
Debian Struggling With Security

Zonk posted more than 9 years ago | from the invaders-at-the-gates dept.


Masq666 wrote to mention a ZDNet article discussing difficulties Debian is having with security updates. From the article: "...Lack of manpower also appears to be adding to Debian's security woes. Michael Stone, another member of Debian's security team, expressed his frustration to the organisation's security e-mail mailing list in mid-June, saying there was no effective tracking of security problems."


It seems as if (-1, Troll)

Anonymous Coward | more than 9 years ago | (#12989046)

NO ONE CARES, you fucking fail it Zonk

1992 Called... (1)

1992 Called (893858) | more than 9 years ago | (#12989056)

You were right!

Re:It seems as if (0)

Anonymous Coward | more than 9 years ago | (#12989377)

Is anyone surprised that this worthless article became just a huge troll-fest?

I ditched debian over the weekend (-1, Troll)

winkydink (650484) | more than 9 years ago | (#12989052)

and switched to CentOS (RHEL clone). I was burned one too many times by applying an update that hosed a running configuration. I didn't have that problem back before I switched from RH 7.x some time ago. I hope the CentOS folks have as good a record as the RH of old.

Re:I ditched debian over the weekend (1)

heauxmeaux (869966) | more than 9 years ago | (#12989097)

"I'd rather be a lightning rod than a seismometer." -Ken Kesey

Either way, he's still a tool.

Re:I ditched debian over the weekend (2, Interesting)

Zemplar (764598) | more than 9 years ago | (#12989114)

Switch to Solaris 10. Even in the very unlikely event you hose your system, just reboot from your last "live upgrade" partition and you're back into production.

Re:I ditched debian over the weekend (1)

winkydink (650484) | more than 9 years ago | (#12989135)

I'm sure the learning curve of switching from Linux to Solaris is a bit steeper than from one Linux variant to another, though I may be mistaken. Also, this system is a dual P3-600. How's Solaris 10 run on 5-yr old hw?

Re:I ditched debian over the weekend (0)

Anonymous Coward | more than 9 years ago | (#12989148)

Solaris runs great on old hardware; though it eats more RAM than Linux, it is just as fast if you have enough (quite a bit faster for most I/O intensive stuff like servers).

Re:I ditched debian over the weekend (1)

Linker3000 (626634) | more than 9 years ago | (#12989167)

Darn, that even beats my Dual PIII-450 running CentOS3 (going to CentOS4 tomorrow)

that's because it's Linux (-1, Flamebait)

Anonymous Coward | more than 9 years ago | (#12989053)

an inherently insecure operating system.

Compare OpenBSD and any Linux you can think of. 'Nuff said.

Hello! (-1, Troll)

Anonymous Coward | more than 9 years ago | (#12989058)

VAGINA!

Solution is obvious, move to Windows (5, Funny)

VisualVoice (592060) | more than 9 years ago | (#12989059)

They have a huge team focusing on security.

Re:Solution is obvious, move to Windows (-1, Flamebait)

Anonymous Coward | more than 9 years ago | (#12989168)

Good point.

Re:Solution is obvious, move to Windows (0)

nxvl (889880) | more than 9 years ago | (#12989216)

that's why he has so many viruses

Close: Switch to OS X (-1, Troll)

Anonymous Coward | more than 9 years ago | (#12989417)

1. More secure than Linux
2. Faster than Linux
3. More advanced than Linux
4. Easier to use than Linux
5. Backed by a successful company
6. Programmed by professional coders, not amateurs
7. Not "open source" like Linux, so it is more secure and better able to deal with hackers.
8. Apple actually owns the code to OS X. Most Linux code was stolen from SCO and Sun.

The list goes on.

Think different. Think better. Think Apple.

Pick any two (5, Insightful)

mcrbids (148650) | more than 9 years ago | (#12989063)

Secure, Convenient, Cheap.

Pick any two.

(General rule, but it does generally follow)

Re:Pick any two (1)

Bluesy21 (840772) | more than 9 years ago | (#12989093)

Unless you're MS and then you only pick one....I'll leave it up to you to guess on which one ;)

Re:Pick any two (4, Funny)

diamondsw (685967) | more than 9 years ago | (#12989248)

Or pick Windows and get none!

Re:Pick any two (0)

Anonymous Coward | more than 9 years ago | (#12989439)

Actually, Windows will get you Convenient and Cheap. Not Secure.

Convenient because you don't have to use the command line hardly ever.

ahem (0)

Anonymous Coward | more than 9 years ago | (#12989280)

Faster, better, cheaper
(general rules generally generally follow)

Re:Pick any two (1)

hunterx11 (778171) | more than 9 years ago | (#12989291)

I thought it was secure, fast, cheap. And I thought I knew which two Debian had picked :)

Re:Pick any two (4, Interesting)

HawkingMattress (588824) | more than 9 years ago | (#12989339)

Yep, but it doesn't apply here. Debian can be secure, convenient and cheap. It could probably be more secure and less convenient, but still it is generally a very secure distro... and it's certainly cheap and convenient too.
The problem is not that you can't mix those three in Debian's particular setting, it's that the Debian team seems to severely lack redundancy. Read: one person has obligations somewhere else and the whole stable security updates process hangs!
I really hope that Debian is going to do something about it fast, and in a definitive way. I don't want to run something other than Debian, really. But this is really embarrassing, especially if you have production servers running sarge. And this situation ain't new; Slashdot was very slow to catch it but I read about it last week. Things haven't moved a lot since (well, 1 security update was released, but some major exploits have been found in iirc at least two other packages, and nothing coming yet... Other distros had everything fixed by the end of last month)

I think Debian should clarify the issue, and call for help if it's necessary. And maybe simplify the whole debian democratic process if as it seems from the outside every decision has to go through days and days of pointless discussion.

Re:Pick any two (2, Interesting)

GNUALMAFUERTE (697061) | more than 9 years ago | (#12989394)

Slackware is secure.
Slackware is convenient (I know that many will say otherwise, but if you have Unix experience, it's the best solution, really easy to manage).
It's cheap, it doesn't contain any proprietary software.

Also, Debian can be as safe as Slackware; the problem with this kind of distro (Debian) is that the people using it pretend that someone else takes care of their security. A sysadmin doesn't need some stupid organization to submit patches to him automatically or anything like that. He just has to download and compile all of the critical services of his system, and update them when necessary. Anyone that says otherwise is an amateur, not a sysadmin, and if he's an amateur, he shouldn't be running any system bigger than he can manage, and he shouldn't run any critical services, and for the kind of things that an amateur should host, the kind of security provided by almost any Unix system is more than enough. The problem with all this shit is that there are lots of amateurs out there calling themselves sysadmins ...

Re:Pick any two (1)

jguthrie (57467) | more than 9 years ago | (#12989454)

How do you determine which version of a given program is installed on a Slackware system?

Re:Pick any two (1)

GNUALMAFUERTE (697061) | more than 9 years ago | (#12989529)

First of all, a sysadmin *must* know exactly what he has in his system, but, if you need to know, 99.99% of Unix software has a --version option ...

Re:Pick any two (0, Flamebait)

Approaching.sanity (889047) | more than 9 years ago | (#12989459)

Try Ubuntu.

The most secure option (-1, Offtopic)

Bananatree3 (872975) | more than 9 years ago | (#12989064)

is simply to turn the computer off.

but if that is not possible, why not fly to the middle of the Sahara with a laptop, solar panel and gear, and just do your business there. No worry about hackers, or physical attacks. :)

Re:The most secure option (1)

plasticsquirrel (637166) | more than 9 years ago | (#12989223)

but if that is not possible, why not fly to the middle of the Sahara with a laptop, solar panel and gear, and just do your business there. No worry about hackers, or physical attacks.

How is this even relevant to an article about the difficulties the Debian people are having with their security approach? Not only is what you suggest off-topic, but it is ridiculous. Most companies are interested in still having useful computers while keeping a sane security model.

Personally, I have noticed that as distributions get larger, they also get harder to maintain and more difficult to change, as more people are required for the basic maintenance of the software. On the other hand, more compact Linux/BSD distributions are often known for their security and stability (OpenBSD, Slackware, NetBSD). I hope that the Debian people can get the distro back on track and manageable again.

Re:The most secure option (2, Funny)

Metteyya (790458) | more than 9 years ago | (#12989271)

Actually, being American in the Sahara (and the whole Muslim-dominated North Africa) makes you pretty prone to physical attacks :).

simple solution (5, Funny)

Geekboy(Wizard) (87906) | more than 9 years ago | (#12989073)

$ apt-get update security-officer

Problem Solved.

(Its funny. Laugh.)

Re:simple solution (2, Funny)

goofyheadedpunk (807517) | more than 9 years ago | (#12989085)

If you actually have to tell us it's funny, is it really?

Re:simple solution (0, Redundant)

nick-less (307628) | more than 9 years ago | (#12989105)

If you actually have to tell us it's funny, is it really?

You must be new here...

Re:simple solution (1)

Gogo0 (877020) | more than 9 years ago | (#12989116)

You KNOW that someone out there tried it...


me

Re:simple solution (1)

montreal!hahahahah (880120) | more than 9 years ago | (#12989124)

Speaking of unfunny....

"What if the entire Universe were a chrooted environment with everything symlinked from the host? "

Re:simple solution (2, Funny)

Anonymous Coward | more than 9 years ago | (#12989265)

That was so stupid I unlaughed and sucked the happiness from the room.

Re:simple solution (1)

cortana (588495) | more than 9 years ago | (#12989150)

It would be "apt-get install security-officer" anyway.

Re:simple solution (1)

Azrel666 (842460) | more than 9 years ago | (#12989175)

Surely, if it's lack of manpower, then; $ apt-build security-officer =)

there was no effective tracking of security probl (2, Funny)

frovingslosh (582462) | more than 9 years ago | (#12989076)

there was no effective tracking of security problems

Now that this has been published on /. it will have to be revised to "no effective tracking of security problems by the good guys".

How the mighty have fallen... (3, Insightful)

Gorath99 (746654) | more than 9 years ago | (#12989084)

Disturbing to see how the distro that was always renowned for its reliability is now having such troubles.

I wish the debian team all the luck in the world in fixing this matter. They're in a difficult position now that they're both lagging behind (though much less so than a while back) and cannot claim unparalleled reliability.

Re:How the mighty have fallen... (3, Insightful)

Ingolfke (515826) | more than 9 years ago | (#12989236)

I wish the debian team all the luck

I think this is probably part of the problem... too many people are wishing them luck and not enough people are actually doing anything to address the problem.

Re:How the mighty have fallen... (1)

arivanov (12034) | more than 9 years ago | (#12989240)

First, there is a policy problem here. If a security update is not available due to lack of build systems for a specific architecture (ARM), well, so be it. It should not hold up the updates for all remaining architectures the way it does now.

And if someone wants to see security updates for this specific architecture (ARM) they might as well donate. The only ARM motherboards usable for a build system are the developer toolkits and these cost money.

Just get SuSE, it works great and is secure. (0)

Anonymous Coward | more than 9 years ago | (#12989327)

I played around with just about every distro on the planet, and finally switched to SuSE. Because I want to *use* my Linux computer, not constantly have to dork around with it. SuSE's security is rock solid too, and with Yast Online Updates it retrieves and applies all the latest security patches as effortlessly as Windows Update on an XP box.

Now If This Was Microsoft... (3, Insightful)

Anonymous Coward | more than 9 years ago | (#12989086)

The tone of the story would be laden with arrogance and derision towards the "Borg", painfully unfunny and unoriginal jokes would follow, and everyone would point to Apple and Linux as the greatest and most secure OSes on the planet.

But since it's not Microsoft, it's a fairly sober writeup, and Microsoft jokes would just follow a little bit later.

Funny how things work here at Slashdot. No, I'm not new here. I'd just figure some people would grow up sooner or later.

Re:Now If This Was Microsoft... (0)

Anonymous Coward | more than 9 years ago | (#12989119)

God, I hope you get modded up for this. It needs to be seen.

Re:Now If This Was Microsoft... (1)

leecn (828236) | more than 9 years ago | (#12989211)

Don't be such a whinger.

Debian is way more secure than windows, how long do you think it would take the average debian box (connected to the net and unfirewalled) to get owned?

I like your style though, posting as AC while claiming not to be new.

Re:Now If This Was Microsoft... (1)

Pooh22 (145970) | more than 9 years ago | (#12989279)

The thing you're not taking into account is that Debian's security team, while having a professional attitude, are volunteers. Microsoft has more money than it can spend (legally), so has no excuse in terms of "lack of manpower", unless they don't exist on the planet.

Come to think of it, perhaps they're all working at Microsoft? Or maybe Microsoft could help out the Debian guys by funding some FTEs for Debian's security team, since it will help secure the Internet (which runs for a large part on Debian systems anyway ;-)

Cheers

Simon

Re:Now If This Was Microsoft... (1)

The Bungi (221687) | more than 9 years ago | (#12989506)

The thing you're not taking into account is that Debian's security team, while having a professional attitude, are volunteers. Microsoft has more money than it can spend (legally), so has no excuse in terms of "lack of manpower", unless they don't exist on the planet.

Interesting. So given enough money, security problems with Microsoft product must be ascribed to... Laziness? Stupidity? Malice? Incompetence?

The counterpoint of this being of course that since "given enough eyeballs all bugs are shallow" we must ascribe security problems in Debian to... Laziness? Stupidity? Malice? Incompetence?

Or maybe it doesn't really matter, does it? Or do you think that throwing money|volunteers at a problem will fix it?

BTW, you are hereby given notice about using the "but they're volunteers" excuse. Linux is supposed to be an enterprise-class secure, stable operating system regardless of whether it's being sold, given away or traded for cheezy knobs. Or so I've heard around here.

Re:Now If This Was Microsoft... (3, Insightful)

Brandybuck (704397) | more than 9 years ago | (#12989292)

I'd just figure some people would grow up sooner or later.

Oh we do indeed grow up. Unfortunately Slashdot has an unending supply of new posters straight out of kindergarten who have no problems at all firmly believing in the rightness of double standards and the logic of conflicting axioms.

Re:Now If This Was Microsoft... (1, Interesting)

Anonymous Coward | more than 9 years ago | (#12989317)

This is slashdot, news for nerds who have a psychological need to identify with the underdog in every situation.

Seriously, I think it's the result of being the outcast for most of one's childhood. By believing that the outsiders Linux/Apple are the best, they elevate themselves by proxy.

Debian says ./ quotes suck (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#12989091)

"It would save me a lot of time if you just gave up and went mad now." - these are lame quotes. Before ./ was sold the quotes were awesome.


Boring jobs (3, Insightful)

ignorant_coward (883188) | more than 9 years ago | (#12989113)


It isn't any surprise that the boring and the mundane tasks fall short in manpower.

This is why there needs to be more commercial involvement in FOSS, so that people who just want a day job and a paycheck can do these sorts of things.

Re:Boring jobs (0)

Anonymous Coward | more than 9 years ago | (#12989131)

Okay, please tell me how you pay for these people who need a paycheck.

Debian doesn't exactly have a profit generation model.

Re:Boring jobs (0)

Anonymous Coward | more than 9 years ago | (#12989227)

That's your problem. You wanted open source, now you've got it.

Re:Boring jobs (0, Flamebait)

suitepotato (863945) | more than 9 years ago | (#12989259)

Which is exactly the problem with F/OSS. First, it is overloaded with anti-capitalist yahoos who want everything for free; second, the license structure is befuddling and split between several ideas of how such things should work; and third, you have a zillion people writing a zillion things as the base from which to work with, and now you're expected to rein in the chaos and somehow defy the very F/OSS model to make money?

Not conducive to success at all. Meanwhile closed source is still making kick ass money that F/OSS people can only wish they'd ever see. The kind of money that Debian could use.

Re:Boring jobs (0)

Anonymous Coward | more than 9 years ago | (#12989372)

And yet despite all that, the vast majority of computer security breaches happen to closed source software. It looks like the "kick ass money" the customers are spending hasn't been used to develop effective security. The customers of closed source vendors are simply getting ripped off.

Re:Boring jobs (3, Insightful)

SirSlud (67381) | more than 9 years ago | (#12989526)

I understand what you're trying to say with your sig, but when you're as smug as you seem to be, you lose the privilege of calling somebody else on their biases.

That out of the way, capitalism is about capitalizing labour; that is, putting people together that create more value than if they worked separately. That is the fundamental reason why we CAN sell things; we're able to capitalize labour and create things for less cost than would be borne by people if everybody created said thing individually.

Statements like yours are grossly off the mark. BSD licenses, and any other open source licenses that allow you to use the source but not have to open up your own, have helped many a person make money. What folks like you fail to realize is that you use the term open source as if it's a catch-all for anybody creating software for free. In fact, irony of ironies, the patent system was designed to FORCE your methods and secrets into the open in return for protection from the government. So who's being anti-capitalist now? The very tenets of innovation in capitalism are strongly tied to having people share information. The anti-capitalist yahoos of whom you speak simply have a much broader, more historically accurate understanding of the balance between technological progress and motivation to innovate. I'm not against selling stuff, I'm not against capitalism, I'm simply suggesting that once the fear dies down in a decade or so, and code itself becomes more commoditized, it will be in the interest of those who wanna make a shit load of money to patent software based on the source, not a description of what the thing does.

Look at early patents; it's not what you can do, it's HOW you do it. It's the means, not the end. Nobody could patent the generation of electricity; only METHODs for generating electricity. I predict that at the rate of current software patent filing, litigation will become too expensive for the market versus the costs of opening up source in order to protect your invention. I guess that's ironic, given people's fear of open source licenses.

Re:Boring jobs (1)

ignorant_coward (883188) | more than 9 years ago | (#12989494)

Okay, please tell me how you pay for these people who need a paycheck.

Sun, IBM, HP, Novell, Red Hat, SuSE, etc. for non-Debian FOSS development.

Debian doesn't exactly have a profit generation model.

That was the path they chose.

Too many packages? (5, Interesting)

slavemowgli (585321) | more than 9 years ago | (#12989118)

It's just a random thought, but have the Debian people ever contemplated whether their problems in this regard may stem from the fact that they have too many packages? The package list [debian.org] for the latest stable lists an incredible 16834 individual packages, and even though there are many programs which come in different flavours and thus contribute as more than one package, this still is a huge number.

I can certainly see why security management becomes a problem here. Maybe the Debian project should cut down on these and see just how many packages are really needed.

Re:Too many packages? (2, Insightful)

sneakers563 (759525) | more than 9 years ago | (#12989196)

I wonder whether it's that, combined with the effort required to backport security fixes to versions that are often (let's face it) several years old. I'm not trying to start a flamewar, but I'm curious, why does backporting a security fix make for a more "stable" program than simply embracing a new version of the software that's been fixed upstream? It seems like the upstream people would do a better job anyway, as they are presumably more familiar with the software to begin with. Or is it that when the Debian people say "stable", they mean a stable feature set and not necessarily stable security-wise?

Re:Too many packages? (2, Insightful)

jpc (33615) | more than 9 years ago | (#12989281)

It is certainly the case that many upstream maintainers really don't care about old versions of their software (and if different distros are using different old versions, so much the worse). The problem is if it is something that other packages depend on and you end up in a hell of many twisty interfaces, all different.

I wouldn't support packages in stable that cannot guarantee to keep their interfaces stable for a reasonable period. They could be available as addons with no guarantees of security fixes.

I think the situation is a bit better than it was as interfaces in things like gnome stabilise and people work out how to manage very big very distributed projects like that.

Re:Too many packages? (1)

slavemowgli (585321) | more than 9 years ago | (#12989290)

The idea, I think, is that new versions of a program might introduce behaviour changes that you don't want to force on people running production systems and just updating packages to fix security holes - so yes, that's what I'd say "stable" means. It not only tells you that the software is (supposedly) tested and tried, but also that you will not get unrelated changes even when you update within that branch.

This is why projects will often release updates to older branches when a security hole is found, too.

Re:Too many packages? (1)

CAPSLOCK2000 (27149) | more than 9 years ago | (#12989302)

You shouldn't read stable as in "doesn't crash" but as in "doesn't change".
A newer upstream version may be very different from the older version, e.g. by having a different format for the configuration file. This is a pure nightmare for system administrators.
Debian's way of doing stable is one of the reasons why the corporate world likes it so much.

Re:Too many packages? (4, Insightful)

lakeland (218447) | more than 9 years ago | (#12989320)

Consider a situation where a server has been set up and is running well in a company. That server has been working for several years, and while it may not have whiz-bang features, it keeps working every day just as well as it did the day before -- nothing ever breaks.

Now, if a security issue is discovered in a package running on that machine, they do not want to upgrade to the latest release because they would worry about what it changes -- they want that one issue fixed and everything else to continue the same as before. Debian Stable is designed for people like this, the joke at the end of your post was actually close to the truth -- people really do want debian stable to be stable feature wise.

Consider another situation, where somebody wants a fairly reliable and a fairly up-to-date server. When a bug is discovered, and especially security-related bugs, they'd like an updated package. On the other hand, they don't want to be sent the latest buggy software, they'd like it restricted to software that appears pretty stable. Debian Testing is designed for people like this.

It sounds from your post that you cannot imagine people preferring a quirky, somewhat old, consistent distro over one kept up to date with bug fixes. I assure you that there is a large market for the stable distro, but if you are not in that market, there are plenty of others available.

Re:Too many packages? (1)

sneakers563 (759525) | more than 9 years ago | (#12989467)

the joke at the end of your post was actually close to the truth -- people really do want debian stable to be stable feature wise

Actually, I wasn't joking, I wasn't sure if that was really the goal of stable or not.

Granted, I haven't poked around the Debian website in a while, but it seems like they could do a little better job of explaining that. It was always my impression that you didn't get security updates with 'testing' and 'unstable'. Perhaps they should make more of a point of stating that you do, in fact, get security updates with testing and unstable, perhaps even sooner than in stable, but that the behavior/features of the program may change.

Anyway, sorry if I seem totally clueless. I've never really seen anyone explain the stable feature set vs. "no crashes" distinction before.

Build dependencies change (1)

coyote-san (38515) | more than 9 years ago | (#12989427)

I've built my own "unstable on stable libc/perl" packages and after a while dependencies will kill you. The latest version of a package requires A, A requires B, B requires C, and the new version of C breaks a lot of things.

Security backports require more effort, but they're unlikely to trigger cascading updates.

Re:Too many packages? (0)

Anonymous Coward | more than 9 years ago | (#12989451)

but I'm curious, why does backporting a security fix make for a more "stable" program then simply embracing a new version of the software that's been fixed upstream?

I personally hate it when I upgrade a package to a new version and the software subsequently crashes (*cough*postgresql*cough*) because 1) they didn't document changes to the config files and 2) they didn't gracefully handle attempting to operate using an out of date configuration. That's only a small part of what makes Stable stable. You have feature set changes (which image library is your app using this week, and does it or does it not support .gif or .png?), UI changes (Hey, The Gimp looks totally different today than it did yesterday!), and so on...

Re:Too many packages? (1, Insightful)

Anonymous Coward | more than 9 years ago | (#12989199)

Well, they should definitely cut down the packages that are considered "securable" by the core security team. There should be a large category of "contrib" (but that means something funny in Debian, free software that depends on non-free, so a different name...) packages such as minority mail servers and web servers which aren't treated with quite the same importance as postfix and apache, say: if you install them, it invalidates a "main line security" flag.

That's NOT to say the "contrib" packages would be insecure, just that all responsibility for security of the package and its interactions with other packages would be up to the packager and packager user community.

But people's resumes! (1)

Eunuch (844280) | more than 9 years ago | (#12989230)

People need these packages in Debian to help their career! They wrote something primarily to get a job. Suddenly a bunch of resumes are outdated. Jobs, jobs, jobs!!!

Re:Too many packages? (5, Funny)

Chmarr (18662) | more than 9 years ago | (#12989276)

Well, it works for the OpenBSD people... OpenBSD is the most secure system out of the box because the box is really small, and it's hard to get it open :)

My karma is now really, really shot.

Re:Too many packages? (1)

slavemowgli (585321) | more than 9 years ago | (#12989323)

True. :) But it should be said that if you go beyond the basic system and add packages, OpenBSD can suffer from the same problem - packages *do* get fixed when security holes are found, of course, but they're not generally taken as seriously as the base system.

Of course, the fact that there *is* a base system that does not come in the form of packages (in the sense of pkg_addable ones, that is - the base system tarballs don't count as packages in that regard) is one thing that sets OpenBSD (and, from what I gather, *BSD in general) apart from Linux distros. Debian would probably be well-advised to adopt a similar policy, where more important packages get priority, if they don't have one in place already.

Re:Too many packages? (1)

kaarlov (259057) | more than 9 years ago | (#12989289)

And most of those packages are for eleven different architectures. Yes, I know that they don't necessarily wait for the ARM version to compile before releasing the fix for i386, but it still adds lots of work to testing.

And many of those packages are not really supported by anyone. And there is no good way to track what the status of support is for the packages you are using. Of course you can check a bug database, and if you find a security bug filed and not fixed in six months or more, you can draw your own conclusions.

The current situation, however, can be taken care of by making sure that there are enough trusted people authorized to issue security fixes as soon as they are fixed and tested.

There was a discussion a while ago about dropping some of the architectures to "second class". I don't know what the result of it was (if anything), but maybe they should divide the packages into two groups as well. It could be helpful for the release process as well, and if there were a smaller number of "premium" packages which are more or less guaranteed to be actively maintained, it would help users to assess the security status of their Debian installations more easily.
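The check the comment above describes by hand (look up each installed package, see whether a filed security bug has a fix you actually have, and notice when it has been open for six months or more) is mechanical enough to script. The following is an added example, not Debian's security tracker or any tool mentioned in this thread. It implements dpkg's version-ordering rule (epoch, then upstream version, then Debian revision, with '~' sorting before everything) so that "is the fixed version installed?" is answered the way dpkg would answer it, and then ages every unfixed issue against a tracker list. The package names, issue labels, dates and versions are constructed for the example; the tracker record layout is an assumption, not the format of any real Debian file.

```python
"""Flag installed packages whose tracked security issues are still unfixed.

Added example: not Debian's tracker, not code from this thread. The
package names, issue labels, dates and versions are constructed; the only
real rule here is dpkg's version ordering.
"""
from datetime import date


def _order(c):
    """dpkg ordering weight for one character of a version string."""
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1            # '~' sorts before anything, even end of string
    if c:
        return ord(c) + 256  # other punctuation sorts after letters
    return 0                 # end of string


def _verrevcmp(a, b):
    """Compare two upstream-version or revision strings the way dpkg does:
    alternate runs of non-digits (weighted by _order) and digits (numeric)."""
    while a or b:
        first_diff = 0
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            ac = _order(a[0]) if a else 0
            bc = _order(b[0]) if b else 0
            if ac != bc:
                return ac - bc
            a, b = a[1:], b[1:]
        a, b = a.lstrip("0"), b.lstrip("0")      # leading zeros are ignored
        while a and a[0].isdigit() and b and b[0].isdigit():
            if not first_diff:
                first_diff = ord(a[0]) - ord(b[0])
            a, b = a[1:], b[1:]
        if a and a[0].isdigit():                 # longer digit run wins
            return 1
        if b and b[0].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _parse(version):
    """Split '[epoch:]upstream[-revision]' into its three parts."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(v1, v2):
    """Return <0, 0 or >0, like `dpkg --compare-versions v1 lt/eq/gt v2`."""
    e1, u1, r1 = _parse(v1)
    e2, u2, r2 = _parse(v2)
    if e1 != e2:
        return e1 - e2
    return _verrevcmp(u1, u2) or _verrevcmp(r1, r2)


# Constructed sample data (hypothetical packages, labels, dates, versions).
TRACKER = [
    # (package, issue label, date reported, version carrying the fix or None)
    ("pkg-a", "issue-1", "2005-06-21", "1:1.2.1-1.4"),
    ("pkg-b", "issue-2", "2004-12-01", None),
    ("pkg-c", "issue-3", "2005-05-10", "2.0-3"),
    ("pkg-d", "issue-4", "2005-06-01", None),    # not installed on this box
]
INSTALLED = {"pkg-a": "1:1.2.1-1.3", "pkg-b": "0.9-2", "pkg-c": "2.0-3"}

STALE_DAYS = 180  # the "six months or more" rule of thumb from the comment


def unfixed_issues(installed, tracker, today):
    """Tracked issues hitting an installed package whose installed version is
    older than the fixing version, or for which no fix exists yet.
    `today` is an ISO date string. Returns (package, issue, age_days, fixed_in)
    tuples, oldest first."""
    now = date.fromisoformat(today)
    rows = []
    for pkg, issue, reported, fixed_in in tracker:
        ver = installed.get(pkg)
        if ver is None:
            continue                                   # package not present
        if fixed_in is not None and compare_versions(ver, fixed_in) >= 0:
            continue                                   # fix already installed
        age = (now - date.fromisoformat(reported)).days
        rows.append((pkg, issue, age, fixed_in))
    return sorted(rows, key=lambda r: r[2], reverse=True)


def stale_issues(rows, limit=STALE_DAYS):
    """Subset of unfixed rows that have been open at least `limit` days."""
    return [r for r in rows if r[2] >= limit]


if __name__ == "__main__":
    rows = unfixed_issues(INSTALLED, TRACKER, "2005-07-01")
    for pkg, issue, age, fixed_in in rows:
        status = "no fix released" if fixed_in is None else "fixed in " + fixed_in
        flag = "STALE" if age >= STALE_DAYS else ""
        print(f"{pkg:8} {issue:8} {age:4d} days  {status:24} {flag}")
```

The version comparison is the part worth getting right: a naive string or float comparison calls 1.10 older than 1.9 and 1.0~rc1 newer than 1.0, and either mistake silently reports a vulnerable box as patched. On a real system the INSTALLED dictionary would be built from `dpkg-query -W -f '${Package} ${Version}\n'` and the tracker rows from whatever list you trust; the comparison and ageing logic stay the same.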

Re:Too many packages? (2, Informative)

arivanov (12034) | more than 9 years ago | (#12989294)

That is not the problem. Problem is elsewhere.

Redhat supports x86, x86_64, i64 and some power and zSeries stuff. Compared to that Debian supports Alpha, ARM, HP PA-RISC, Intel x86, Intel IA-64, Motorola 680x0, MIPS, MIPS (DEC), PowerPC, IBM S/390, SPARC. It also has the outrageously silly policy of trying to release updates for all of them at the same time.

Frankly, all the "problematic" architectures for which there are build problems are "security through obscurity" by themselves. If an update for them is delayed by up to 2 weeks it is usually a "Who cares, only two living people know how to write an exploit for this platform anyway".

Re:Too many packages? (1)

Just Some Guy (3352) | more than 9 years ago | (#12989300)

At this second, FreeBSD's ports collection has 13127 entries, which probably puts it close to Debian's equal by the time you weed out multiple versions of Debian packages. Is FreeBSD having the same problems, or are they handling the situation, or are they just ignoring it?

Re:Too many packages? (1)

ArmorFiend (151674) | more than 9 years ago | (#12989499)

My impression is they just ignore it. But then, I'm just a noob.

But their package compilation system looks a lot like:

tar -zxf foo.tar.gz
cd foo
make
make install

That doesn't seem like a distribution-maintained package at all.

hobbyist OS? (2, Insightful)

OffTheLip (636691) | more than 9 years ago | (#12989137)

Not to start a flamewar (well, maybe a little) - OSS will need to meet the challenge of managing all of the little details of a widely accepted OS. Red Hat is grappling with that problem now with some success. Having what you believe to be a better widget is not enough.

Bits of News (2, Interesting)

Masq666 (861213) | more than 9 years ago | (#12989146)

I originally posted this on http://bitsofnews.com/ [bitsofnews.com] but decided to post it on Slashdot also. It's a bit sad though that Debian is struggling with its security updates. Debian used to be a nice distro, but I've changed to Suse myself due to the lack of updates.

Let it go Louie (2, Insightful)

inherent monkey love (875830) | more than 9 years ago | (#12989155)

Yes, Debian was *the* technically superior linux distribution for a long time. Those days are pretty much over folks. In fact, I'm surprised that the "BSD is dead" crowd doesn't have a similar mantra for Debian.

There are plenty of well-managed, technically sweet linux distributions out there. Some of them even use apt as their package manager. Let's just agree to learn from what Debian was, and move on to something better. I'll leave the holy war of what "something better" is to the rest of the zealots.

Re:Let it go Louie (2, Funny)

Ingolfke (515826) | more than 9 years ago | (#12989278)

Ah yes, it sounds like Debian has followed Gentoo and BSD down the path to oblivion.

Debian alternatives? (1)

RelliK (4466) | more than 9 years ago | (#12989164)

So, if you've used Debian before and then migrated to something else, do tell. Is there anything that compares to apt-get? (no, urpmi is NOT it).

Re:Debian alternatives? (1)

BrianHursey (738430) | more than 9 years ago | (#12989225)

I went from using Debian for 3 years to Gentoo this past winter. I like portage. It is not as fast as apt, but you get all your programs compiled specifically for your system. For me, with an older laptop, that makes life much easier.

Re:Debian alternatives? (1, Informative)

Anonymous Coward | more than 9 years ago | (#12989229)

I tried Fedora with yum and it was surprisingly good. However, Ubuntu and apt-get has been great and that's what I've been using lately.

Re:Debian alternatives? (1)

Ingolfke (515826) | more than 9 years ago | (#12989263)

I use this [microsoft.com] and this [cygwin.com] and it works like a charm.

Re:Debian alternatives? (1)

Chmarr (18662) | more than 9 years ago | (#12989314)

'yum update' (for RPM-style distributions) works very nicely, thank you.

However, while it does feel like a 'front end to rpm' much more than apt-get feels like a front end to dpkg... that's just fine by me. I LIKE things that are distinctly layered

Re:Debian alternatives? (1)

swv3752 (187722) | more than 9 years ago | (#12989330)

Mandrake/Mandriva with urpmi.

RPM is a technically better package manager than dpkg. With the sources list updated, there have been no dependency hell problems. It automatically downloads and installs packages and their dependencies. It works better than YUM, works better and quicker than portage, and is at least as good as apt-rpm (in many ways superior, but only because of a better-maintained server list).

Re:Debian alternatives? (1)

tulsadsl (794599) | more than 9 years ago | (#12989362)

I too have gone the Ubuntu route, and I'm quite happy with it. I take that back, I'm frankly ecstatic about it. I've spent most of my life on Windows, but moving a couple of my servers to Ubuntu has saved me a ton of headaches, not to mention it's helped me touch up some skills.

Re:Debian alternatives? (1)

snorklewacker (836663) | more than 9 years ago | (#12989519)

Ubuntu takes debian's "no patches except for security, EVER" as well, and then still expects to have a desktop system that end-users will want to use.

As long as you don't use firefox. The only way to get any extensions or themes with Ubuntu's version of Firefox is to go into about:config and manually edit the vendor_sub version string yourself. Ubuntu can't be bothered to do this because, well, it could constitute a patch. Their answer is to wait 4 months or so for Breezy, which will then have its own updated snapshot that will then never have anything upgraded that isn't strictly security-related.

I find this inflexible adherence to procedure simply mindless. I would prefer a distribution that's stable because maintainers actually exercise good judgement.

Re:Debian alternatives? (1)

KenFury (55827) | more than 9 years ago | (#12989391)

I have used Debian since 2000 or so and have slowly been moving boxes to FreeBSD for the last 6 months or so. It has everything I loved in Debian: files are put in sane places, stable, not bleeding edge but current enough. It also has a good-sized community that in a lot of ways reminds me of Debian. And going to your question, it has a package management system that actually works. Since FreeBSD came out with the 6-current series it even has a "Sid".

Re:Debian alternatives? (2, Informative)

Just Some Guy (3352) | more than 9 years ago | (#12989447)

I'm also in the moved-to-Gentoo camp, although I also use FreeBSD in a lot of places (including several desktops). I guess I like the extra configurability of source-based systems over binary Linux distros.

For example, Debian currently lets me choose between "openssh-client" version 4.1p1-4, or "ssh-krb5" version 3.8.1p1-8; I have to pick between a recent version or Kerberos support.

I still like Debian and its derivatives, but I decided that it imposed constraints that I was not personally willing to work under.

Don't even get me started on the unavailability of X.org and KDE 3.4. Although there's nothing about source-based system that makes them inherently more up-to-date, it seems like the big names (FreeBSD and Gentoo) seem to do a better job of it than the binary distros have been able to manage. Perhaps there's something to be said for supporting a relatively small number of hardware platforms. Gentoo even supports platform-specific versioning, so x86 users can play with the latest and greatest apps, even if they don't build on m68k.

To each his own, of course. Those are the reasons I made my decision, but I'm sure they're far from universal.

This is impossible. (-1, Flamebait)

Anonymous Coward | more than 9 years ago | (#12989180)

Everybody knows that there are no problems whatsoever with Linux or Open Source Software / Free Software. Anybody who claims otherwise is a Micro$oft (the '$' IS mandatory!) shill and should be disregarded.

All hail Linux!

No Surprise (0, Flamebait)

RickHunter (103108) | more than 9 years ago | (#12989194)

This shouldn't surprise anyone who's had to deal with a lot of Debian developers. The KDE ones, for example, constantly complain - on public mailing lists, no less! - about being too busy to forward bugs to upstream or merge in fixes. There are some amazing people working for the project, but also a lot of clowns who want to ride the name.

Current issues (2, Informative)

cortana (588495) | more than 9 years ago | (#12989213)

http://newraff.debian.org/~joeyh/stable-security.html [debian.org] is an incomplete list of issues currently affecting stable. It's not 100% correct; in addition to the provisos at the top of the page, it doesn't seem to know about recent updates such as this morning's Gaim update [debian.org].

welp.. (0)

Anonymous Coward | more than 9 years ago | (#12989222)

I guess the old saying "you get what you pay for" comes into play here. I'm not surprised that nobody wants to secure the OS - they aren't getting paid for it.

You'd have better luck walking up to some stranger on the street & asking for 3 months of uninterrupted charity work. That's basically what debian needs to survive, times ten.

Is unstable possibly better? (1)

sneakers563 (759525) | more than 9 years ago | (#12989237)

I wonder, if unstable gets the "latest and greatest", so to speak, are there times that it gets security fixes before "stable"? The article mentions that Gentoo got a fix before Debian, presumably when it was fixed upstream. Did Debian unstable get the fix at the same time?

Ubuntu (1, Troll)

Apreche (239272) | more than 9 years ago | (#12989246)

This is at least partially because of the attention that Ubuntu is getting. And rightfully so. IMHO in most situations today, especially desktop situations, an Ubuntu install is vastly preferable to a Debian install. It is the same Debian quality you are used to while simultaneously being even easier than Fedora.

I'm not saying kill Debian, everyone bail to Ubuntu. I'm saying that there is competition for manpower in the open source world. And in a capitalistic/darwinistic manner it's going to be the fittest that survive. And if another project takes your manpower away because it is better in some aspects, then that is what will happen.

I've used Debian and I've used Ubuntu. And I can say that I no longer find much reason to use Debian anymore at all. This story doesn't surprise me in the least.

Troubles headed downstream? (0)

Anonymous Coward | more than 9 years ago | (#12989251)

How are the downstream distributions coping with the upstream problems?

The Debian site, http://www.debian.org/misc/children-distros [debian.org] , itself lists over 30 children distributions.

Security support is ill-suited to open source (4, Insightful)

cperciva (102828) | more than 9 years ago | (#12989304)

Woah! Wait a moment before you start flaming me on the basis of my subject line...

The problem of providing security support is ill-suited to being solved by the traditional "mob of volunteers" approach which describes most open source development. When you're doing development, it doesn't matter if you have five people coding one week and nobody doing any coding the next week; but when it comes to dealing with a constant stream of security issues which are being reported (in particular, from upstream vendors), it is important to guarantee that there will be someone around to deal with them. When the entire security team consists of people who have other full-time jobs, it's impossible to make sure that someone will be around when they are needed.

The job of "security officer" is really one which should be a job, not a role-played-by-a-volunteer. Go out and raise some money to pay for your security officer, so that he is able to always be available when he is needed, because if he needs to get some other job to support himself, he won't be around when you need him.

OpenID eh? Nay nay. (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#12989448)

Michael Stone,... Expressed his frustration... Saying there was no effective tracking of security problems

Maybe they should be using OpenID, eh? This is my first post on ./

Now mod me +5 funny or I'll come in the night eh castrate you a-la-sin-city-style.

Laugh. Itsajoke.

This makes me laugh... (0)

Anonymous Coward | more than 9 years ago | (#12989509)

Sorry! But Debian doesn't need constant upgrades!

It is already sooo much more secure than everybody's favorite whipping boy, Windows, that I don't need @#$%%^^... [NO CARRIER]

Just a bad joke! I am still here and so are most people running Debian. The only ones who dropped off are Windows users, whose machines show a lifetime of about 12 minutes connected to the Web unprotected!

Blow me, Windows users! When you can show an unprotected corruption time even approaching 12 minutes for Debian, then post this again!