobody actually reads the fucking articles do they? The guy that posted the article is a troll and selectively took quotes out of context.
What SlashDot says:
"Although a tzdata release that includes New Zealand's recent DST changes (2007f) has been out for some time, Debian are refusing to push the update from testing into the current stable distribution, codenamed Etch, on the basis that 'it's not a security bug.' This means that unless New Zealand sysadmins install the package manually, pull the package from testing, or alter the timezone to 'GMT-13' manually, all systems running Debian Etch in New Zealand currently have the incorrect time, as DST went into effect this morning. As one of the last comments in the bug report says, 'even Microsoft are not this silly.' The final comment (at this writing), from madcoder, says 'The package sits in volatile for months. Please take your troll elsewhere.'"
What is actually in the Bug Report:
----SNIP----
The fix is already in the volatile archive (see
http://volatile.debian.org/ in the etch-proposed-update archive and it
will also appear in the next release of etch. Alternatively you can also
download the new version by hand and use dpkg -i.
----SNIP----
ALSO:
----SNIP----
>>> I would recommend re-opening this bug and upgrading its severity until the fix has been
>>> applied.
>> That won't change anything as it is now out of control of the glibc team.
>>
>
> And these mission-critical updates aren't put into security, why?
>
Because it's not a security bug.
----SNIP----
NO SHIT. It's _not_ a security bug. Why should the Debian Security team be forced to deal with something that is not security? Think about it for a whole two seconds.
The tzdata was updated a long time ago and is in a Debian repository that is specifically set up to deal with changes like this.
The person who filed the bug report doesn't like this and thinks that the package should be in the security fix repository.
It's fucking stupid. It's not a security bug. The package has been fixed for a long time. It doesn't have to be installed manually. It CAN be installed manually.
Get a grip people.
...is daylight savings time.
More than 60,000 Windows programs won't run on Linux.
> The final comment (at this writing), from madcoder, says 'The package sits in volatile
> for months. Please take your troll elsewhere.'"
He's right. That is exactly what volatile is for.
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
this article is about? It's about a sysadmin who's blaming Debian for not doing her job?
As it's clearly pointed out in the bug report, this package:
1) Does not have a security bug, so does not belong to security-updates.
2) Was in volatile for a long time.
3) Is scheduled for the next release of etch.
debian-volatile is a repository for this type of package (such as virus lists, tzdata, et alter) whose information/data changes or is updated often. If your time zone has changed or it's about to change, it's your responsibility as a sysadmin to upgrade the packages, not Debian's. There was not a bug in tzdata.
Debian is one of the best distros out there, please contribute to make it even better by filing bug reports, but please take a minute to think about what you are doing, and read carefully the developers'/maintainers' posts or replies, because most of the time they're right.
Linux is really for command-line hackers only... setting the time zone manually... pft. what a disgrace for the IT world... :p
but it's not a flaw. If you have a 1/16th of a brain you can and probably installed it from the Volatile already. Linux users are WAY WAY more savvy than a windows user. They tend to understand how to install software, patches, and how their system runs. If any sysadmins in NZ did not start testing the patch months or even weeks ago, then it's their fault waiting for the magical Debian fairies to install it for them.
Everyone keeps trying to compare Linux to windows. It's not. Compare Solaris to Linux.
Do not look at laser with remaining good eye.
Updating your timezone data for daylight savings changes....
The last posting in the bug report nailed it. Too many politics involved with Debian. The whole "ice weasel" episode was enough warning that they've got a Bush in their White House.
I have this funny feeling that everyone who self-righteously declares unto the unwashed masses why Debian should not push it out is NOT in NZ. Right? RIGHT??
Or configure NTP.
1 command, really. Not sure why they're being so stubborn.
Peace sells, but who's buying?
.. install it manually, that is the job of the IT admin no?
http://www.rense.com/general79/wdx1.htm
This isn't an isolated incident either. You cannot browse Google Groups in Konqueror. In the bug report they legitimately argue that it's Google's fault for not adhering to standards, but they still lost me as a user, and undoubtedly others also. http://bugs.kde.org/show_bug.cgi?id=140531
From http://volatile.debian.org/: "debian-volatile will only contain changes to stable programs that are necessary to keep them functional".
Slashdot got trolled once again with a false story. Nothing unusual, and always deserved, but when it harms Debian's reputation in an area where it used to be at fault but now does the proper thing, it's just irritating.
God, root, what is difference ?
Can't we put the blame here where it belongs: on the idiots who keep foisting Daylight Saving Time nonsense on us? For god's sake, people, if you think there's some benefit in waking up at a different time of day, then change your freaking alarm time, not the time time.
I'm awake! The answer is BONK!
Look, if you want to troll you should put at least some effort into it. Things like extolling the virtues and innovation unleashed on the world by Microsoft will do, or why SCO has been wronged.
You know, boring stuff. Your effort was, well, I think 'pathetic' is too good for it.
In Debian, FireFox is called "IceWeasel" because the _FireFox_ folks refuse to allow any patched version of FireFox to be called "FireFox". There is definitely silliness involved, but not on Debian's end. I do wish, however, that Debian picked a less geeky name than "IceWeasel" for their FireFox build.
but it's not a flaw. If you have a 1/16th of a brain you can and probably installed it from the Volatile already. Linux users are WAY WAY more savvy than a windows user. They tend to understand how to install software, patches, and how their system runs. If any sysadmins in NZ did not start testing the patch months or even weeks ago, then it's their fault waiting for the magical Debian fairies to install it for them.
Everyone keeps trying to compare Linux to windows. It's not. Compare Solaris to Linux.
Your last comment is the most telling - if you want to encourage wider adoption you need to address the perceptions of the broader user base you want to reach. Most users (and more importantly, those who make the buying decision) have little clue about Linux; let alone Solaris - but they are the ones who decide what to use.
It doesn't matter if the buyer is swayed by FUD or arguments with little relevance to reality - what matters is what final decision is reached. All too often, perception is reality.
I'm a consultant - I convert gibberish into cash-flow.
the real question is who do we blame this story on: kdawson or firehose?
When will gov stop messing around with time zones and DST? The WA gov in Australia are doing this too and it's a pain. I try and run all my stuff on UTC, but that's not acceptable for the user facing stuff.
Well, since there are no end users that use Debian, I guess their entire userbase are more than capable to just do the patch themselves, right?
..
No elitism here
( Yes this is sarcasm. Rather short sighted of the Debian crew )
---- Booth was a patriot ----
This is what usually happens when something Debian-policy-related happens and is touted as silly:
1. I think: How silly of them. Just like Debian to do something stubborn and annoying like that.
2. Then I read the argumentation, the policy that led them to the decision.
3. I find myself agreeing with the policy and thus accepting the decision as the Right Thing.
4. I find someone, usually in the Debian project itself, has come up with a solution for those who don't like the decision.
The more time passes, the more I like Debian. They have policies that are good and they stick to them. When the policy causes them to do something that people don't like, they provide a workaround. With Debian, you can have your cake and eat it. Exclusively free software? Check. Proprietary software when you do want it? Check. Stable system that stays the same for years? Check. Recent versions of packages when you want them? Check. Support in the package manager for mixing and matching? Check. Oh, and they had dependencies figured out and working well long before any other distro I'm aware of. Debian isn't perfect, but it comes frighteningly close sometimes.
Please correct me if I got my facts wrong.
Here's the relevant updates:
Fedora Core 5:
https://www.redhat.com/archives/fedora-package-announce/2007-June/msg00629.html - 2007f, pushed June 27
FC5 had already reached EOL when 2007g came out, so it didn't get that one, but 2007f is enough to fix this issue anyway, and besides all users should upgrade to a supported release.
Fedora Core 6:
https://www.redhat.com/archives/fedora-package-announce/2007-June/msg00543.html, pushed June 25
https://www.redhat.com/archives/fedora-package-announce/2007-August/msg00391.html - 2007g, pushed August 27
Fedora 7:
https://www.redhat.com/archives/fedora-package-announce/2007-July/msg00370.html - 2007f, pushed July 19
https://www.redhat.com/archives/fedora-package-announce/2007-August/msg00379.html - 2007g, pushed August 23
RHEL (all versions all the way down to 2.1!):
https://rhn.redhat.com/errata/RHEA-2007-0689.html - 2007f, pushed July 19
(2007g has not been pushed to RHEL, but 2007f is enough to fix the NZ issue.)
All these are in the regular updates repository which is enabled by default.
Good for Debian. I can't tell you how much of a pain in the ass timezone alterations are. The US one sucked big time. I wish more companies raised their middle finger to this shit. Talk about a waste of time, because it isn't as if most IT workers/organizations DON'T HAVE ENOUGH TO DO ALREADY. PLUS, if you are an international shop, knowing that some other country has legislated a timezone change could bite you. It's because of crap like this that I advise my customers to just run GMT.
Why is it stupid to do things the MS Way? Pretty simple really. Time Zones do change and Laptops change between several of them quite frequently. Now by setting the system clock to GMT, all time stamps are based upon the same TZ and no daylight savings time (remember this is called Internet Time) meaning you avoid all those issues while ensuring a legal timestamp on everything that needs it.
It's this reason that almost every *nix installer asks if your system clock is configured to GMT. If so, then you avoid these damn foolish issues unlike the poor MS admins who had to roll out the TZ patch in order to correctly sync their system clocks to local time instead of Internet Time as is the *nix standard. It's all part of the Extend/Embrace/Extinguish habits of MS and they love to create more work for the lawyers all the time; otherwise they would have followed the RFC on setting computer System Clocks to GMT or as the Military says ZULU TIME.
Mod me up/Mod me down: I won't frown as I've no crown
people replying to this story fall into one of two categories: people who understand the situation and realize this isn't in fact a story, but just a misunderstanding by the user involved and half the /. crowd of the way Debian works; and, people who think this is another example of volunteers happily trampling on the rights and sensibilities of the people their unpaid work benefits.
...welcome to the second group.
Near as I can tell, the US DST change went into tzdata2007d - so it's not in the one in stable either (unless I got the timeline wrong).
So - what did Debian do for that? If they left it in volatile, then the NZ guys haven't got anything to complain about, really - at least the Debian folks are consistent (in this scenario)
"Software is too expensive to build cheaply"
If the changes are necessary to be functional, why isn't the repository they are in enabled by default? It's entirely stupid to knowingly let programs break.
Silly Debian, they're not trolls, they're Hobbits!
That being said, this is stupid. Time Zones should "just work" no matter where you are. It's not volatile code, it's a line in a config file. Trust me, if one of the US states that doesn't follow the national DST system were to change, you KNOW the update would be pushed up immediately.
This is discrimination driven by laziness (the worse kind IMHO).
Ready to be pushed out of the server room, where it cannot be trusted, and onto the desktop, like some dodgy mini-tower 'server' that has something wrong with it but is good enough for an intern to run Word on??
I'm not sayin', I'm just saying....
Microsoft says legacy (serial/parallel) ports are bad. They don't obfuscate the hardware enough.
What rubbish. New Zealand's technology industry is more significant to its citizens than the US technology industry is to Americans. As a small country, New Zealand's economy relies more on technological innovation than big countries do, with their natural resources and primary production. I'm not just talking about the famous examples (the electric fence, Rakon) either, but a constant push for more efficient and more valuable secondary production.
Or by significant did you mean significant to you and you alone? Who made you Captain of Industry?
Your guess about the few dozen people is also wrong. I, personally, just me, know a few dozen Kiwi Debian users, and I wouldn't say that's even close to the number that live in my suburb. Free software adoption is alive and well down under - it goes well with the 'number 8 wire' tinkering mentality that is a well-established part of New Zealand culture (Burt Munro and all that).
None of that is to say Debian should break policy - I agree that volatile is where these updates belong. But the arguments you give in favour of the status quo are bullshit.
=w=
Debian-stable is just too far out of date, so all of the Debian admins that I know run mixed stable/testing installations. (I can appreciate the desire to keep things within a release from breaking unnecessarily, but the Debian release engineering bureaucracy seems to take that sensibility to a ridiculous extreme.)
NTP does not deal with DST. Its sole purpose is to synchronize the machine clock with UTC.
DST is a presentation issue, and is handled solely by the Olson tzdata database.
Time servers, Microsoft, and everyone else already have the system time clock set to universal time (GMT or Zulu for you), and all timestamps are recorded this way. TZ data is used to calculate the delta for the local time that is presented to users.
Debian has showed once again it is not meant for the regular user. Seems that they are happy to see a niche OS, and to be fair there is nothing wrong with that.
There is absolutely no way NTP can help with a timezone change.
Configuring NTP doesn't make an ounce of difference, because NTP uses UTC. The timezone (including DST) is applied later. In fact, on most Linux/Unix systems, irrespective of NTP, even the hardware clock is UTC, not local time (the exception is usually for dual booting with Windows).
Either you don't know much about Linux timekeeping, or you live in a +0000 timezone with no DST.
=w=
That won't address the issue at all. NTP makes sure the system clock is synchronized with UTC. The issue here is how much offset from UTC should be used for times that are displayed to users.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
NTP doesn't do time zones. At all. It operates solely in GMT, and it's up to the operating system (libc+tzdata in this case) to apply the offset when a program asks for the local time.
The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
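The point made in the replies above (NTP keeps UTC correct, tzdata decides the displayed offset) and the earlier concern about event ordering in a dispute, as an added example that is not any poster's code. The NZ transition rules (first Sunday of October before the change, last Sunday of September from 2007, both at 02:00 standard time) are taken from the tz database rather than from this thread; the ruleset labels, host names and events are constructed.

```python
from datetime import datetime, timedelta, timezone

NZST = timedelta(hours=12)   # Pacific/Auckland standard offset
HOUR = timedelta(hours=1)
UTC = timezone.utc

def sunday_on_or_after(year, month, day):
    d = datetime(year, month, day)
    return d + timedelta(days=(6 - d.weekday()) % 7)

def last_sunday(year, month):
    d = datetime(year, month + 1, 1) - timedelta(days=1)  # only used for September
    return d - timedelta(days=(d.weekday() + 1) % 7)

def transitions(year, ruleset):
    """Return (dst_end, dst_start) for `year` as naive UTC instants.

    ruleset "2007f" models the updated rules; any other label models
    the data shipped before the update.
    """
    if ruleset == "2007f" and year >= 2007:
        start = last_sunday(year, 9)
    else:
        start = sunday_on_or_after(year, 10, 1)
    if ruleset == "2007f" and year >= 2008:
        end = sunday_on_or_after(year, 4, 1)
    else:
        end = sunday_on_or_after(year, 3, 15)
    # Both rules fire at 02:00 standard time, which is 14:00 UTC the day before.
    shift = timedelta(hours=2) - NZST
    return end + shift, start + shift

def nz_offset(utc, ruleset):
    """UTC offset a host with the given ruleset applies at this instant."""
    u = utc.astimezone(UTC).replace(tzinfo=None)
    end, start = transitions(u.year, ruleset)
    # Southern hemisphere: DST runs from `start` through new year until `end`.
    return NZST + HOUR if (u < end or u >= start) else NZST

def render(utc, ruleset):
    """Local wall-clock time as that host would display or log it."""
    return utc.astimezone(timezone(nz_offset(utc, ruleset)))

def stale_window(year):
    """Spring interval (naive UTC) in which un-updated hosts are an hour off."""
    _, new_start = transitions(year, "2007f")
    _, old_start = transitions(year, "pre-2007f")
    return new_start, old_start

# Constructed events: both clocks are NTP-synced, so the UTC values are right.
EVENTS = [
    ("patched-host", "2007f",     "mail received", datetime(2007, 10, 1, 20, 30, tzinfo=UTC)),
    ("stale-host",   "pre-2007f", "file modified", datetime(2007, 10, 1, 20, 50, tzinfo=UTC)),
]

def utc_order(events):
    return [e[2] for e in sorted(events, key=lambda e: e[3])]

def wall_clock_order(events):
    # What an investigator sees when correlating on logged local times.
    return [e[2] for e in sorted(events,
                                 key=lambda e: render(e[3], e[1]).replace(tzinfo=None))]

if __name__ == "__main__":
    print("stale window (UTC):", *stale_window(2007))
    for host, rules, what, ts in EVENTS:
        print(f"{host:13} {what:14} utc={ts:%H:%M} local={render(ts, rules):%H:%M %z}")
    print("true order      :", utc_order(EVENTS))
    print("wall-clock order:", wall_clock_order(EVENTS))
```

Correlating on UTC (or epoch) timestamps gives the true order regardless of which hosts have the update; only the rendered local times disagree.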
The point of DST is just that, to conserve daylight, duh. It works because it takes electricity to light things, and since more people are awake at 6:00 PM than at 6:00 AM, you just "move the light around" to what's convenient for the majority of the populace. Less electricity means less expense, and more energy savings!
The problem is that this no longer makes sense thanks to air conditioning. Savings of light are offset by running air conditioners longer during the daylight times. Perhaps in places with lights but no air conditioning DST still makes sense but not really in developed nations.
"All great wisdom is contained in .signature files"
The whole FA is a big misunderstanding of what the various repositories are and what their purposes are.
More information about volatile, at the corresponding Debian site.
Debian is quite popular among some admins because of this. You know, once you install Debian on a server, that your installation will still get critical security fixes for the next 3-4 years. But nothing else will change a bit. 0% chance that an upgrade may break your configuration file. 0% risk that all the scripts that you manually wrote will suddenly stop functioning because of subtle differences between version 1.8.6.9 and 1.8.6.10 in some obscure software. (which are things that could occasionally happen with other distributions) NO dependency hell once you start using updated software (like a 3rd party repository targeting a library version 2.0.9, but the distro having updated to 2.0.11. Very rarely it can happen between openSUSE and packman).
But as AC said in this thread, maybe the installation procedure of Debian should give
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
This is Debian, and there is a simple command-line based solution. Debian isn't aimed at grannies or the average corporate joe. Its primary user base is geeks and sysadmins who need rock-solid systems. And it does a damn good job of that. It also serves as a great reference implementation for others (ubuntu, et al) to customise and optimise for more specific uses.
"I think it would be a good idea" Gandhi, on Western Civilisation
volatile is used for packages that need frequent updates. clamav is managed this way, and so are others. There is no need to use several paths to provide one and the same package.
cb
It seems to me that all this brouhaha is evidence that some change to Debian policies should be made.
The LEAPSECS mailing list has been discussing the issue of implementing leap seconds in UTC for seven years. There is rarely any consensus between those who want to abandon leap seconds and those who want to keep them. There is on occasion something to which there is not strong objection. Last year LEAPSECS fell silent at the suggestion that leap seconds should be announced five years in advance (instead of the current practice of 6 months and requirement of only 8 weeks). The point is that changing civil time in any fashion is extremely disruptive (see Hugo Chavez and Venezuela last week). If the international technical community would agree that five years of advance warning is required, then the local legislative and bureaucratic folks who modify daylight time might get the message. It's a dream.
I am one that does NOT want to encourage wider adoption and I agree with the Parent. If joe user that glazes over when you talk about drivers and partitions wants to use something different than windows, show him OSX. Linux is a high power complex operating system used for real computing tasks; it is not an appliance for internet use or writing a report for the boss like windows is. I believe the high power OS's like solaris, unix and Linux need to stay as high end high power operating systems and leave the beginner level operating systems to the masses that don't have a clue.
You CAN make linux friendly for a newbie or low computer IQ person, but it takes a computer expert to do it and to maintain it. That is what companies do; they are supposed to hire experts. (many hire MCSE's; those can't even do basic stuff)
Honestly you have no clue. Sally in accounting can't configure a Microsoft server let alone her own workstation, why the hell do you expect her to be able to install and configure linux? Your expectations are incredibly silly.
Linux is an advanced server operating system, an advanced workstation operating system and a high end embedded OS. It is not an OS for the feeble minded, the apathetic that want their computer to be an appliance, or the undereducated. It is for professionals that know what they are doing.
Honestly computers are complex, and any notions otherwise are completely silly.
Have they updated the default install to include volatile? Last I looked it had to be added manually and there wasn't a lot of documentation pointing to it. The only reason I knew about it was to fix clamav update problems.
If they're going to point to volatile then they should have been pointing to volatile all along. It should be part of the installer or get as much attention as security.
Now, in this case anyone who was interested has probably dealt with the problem so it is a bit of a non-story. My problem is everyone pointing to volatile as if Debian bothered to tell people about it.
NTP does not change your time zone.
It just fixes the UTC time, from which the local time is derived.
It doesn't "effect a few dozen people"; it "affects a few dozen people."
Learn the difference, please.
Misuse of "effect/affect" is one of my biggest semantic pet peeves.
To "effect" something is to bring it about or into being; to "affect" something is to have an influence on it.
"Other than that, Mrs. Lincoln, how was the play?"
This is the same response I got from Sun in 1997 when I was looking for a patch for one of their many widely documented and abused security holes at the time. I think the Debian guys need to rethink this one.
Mod parent up
The real issues are:
Stupid politicians buying the idea that it's easier to reset a billion clocks than to just get up an hour earlier.
Stupid politicians deciding that the stupid time changes can be improved enough by changing the dates they happen on that it will pay for the cost of changing.
Arizona has it right in refusing to do DST. (they have another good reason: who the hell wants more daylight when it's 110F out in the shade?)
> Linux users are WAY WAY more savvy than a windows user.
The fact that Linux desktop users run Compiz is not a reflection of their "savvy"; it is a reflection of the fact that they are time-rich.
As for folk who run servers -- there are plenty of very clueful admins running large and complex networks. They don't come from your local MCSE shop, but they do exist and are very smart indeed. So you might want to cut down on your juvenile "WAY WAY more savvy" cheerleading.
As it happens, the Unix approach of minimal hand-holding is probably good because it gets in an admin's way less, but this incident goes to show the limitations of Debian's security/volatile approach. The problem here seems to be that because 'volatile' isn't pulled by default, most users won't get this update.
This does NOT only affect those in NZ, anyone interested in the correct time in NZ could have this problem. Worse, many people outside NZ won't even know that they have to pull in this update. This results in the classic engineering snafu: the Debian developers are right, and they are wrong because their update logic missed the bigger picture of keeping the computer in sync with the physical environment it's embedded in. This happens rarely (the last big one I can think of is the introduction of the Euro symbol into character maps) but changing time zone definitions seems to be pretty common these days as legislators try them out as a quick-fix energy savings approach.
Here's hoping future Debian releases pull an 'operating-environment' line of updates by default, to deal with non-security-related operating environment issues.
Go somewhere random
But then the same thing would happen with computers that are legitimately in different time zones! Interfacing with the rest of the world in local time is a bug that updating TZ tables is not going to fix.
That's why I love it too. I really don't like the distributions where you get a big bunch of packages as a release, which you are then basically stuck with until the next release (at which point you have to upgrade and cross your fingers, or reinstall). Like Ubuntu, you get a whole ton of packages, and there are always a few that have a subtle bug. But since you're on one release, you don't get the fix until six months later (of course, you can install it separately, but it's a pain). With Debian, if an app is broken in some way, I get the fix as soon as that developer releases a new version, without affecting any other package.
And it's really not that complicated to use. Even things like nvidia drivers are just a m-a autoinstall nvidia away. Sometimes it takes a while, but eventually I find Debian makes things like that very simple and integrated.
Do you know how easy the timezone updates are for me on, say, Ubuntu?
Neither do I, because I didn't notice. At some point, it was just updated, without me having to think about it.
Debian is actually making this issue worse, by forcing people running stable to either update it themselves, or use the volatile repository, when it could have been as painless as throwing it in security updates. Then again, most people using stable should be using volatile anyway.
Don't thank God, thank a doctor!
> Honestly you have no clue. Sally in accounting can't configure a Microsoft server let alone her own workstation, why the hell do you expect her to be able to install and configure Linux? Your expectations are incredibly silly.
> Linux is an advanced server operating system, an advanced workstation operating system and a high end embedded OS. It is not an OS for the feeble minded, the apathetic that want their computer to be an appliance, or the undereducated. It is for professionals that know what they are doing.
You completely failed to understand what I was saying - it's not that the end user is expected to configure their environment (most don't even with Macs or Windows), it's the attitude of some parts of the Linux community that is a barrier to wider adoption; as you so amply demonstrate.
In order to adopt technology the decision maker needs to be convinced that it will meet their needs and work as required; and the decision maker is often not a tech savvy person who will be swayed by properly presented FUD.
If you don't want broader acceptance of Linux that's fine; but there are people who would like to see that and whose efforts are impacted by decisions such as Debian's.
> Honestly computers are complex, and any notions otherwise are completely silly.
So are TVs, cars, and many of the day to day appliances we take for granted. You are confusing the technology complexity with the user interface.
I'm a consultant - I convert gibberish into cash-flow.
...please take your troll elsewhere.
For teh love of Mike, get a clue PUHLEESE!!!!1111
Pigovian style taxes will help pay for medical care, social programs for the poor, sustainability projects; and cut down on uneconomic consumption. Your example shows exactly why pigovian taxes would work, assuming the gov't could be kept accountable(say, through mass sousveillance)
GENERATION 26: The first time you see this, copy it into your sig on any forum and add 1 to the generation.
All of your reasons are why I installed Debian Etch on my mother's computer. Moved her from Win98 to Etch early in the summer. She has no issues, I do not get any calls about computer problems. She knows how to check for updates (Update Manager). She is very happy with the system. She does not do music or videos on this computer, she is a web and email person. Probably spends no more than 30 minutes on it a day, and not even seven days a week.
Debian, thank you for your policies and your ability to stick with them. Also, my mother and I thank you for your distribution.
How does Debian handle time-based logins, VPNs, etc. that are restricted by security policy? Correlation: How does it handle the same when they rely on Local Time and not GMT?
For example: User A can only login to Server B between 8am and 8:15am, but can maintain the open link until 5pm. This was set up to restrict login access by User A for whatever reason to Server B, which is offshore. If the time zone data is not applied, won't this screw with the restricted login policy? I would think that would be a security issue as well as a use issue.
Another example: Remote backups, etc that rely on accurate local time settings to perform their operations on a tight time schedule. How would the timezone patch not being applied affect this?
I really don't know these things, as I don't use Debian (or Linux in general), which is why I am asking. Excuse my ignorance please.
My final question: Was the fact that this patch was released to the Volatile repo mentioned on the Debian website, or pushed via subscribed newsletter/RSS feed and not just some "obscure" newsgroup posting? If yes, then the Debian team has done all it needs to have done, and it was the end-user's problem for not paying attention to announcements. If nothing but a short newsgroup post was issued, then the Debian team is at fault for not doing a proper announcement (I know as a systems admin, I rarely have the time while on duty to go scouring newsgroups for update announcements).
Thanks for any insight you might provide.
@Mindless Drivel: 100% of Twitter posts ever Tweeted.
> Simply put, a *Nix system should have the system clock set to GMT and synchronized to a time server
What does that have to do with anything? The system clock *is* set to GMT, and the CMOS clock doesn't matter because the CMOS clock doesn't implement daylight savings time changes at all... so it doesn't matter if the offset for the clock is DST or not, since the system has to adjust it by the offset it believes it was at when it shut down.
The actual problem is that the displayed time and the time used for periodically scheduled events, policy changes, and so on will still be based on local time, and local time will still be wrong whether the system clock is in DST, GMT, UT, sidereal time, Swatch Beeps, or based on decimal fractions of Martian Sols.
O frabjous day! Callooh! Callay!
Because the main Debian servers aren't in China, so there is no legal way to forbid them to have a package with the word "Democracy" in its description.
But had Debian been a Chinese project, you can bet that there would be a "stable" everything democracy packages, and a "non-China" repository hosted somewhere in Europe with all tools pertaining to Great-FireWall-traversal.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
Several security protocols mandate close time synchronization to minimize the risk of replay attacks, so failure to deploy this time zone change causes a denial of service. In particular Kerberos is impacted, and increasing the permissible time skew by a few orders of magnitude on every box in the domain, which not all implementations support, creates a substantial risk unless you're set up for ticket pre-authentication, which puts a greater load on the server, is not well supported by all clients, and is thus often not enabled. Admittedly, if you're using a network of Debian stable machines, you should be okay, but god forbid someone should use a Debian stable box in an Active Directory deployment.
Similar problems may exist for SSL (https, ldaps, imaps anyone?) but I'm not sure if a one hour difference would exceed the tolerance in many applications.
Disclaimer: I work for a commercial distributor.
There's no failure quite as dissatisfying as a complete and total solution to the wrong problem.
> Microsoft users on Automatic Updates rolled over without even knowing anything
That's the truth!
Selective quoting is fun.
DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
That's its good feature...but also its bad feature. I think possibly twice during each cycle of testing (say 0.5 times per year) an update will hose my system. (Well, I'm using testing. If I wanted stable, I'd choose stable.)
You can be pretty well guaranteed that the time this happens will be in one of the massive updates...like, say, when all of KDE is being upgraded. This happened to me most recently around a month ago, so the possibility is still fresh in my memory. That time the problem was that a package told me to choose autoremove...and my network access got autoremoved. Fortunately, I had a backup partition, and after a copy/update/avoid autoremove everything was working again. (Actually, by the time I had the update complete, the request for autoremove had been fixed...and it wasn't asking for that any more. Must have been just some VERY unfortunate timing on my part.)
As a result, I don't recommend anything BUT stable to people unless they really know what they're doing. (And I don't know enough about the stable packages to know all of the repositories that I ought to recommend. All I really know about is security...I hadn't even heard of volatile, but then I always run testing.)
I think we've pushed this "anyone can grow up to be president" thing too far.
You're misunderstanding. Go to the Debian volatile page to understand the whole picture. In a nutshell, though, when the OP said "keep them functional" (which was a direct quote from the provided link) he did not mean "prevent them from crashing or spamming you with errors or whatever". He meant that there are some packages (like spam filters, for example) that are volatile in the sense that they are constantly changing and by definition incapable of being useful if the version you're running is from 3 years ago. Running a spam filter from 2003 isn't going to be very useful because spammers have shifted tactics. It's not that you can't run that program, or that it's broken — just that it's not functional.
People on Slashdot who always want the latest and the greatest on their desktop often don't understand the impetus behind Debian stable, and lampoon its slow upgrade cycle. But as anyone who has done real admin work will tell you, once you get a working system running, you really want to touch it as little as possible, because updates and upgrades often break things. So most admins stick to security updates and that's that. The truth is, the version of GNU ls from 1994 lists directory contents just as well as the bleeding edge CVS version — there's no good reason to risk screwing up your setup for something so trivial.
But, as people have often noted, other than security issues, there are some packages that simply need updates more frequently than the Debian stable release cycle can accommodate, and so the volatile repository was born. Previously, the Debian devs had to prioritize certain updates (like say, a New Zealand DST time zone update that affects only people on a little island in the south pacific) and push them out as security updates. This was bad because they aren't security updates — no matter how you think about it, a vulnerability in Apache and an update to your spam filter or to the New Zealand timezone data are not in the same league, and serious system administrators appreciate being able to get updates for the former while foregoing the latter.
Debian volatile was expressly designed to deal with exactly this sort of package. The people complaining apparently did not realize that, well, these days, only security updates go into security, and other pressing changes affecting packages in stable go into volatile.
In other words, they didn't understand how Debian works, expected them to do it one way, and were surprised when they didn't — even though if you think about it for two seconds you'll realize that Debian's way is the right way and theirs was the god-cursed-stupid way.
Keep your spam filter and timezone updates out of my security updates. I don't want production level systems to get an update unless they need it for security reasons. I know I can trust Debian not to mess with me and that's why they're the only serious Linux distribution out there, in my opinion.
I think the patch is in Debian volatile repository, which is Debian's policy to put there any software updates that aren't security bugs but are needed to keep the system working properly. A Debian GNU/Linux user/sysadmin (I am one incidentally) should know about volatile (if not it means that either there is insufficient documentation or the user/sysadmin didn't RTFM). Comparing Debian with Microsoft is wrong, because Microsoft Windows Update is used to update a variety of issues with Windows, not just security bugs. But Debian is usually only focusing on security updates after a stable release is made, it is their policy (whether it's good or bad is another story). The volatile repository was made for non-security important updates, which I think fits nicely with a timezone update. It is important to realise that new Debian users/sysadmins must learn the apt system pretty well, as it is fundamental in managing a Debian system. Debian just follows its own policies here, while still allowing users/sysadmins to get the patch through volatile (and I think also backports), and why this hit Slashdot I really don't know. Of course, this update should be included in the next point release (ie 4.0r2), and perhaps a higher number of volunteers would be helpful here. Are any of you willing to actually help Debian include important bugfixes and updates in next point releases rather than losing your time discussing about non-issues?
Linguistics 101: grammar rules are hypotheses, and you're supposed to defend or attack them by appeal to usage data. You, on the other hand, are treating grammar rules as edicts from high, and are appealing to an edict of yours to argue against usage data.
Are you adequate?
You are free to ignore the people who tell you to RTFM and instead listen to those who will help you out.
The "volatile" repository is for additions to Stable that need to change frequently. I believe the catalyst for creating volatile was for ClamAV updates. ClamAV changes on a regular basis to keep up with threats, and by adding volatile to your repository list you can keep the ClamAV engine and its data file at the latest version without sacrificing Stable.
Seems like a pretty good solution for timezone changes...
FTR, actually that's not the case. Someone else who stumbled onto the problem near the last minute doesn't like the fact that it didn't go into the main repository or security repository. I -- the person who filed the original bug -- am perfectly happy with the fix going into the volatile archive, and patched the servers I manage months ago. (I think it's rather unfortunate it missed the 4.0r1 point release, and unfortunate (but understandable) that there's no patch for Debian Sarge ("oldstable"), but otherwise the situation seems to have been handled fine. For Debian Sarge it works okay to take the NZ or Pacific/Auckland timezone file from a patched Etch system and put it onto the Sarge system.)
Ewen
The tzdata package needs to be at least version 2007f. So, if you think about it, this has already happened at least 6 times this year, somewhere in the world.
Personally I prefer to blame it on stupid politicians who want to push things like this through in under 6 months to give the voters the impression that they are capable of getting stuff done.
For an explanation of volatile (and volatile-sloppy) see this:
Desktop System Setup with Debian GNU/Linux 4.0 'Etch' - Package Repositories, Updates & Upgrades
http://thegoldenear.org/toolbox/unices/desktop-system-setup-debian-etch.html#repositories
Hey, check this out! Somebody made a lot of sense. Four paragraphs worth!
Thanks, BLKDEATH
My wife told me that her Windows PC hadn't updated for daylight savings time. With great smugness and confidence I told her that my Linux box would have done it because it was community based software and was therefore superior in every way. I sure felt like a dork when my linux box still had the wrong time on it. And she pinched and punched me for the first of the month again. Damn Debian politics. Red tape is there to be cut through.
When I first heard about it, I mistakenly assumed volatile == unstable...
No, the volatile repository is exactly what this is for -
packages that need constant adjustment and update to work as advertised.
I just learned about the volatile repository and it's the perfect solution, but
sadly I, and I'm sure others, were unaware that this existed until now.
I wish some of this stuff was advertised a little more rather than buried
in the documentation, but I'm glad I know now.
Funny as hell to see the complaints about this, since generally linux fanboys are all about the "do it yourself" lol
Computer 1, Human 0.
Are you adequate?
... maybe not, but Apple is:
New Zealand Mac users missing DST patch
Apple has yet to issue a patch adjusting to a change in New Zealand's seasonal times, Mac users from the country complain.
http://www.macnn.com/articles/07/09/28/new.zealand.dst.problems/
Notice that from what you just told me, if you hadn't told me anything else, I wouldn't know that changes to timezone files would be pushed through volatile. First, I'd have to know about the existence of the fricking edge case of a timezone definition file changing; second, I'd have to remember the damn thing; and third, even if I did those two things, I wouldn't be able to infer that timezone file changes are handled through volatile.
Are you adequate?
An AC with a low IQ asks:
> Did you have anything to add to this discussion other than making snide remarks to cover your envy of Microsoft's better working practice, and linking to someone else's entry?
No. By selectively quoting the GP I completely changed the meaning of what he said from "M$ is teh best and did not have this problem" to "M$ users are suckers". Then I linked to someone else who shows mail threat posts saying that this is not a problem for Debian users who are subscribed to the "voletile" lists for updates. It's funny, you are supposed to laugh.
No, I don't have any envy of M$'s practice and you could not pay me to run their shit for anything where time was important. Windows does not understand GMT and uses local time, which forces all applications to compute GMT and that forces errors. Their time and date functions are so rudimentary that vendors have to make their own. M$ users had a huge pain in the ass when the US decided to change daylight savings time; older versions were ignored and never recovered. Y2K was a major issue for their machines. Applications such as Excel have functions that return wrong and contradictory answers. The list of M$ time and date cockups is so long and so extensive that I have my doubts they did anything right in New Zealand. There's more than cost reasons that GPS device makers have turned to GNU/Linux.
DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
Tzdata isn't the only affected package.
PHP keeps its time zone information internally, and of course there isn't a debian update for it so you may need to recompile with a new timezonedb.h
So if you have a web server, get cracking!
"Nine times out of ten, starting a fire is not the best way to solve the problem." - my wife
You're right and everyone is up in arms about it. I've never seen people get so riled up about software like that, so I'll just take your word for it. I mean, who would use something with a minor error for people in New Zealand who don't apply an easy fix? That just ruins it for me.
New Zealand is out of compliance in this case. There is absolutely no justification for changing time zone data frequently.
Correct me if I am wrong, but the only way to update packages in a default Debian install is through http://security.debian.org/ (or when the distro itself is updated). Therefore, the mentioned fix should have come into http://security.debian.org./ And Debian should make sure that its next release includes the 'volatile' repository by default as well. Thinking that every user and admin will have to edit /etc/apt/sources.list themselves is pure nonsense! This stubbornness of the Debian team will cost them. With such an attitude, it is not going to be long until Debian is completely abandoned and forgotten, and will only be used by a small bunch of engineers that pretend to be politicians.
Wake up, Debian! You lost your voice when your weekly news letter started to come out once a month, when your users turned to Ubuntu for new software, fun & ease of use, and you yourself got into the fingerpointing blame game. Lose your arrogance and start responding to your users and you will still have a chance!
I just sit all my Debian servers outside with a sun dial strapped to them while I write a script to alert me in Standard Mean Venutian time so I can lament not having a girlfriend exactly every 11 parsecs and oh fuck I can't even be bothered making fun of this anymore.
*sigh*
This is a good example of why Ubuntu was necessary.
Paul Beardsell
Is it even possible (given DST rules) to be over 24 different from anywhere else on the earth?
Incorrect time is a security problem. And by default Debian logs are in localtime not UTC. Incorrect log timestamps are a security issue.
meridian at tha.net
I haven't misunderstood. (I'm the AC you were replying to.) I think:
* timezone data actually reflecting the correct time,
* spam filters actually catching spam,
* virus scanners actually catching viruses
etc. is just as important as not crashing, the programs are useless if they don't do their job, even if they don't crash while failing to perform.
And the main issue here is not that volatile exists, it's that:
* it's apparently not turned on by default (or we wouldn't have these complaints). One issue may be that for upgrades, nothing tells users to add volatile (or does it?).
* it wasn't announced well enough, or we wouldn't have this many confused users.
RHEL is all about stability, yet they pushed the tzdata 2007f update. It was marked as an enhancement, so people wanting only security fixes or even only bugfixes in general don't have to install it (RHN has some filtering support AFAIK), but it isn't hidden in some repo many people don't even know exists.
Now personally I want more updates than what Debian or RHEL (or CentOS, Scientific Linux etc. which are just rebuilds of RHEL) provide, so I'm running Fedora. Works great for me. And our tzdata is at 2007g already.
You mean that repo that absolutely nobody knows about?
Until now.
The one that isn't included in any distro's sources.list?
"Nine times out of ten, starting a fire is not the best way to solve the problem." - my wife
Nice troll though.
Me looks at company's report of global systems.
Big chunk in pie chart says Linux.
Me looks at company's list of approved OSes. Yep, Linux is there.
So at least one Fortune100 company uses Linux, I am sure others do.
How much more fucking mainstream does Linux need to become?
IANAL but write like a drunk one.
Debian already had a policy to deal with this, and you can read about it here. debian-installer even gives you the option to include volatile in sources.list.
Cheers!
They don't grade fathers, but if your daughter's a stripper, you fucked up. --Chris Rock
if you were part of it. Astroturfing isn't IT.
I am a Debian user who gets my tzdata updates whenever they came out. I don't have to touch the command line to get the time right because my system isn't misconfigured, unlike the original complainer.
Checked the time on your computer lately?
Tech Public Policy stuff
It seems like an exception can or should be made for this even if it is not how the Debian people define a "security bug." Having guidelines and rules are fine and necessary for maintaining order, but I have to wonder if they need to be followed in such a slavish way, as if they're part of some kind of religious canon.
This doesn't affect me at all, but it seems like something called "stable" in any sense of the word ought to be able to tell time properly out of the box. That the Debian guidelines or rules or whatever don't allow for the direct incorporation of this bug into the stable repository seems secondary to the fact that it ought to be. That this patch is available in volatile is kind of beside the point. Someone downloading and installing this anew in that NZ timezone is going to have problems.
I suppose someone could make some kind of case about regression testing and so on, but I have a hard time believing a simple time zone update will bring Debian's reputation for curmudgeonly stability crashing down.
you set up your /. account. It's obvious that your handle should be n00b432.
I'm a Debian end user who gets tzdata updates whenever they come out, because unlike the complainer, my system is not misconfigured for updates.
Tech Public Policy stuff
that doesn't need customizing?
While Debian should have a more complete sources.list (they can always comment out the ones that might be risky for n00bs), once one adds one to the list, it works stably, reliably, and predictably.
However, having to add the PGP key is a PITA, that part of the process should be automated. (i.e. once there's a new sources.list entry, apt should find and install the key from the PGP server network without user intervention)
Tech Public Policy stuff
All log files are going to be off by an hour. How is that not security?
What happens between the logs that were taken just before the new DST and just after? What if there's an overlap (because the time is run an hour earlier)? What about when DST is applied/removed? You have either the same hour twice or no such hour. If you're looking for what happened between two dates/times, why should you have it work out whether there is daylight saving coming into play?
"Slashdot requires you to wait between each successful posting of a comment to allow everyone a fair chance at posting a comment.
It's been 36 minutes since you last successfully posted a comment"
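The log-timestamp concern raised in the comment above, worked through as an added example that is not part of the original thread: it compares how a host with the pre-2007f New Zealand rules and a host with the 2007f rules render the same UTC instant, and what an analyst gets when converting the stale host's local-time log stamps back to UTC. The function names and the sample instants are constructed for illustration; each rule set is applied to every year, so only instants from September 2007 onward are meaningful.

```python
from datetime import datetime, timedelta

STD = timedelta(hours=12)  # NZST = UTC+12
DST = timedelta(hours=13)  # NZDT = UTC+13

# (month, which Sunday): 1..4 counts from the start of the month, -1 is the last.
OLD_RULES = {"start": (10, 1), "end": (3, 3)}   # tzdata before 2007f
NEW_RULES = {"start": (9, -1), "end": (4, 1)}   # tzdata 2007f and later


def sunday(year, month, which):
    """Midnight on the requested Sunday of the month (naive datetime)."""
    if which > 0:
        d = datetime(year, month, 1)
        d += timedelta(days=(6 - d.weekday()) % 7)       # first Sunday
        return d + timedelta(weeks=which - 1)
    first_of_next = datetime(year + (month == 12), month % 12 + 1, 1)
    d = first_of_next - timedelta(days=1)                # last day of month
    return d - timedelta(days=(d.weekday() - 6) % 7)     # last Sunday


def transitions(year, rules):
    """UTC start and end of the DST season that begins in `year`."""
    start = sunday(year, *rules["start"]) + timedelta(hours=2) - STD    # 02:00 NZST
    end = sunday(year + 1, *rules["end"]) + timedelta(hours=3) - DST    # 03:00 NZDT
    return start, end


def dst_active(utc, rules):
    """True if the naive UTC instant falls inside a DST season."""
    for year in (utc.year - 1, utc.year):
        start, end = transitions(year, rules)
        if start <= utc < end:
            return True
    return False


def to_local(utc, rules):
    """Wall-clock time a host with these rules writes into its logs."""
    return utc + (DST if dst_active(utc, rules) else STD)


def from_local(local, rules):
    """UTC instants that map to this wall-clock time.

    Empty list: the local time never occurred (spring-forward gap).
    Two entries: the local time occurred twice (fall-back overlap).
    """
    return [local - off for off in (DST, STD)
            if to_local(local - off, rules) == local]


def reconstruction_error(event_utc):
    """Error an analyst makes when reading a stale host's local-time stamp
    with the correct rules, one entry per candidate UTC instant."""
    stamp = to_local(event_utc, OLD_RULES)        # what the unpatched host logged
    return [c - event_utc for c in from_local(stamp, NEW_RULES)]


if __name__ == "__main__":
    event = datetime(2007, 10, 1, 20, 30)         # constructed sample instant (UTC)
    print("unpatched host logs:", to_local(event, OLD_RULES))
    print("patched host logs:  ", to_local(event, NEW_RULES))
    print("reconstruction error:", reconstruction_error(event))
    print("stamp in the gap:", reconstruction_error(datetime(2007, 9, 29, 14, 30)))
    print("overlap hour:", from_local(datetime(2008, 4, 6, 2, 30), NEW_RULES))
```

Logging in UTC, or in local time with an explicit offset, removes the dependency on the rule set when timestamps are read back.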
Crazy mods... see sibling post for why GMT-13 is right.
> Sure, and if you want to put up with the possibility that, eg, trying to use tab-completion will cause your shell to dump core then, by all means, use testing.
Never happened to me.
Personally, I find that Debian testing is more stable than the other distros' supposedly stable versions. Except Ubuntu, maybe, but they build on Debian.
In an ideal world would Tux go chimney-to-chimney world round in a single clockcycle and force all linux users to update tzdata at gunpoint?
Sure. This is not an ideal world.
In this non-ideal world the updated version of tzdata was added to etch-volatile at the end of July. That's a full two months anyone who needed it could've done extensive research about how to get it. http://packages.qa.debian.org/t/tzdata/news/20070731T155541Z.html
If you're a single debian etch user in NZ then simply install the update manually. Takes what, half a minute at best?
If you're admin of a lot of etch systems you should either put volatile in your repository list or (I like this better) set up a local repository on your own network so that you can roll out exactly the packages and versions you want.
And for the sake of anyone who does need this package and is patiently waiting. Stop waiting.
http://packages.debian.org/etch-volatile/tzdata/all/download
It's right there.
-HobophobE
Nothing laughs forever.
Debian is around 250 million lines of code, and has support for 11 architectures. There are about 1,000 developers working on the project. It is one of the largest software projects ever. The only reason they are able to continue to move forward, and not collapse under their own weight, is because they have a well thought out policy and they adhere to it. So no, they should not "just make an exception", especially in this case where there is an easy and straightforward way for people to get the fix as is without having to break policy.