Debian Struggling With Security
Masq666 wrote to mention a ZDNet article discussing difficulties Debian is having with security updates. From the article: "...Lack of manpower also appears to be adding to Debian's security woes. Michael Stone, another member of Debian's security team, expressed his frustration to the organisation's security e-mail mailing list in mid-June, saying there was no effective tracking of security problems."
Solution is obvious, move to Windows (Score:5, Funny)
Re:Solution is obvious, move to Windows (Score:5, Funny)
Too bad none of them work at Microsoft :(
Re:Close: Switch to OS X (Score:3, Informative)
1. More secure? Not true. All Operating Systems have problems, closed-source Operating Systems have more problems than others because there are fewer people viewing and fixing the bugs and other problems. An Operating System's security depends greatly on the configuration and administration not t
Re:Close: Switch to OS X (Score:3, Insightful)
No, not really. The kernel is Apple's own creation (Xnu, I think they call it, but I'm not positive on that). As I recall, it's a Mach-derived kernel. The user-space is all FreeBSD-based, but the core microkernel is not.
And Apple owns more than just the GUI. They own the APIs, too. You know, CoreFoundation, Cocoa, Carbon, all those fancy things that allow Mac developers to quickly and
Re:Close: Switch to OS X (Score:3, Insightful)
The lead post is titled "Debian Struggling With Security," in part because the Debian team is short-handed.
There are 200 or so Linux distros. But Open Source doesn't magically endow you with the organization, money and manpower needed to maintain any one of them.
4. Built for idiots who would rather the computer maintain control. I, on the other hand, like to con
Re:Close: Switch to OS X (Score:2)
Re:Close: Switch to OS X (Score:2)
As for OS X being FreeBSD, that is absurd and I should have stated that more c
Pick any two (Score:5, Insightful)
Pick any two.
(General rule, but it does generally follow)
Re:Pick any two (Score:4, Funny)
Re:Pick any two (Score:2)
Re:Pick any two (Score:5, Interesting)
The problem is not that you can't mix those three in Debian's particular setting, it's that the Debian team seems to severely lack redundancy. Read: one person has obligations somewhere else and the whole stable security updates process hangs!
I really hope that Debian is going to do something about it fast, and in a definitive way. I don't want to run something else than Debian, really. But this is really embarrassing, especially if you have production servers running sarge. And this situation ain't new, Slashdot was very slow to catch it but I read about it last week. Things haven't moved a lot since (well, 1 security update was released, but some major exploits have been found in iirc at least two other packages, and nothing coming yet... Other distros had everything fixed by the end of last month)
I think Debian should clarify the issue, and call for help if it's necessary. And maybe simplify the whole Debian democratic process if, as it seems from the outside, every decision has to go through days and days of pointless discussion.
Re:Pick any two (Score:2, Interesting)
Slackware is convenient (I know that many will say otherwise, but if you have Unix experience, it's the best solution, really easy to manage).
It's cheap, it doesn't contain any proprietary software.
Also, Debian can be as safe as Slackware; the problem with this kind of distro (Debian) is that the people using it pretend that someone else takes care of their security. A sysadmin doesn't need some stupid organization to submit patches to him automatically or anything like that. He just h
Re:Pick any two (Score:2)
Something like...
cat /var/log/packages | grep foo
? Been a while since I've used Slack, but it's something like that. It's not like the package info just disappears into thin air or something. If the pipe offends your aesthetic sensibilities, just make a script or an alias for it.
simple solution (Score:5, Funny)
Problem Solved.
(Its funny. Laugh.)
Re:simple solution (Score:2, Funny)
Re:simple solution (Score:2, Funny)
Re:simple solution (Score:2)
there was no effective tracking of security probl (Score:3, Funny)
Now that this has been published on /. it will have to be revised to "no effective tracking of security problems by the good guys".
How the mighty have fallen... (Score:4, Insightful)
I wish the debian team all the luck in the world in fixing this matter. They're in a difficult position now that they're both lagging behind (though much less so than a while back) and cannot claim unparalleled reliability.
Re:How the mighty have fallen... (Score:3, Insightful)
I think this is probably part of the problem... too many people are wishing them luck and not enough people are actually doing anything to address the problem.
Re:How the mighty have fallen... (Score:2)
I think this is probably part of the problem... too many people are wishing them luck and not enough people are actually doing anything to address the problem.
Well you have to admit, the Debian elite have not exactly been known to welcome new users with open arms. Don't get me wrong, I really have a great admiration for their work, but it would seem to me the best source of new developers would be from a pool of motivated users.
Re:How the mighty have fallen... (Score:2)
And if someone wants to see security updates for this specific architecture (ARM) they might as well donate. The only ARM motherboards usable for a build system are the developer toolkits and these cost money.
Build systems shouldn't be an issue... (Score:2)
I know of vendors that support equipment they don't have a single sample of. Of course, they warn their customers and typically have one or a very small number of early-adopter customers who maybe get a good price break or simply want new features enough to explicitly desire bleeding edge to serve as testing for their releases.
Re:How the mighty have fallen... (Score:5, Insightful)
It would be a hell of a lot easier if they only supported X86 architecture like all those other Distros you refer to as the ones to lag behind.
I think what they really suffer from, and I am no expert, is the politics of a large system and the perception of lots of power sitting on top. I could be wrong.
Regardless of what anyone might want to say against Debian, I still believe that they are extremely good at what they do and don't get credit for it. There is no other distro out there that attempts to support as many architectures as effectively (or at all) and if Debian decided to just delete them all except X86/X86-64 then their job would be a hell of a lot easier to execute.
Re:How the mighty have fallen... (Score:5, Insightful)
It might be better in some respects if Debian were x86 only like everybody else but we would all be poorer for it.
Re:How the mighty have fallen... (Score:2)
Perhaps it is better to say Debian's team contributed to XFree86's stability on multiple platforms.
Re:How the mighty have fallen... (Score:2)
Actually, I do think you're wrong, but I am biased in that I'm a Debian Developer. Developers only have to get involved in "politics" if they really wish, but the bulk of developers happily work on the half-a-dozen or so packages they're maintaining and leave the "politics" to the people who care about them. I consider myself amongst this group
Now If This Was Microsoft... (Score:3, Insightful)
But since it's not Microsoft, it's a fairly sober writeup, and Microsoft jokes would just follow a little bit later.
Funny how things work here at Slashdot. No, I'm not new here. I'd just figure some people would grow up sooner or later.
Re:Now If This Was Microsoft... (Score:2)
Come to think of it, perhaps they're all working at Microsoft? Or maybe Microsoft could help out the Debian guys by funding some FTEs for Debian's security team, since it will help secure the Internet (which runs for a large part on Debian sys
Re:Now If This Was Microsoft... (Score:3, Funny)
Come with me... I have a bridge to sell you...
Re:Now If This Was Microsoft... (Score:2)
I am a pedant, not a zealot. As a result, I will be deriving enormous pleasure from correcting your misspelling of "enourmously" [sic]. Thank you for playing.
HAND.
Re:Now If This Was Microsoft... (Score:4, Insightful)
Oh we do indeed grow up. Unfortunately Slashdot has an unending supply of new posters straight out of kindergarten who have no problems at all firmly believing in the rightness of double standards and the logic of conflicting axioms.
Re:Now If This Was Microsoft... (Score:2, Funny)
Re:Now If This Was Microsoft... (Score:5, Insightful)
Debian security guys tend to have an attitude of trying to do things right. You're talking about the same people that chose to stop everything when they were compromised last year (and that was two days before a woody revision release). It's no surprise that people think of them as a good team without the necessary resources that need help. After all, they appear to do what they can with whatever resources they've got.
Microsoft, however, is known for turning a blind eye to big problems, trusting no one will find out and trying to NDA the hell out of everyone. Considering people pay big $$$ to them, and they do play dumb more often than they should, guess what the attitude toward them would be.
MS has been doing things a little better lately, but years of treating security like they did in the '90s aren't forgotten that easily.
I like Debian, and really hope they can solve their staff shortage. I wouldn't like them to go under because of this.
I'm increasingly concluding (Score:2)
You don't actually have a point at all.
Boring jobs (Score:4, Insightful)
It isn't any surprise that the boring and the mundane tasks fall short in manpower.
This is why there needs to be more commercial involvement in FOSS, so that people who just want a day job and a paycheck can do these sorts of things.
Re:Boring jobs (Score:2)
Sun, IBM, HP, Novell, Red Hat, SuSE, etc. for non-Debian FOSS development.
Debian doesn't exactly have a profit generation model.
That was the path they chose.
Re:Boring jobs (Score:4, Insightful)
That out of the way, capitalism is about capitalizing labour; that is, putting people together that create more value than if they worked separately. That is the fundamental reason why we CAN sell things; we're able to capitalize labour and create things for less cost than would be borne upon people if everybody created said thing individually.
Statements like yours are grossly off the mark. BSD licenses, and any other open source licenses that allow you to use the source but not have to open up your own, have helped many a person make money. What folks like you fail to realize is that you use the term open source as if it's a catch-all for anybody creating software for free. In fact, irony of ironies, the patent system was designed to FORCE your methods and secrets into the open in return for protection from the government. So who's being anticapitalist now? The very tenets of innovation in capitalism are strongly tied to having people share information. The anti-capitalist yahoos of whom you speak simply have a much broader, more historically accurate understanding of the balance between technological progress and motivation to innovate. I'm not against selling stuff, I'm not against capitalism, I'm simply suggesting that once the fear dies down in a decade or so, and code itself becomes more commoditized, it will be in the interest of those who wanna make a shit load of money to patent software based on the source, not a description of what the thing does.
Look at early patents; it's not what you can do, it's HOW you do it. It's the means, not the end. Nobody could patent the generation of electricity; only METHODs for generating electricity. I predict that at the rate of current software patent filing, litigation will become too expensive for the market versus the costs of opening up source in order to protect your invention. I guess that's ironic, given people's fear of open source licenses.
Too many packages? (Score:5, Interesting)
I can certainly see why security management gets a problem here. Maybe the Debian project should cut down on these and see just how many packages are really needed.
Re:Too many packages? (Score:3, Insightful)
Re:Too many packages? (Score:3, Insightful)
It is certainly the case that many upstream maintainers really don't care about old versions of their software (and if different distros are using different old versions, so much the worse). The problem is if it is something that other packages depend on and you end up in a hell of many twisty interfaces, all different.
I wouldn't support packages in stable that cannot guarantee to keep their interfaces stable for a reasonable period. They could be available as addons with no guarantees of security fixes.
I thi
Re:Too many packages? (Score:2)
This is why projects will often release updates to older branches when a security hole is found, too
Re:Too many packages? (Score:4, Insightful)
Now, if a security issue is discovered in a package running on that machine, they do not want to upgrade to the latest release because they would worry about what it changes -- they want that one issue fixed and everything else to continue the same as before. Debian Stable is designed for people like this, the joke at the end of your post was actually close to the truth -- people really do want debian stable to be stable feature wise.
Consider another situation, where somebody wants a fairly reliable and a fairly up-to-date server. When a bug is discovered, and especially security-related bugs, they'd like an updated package. On the other hand, they don't want to be sent the latest buggy software, they'd like it restricted to software that appears pretty stable. Debian Testing is designed for people like this.
It sounds from your post that you cannot imagine people preferring a quirky, somewhat old, consistent distro over one kept up to date with bug fixes. I assure you that there is a large market for the stable distro, but if you are not in that market, there are plenty of others available.
Re:Too many packages? (Score:2)
Actually, I wasn't joking, I wasn't sure if that was really the goal of stable or not.
Granted, I haven't poked around the Debian website in a while, but it seems like they could do a little better job of explaining that. It was always my impression that you didn't get security updates with 'testing' and 'unstable'. Perhaps they should make more of a point of stating that yo
Re:Too many packages? (Score:2)
This is (technically) correct. However, whenever a security bug is discovered in an unstable package, the uploaded version fixing it (usually just upgrading to the very latest package) is installed within a day -- some of the normal double checking is bypassed for speed. Since fixing security bugs in unstable is so much easier than in stable, it happens quickly.
Similarly for testing, any bugfix that corrects a s
Re:Too many packages? (Score:2)
Re:Too many packages? (Score:2)
Build dependencies change (Score:2)
Security backports require more effort, but they're unlikely to trigger cascading updates.
Re:Too many packages? (Score:3, Insightful)
I think that's precisely it.
I just left a job where all the Linux machines were running Debian Stable [Woody], unless there was a specific requirement for something else (e.g. a commercial application that wouldn't run reliably on anything but RHEL).
Everything was buggy as hell, but the admins were okay with this, because it was "stable". Desktop applications had thoroughly well do
Re:Too many packages? (Score:5, Funny)
My karma is now really, really shot.
Re:Too many packages? (Score:2)
Of course, the fact that there *is* a base system that does not come in the form of packages (in the sense of pkg_addable ones, that is - the base system tarballs don't count as packages in that regard) is one thing that sets OpenBSD (and, from what
Re:Too many packages? (Score:3, Informative)
Redhat supports x86, x86_64, i64 and some power and zSeries stuff. Compared to that Debian supports Alpha, ARM, HP PA-RISC, Intel x86, Intel IA-64, Motorola 680x0, MIPS, MIPS (DEC), PowerPC, IBM S/390, SPARC. It also has the outrageously silly policy of trying to release updates for all of them at the same time.
Frankly, all the "problematic" architectures for which there are build problems are "security through obscurity" by themselves. If an update for them i
Re:Too many packages? (Score:2)
Re:Too many packages? (Score:3, Informative)
It is outrageously silly.
Ever tried to write shellcode for Alpha? It was even thought to be impossible for more than 5 years until someone published a way to do some limited borderline cases in 2000.
Ever tried to write shellcode for 680xx? Same as above, even harder due to the protection model vagaries.
Basically these arches use a different protection model and instruction encoding from x86. Both of these make writing shellcode nearly impossible.
So on, so forth.
Re:Too many packages? (Score:2)
Re:Too many packages? (Score:2)
But their package compilation system looks a lot like:
tar -zxf foo.tar.gz
cd foo
make
make install
That doesn't seem like a distribution-maintained package at all.
Re:Too many packages? (Score:2)
They make quite a few binary packages available [freebsd.org].
That doesn't seem like a distribution-maintained package at all.
Is there a fundamental difference between providing a binary archive, and distributing the tools for users to automatically create exact copies of that archive?
Re:Too many packages? (Score:2)
Almost (Score:2)
More like:
And after you install CVS to update your ports tree you get the newer versions. Granted, it's not releasing fixes for the old ones, but saying there is no consistent way of doing stuff in FreeBSD is just flat out wrong.
Re:Too many packages? (Score:2)
That's one announcement every three days, more or less. And that's counting that those have been filed against the old debian stable (only more than 800 packages). With 14000, they're going to have more
But the FreeBSD security team just cares about the "core" system packages, not about the 13000 ports. So it's not the same, but you get the idea: the work behind the Debian security team is HUGE
s/800/8000/ (Score:2)
Re:Too many packages? (Score:5, Informative)
The FreeBSD base system is supported quite well, although we have had occasional manpower problems (e.g., when one member of the security team is travelling around Japan on work, one member is writing his doctoral thesis, another member is job-hunting, et cetera).
The FreeBSD ports tree is supported on a "best effort" basis -- we make no guarantees, but we do our best.
Re:Too many packages? (Score:2)
They won't release a security update until they have it working across all architectures.
Given that some of them are for remarkably slow hardware, it can take a while to compile and test.
Hence, debian security releases happen at the speed of the slowest.
Not ideal really.
The sudo hole was reported and fixed in openbsd about two weeks before debian. In gentoo and ubuntu about one week before debian.
hobbyist OS? (Score:2, Insightful)
Bits of News (Score:2, Interesting)
Debian alternatives? (Score:2)
Re:Debian alternatives? (Score:2)
Re:Debian alternatives? (Score:2)
However, while it does feel like a 'front end to rpm' much more than apt-get feels like a front end to dpkg... that's just fine by me. I LIKE things that are distinctly layered
Re:Debian alternatives? (Score:2)
Re:Debian alternatives? (Score:2)
Re:Debian alternatives? (Score:2)
Re:Debian alternatives? (Score:2)
Re:Debian alternatives? (Score:2)
RPM is a technically better package manager than dpkg. With the sources list updated, there have been no dependency hell problems. It automatically downloads and installs packages and their dependencies. It works better than YUM, works better and quicker than portage, and is at least as good (in many ways superior, but only because of a better-maintained servers list) as apt-rpm.
Re:Debian alternatives? (Score:2)
Re:Debian alternatives? (Score:3, Informative)
For example, Debian currently lets me choose between "openssh-client" version 4.1p1-4, or "ssh-krb5" version 3.8.1p1-8; I have to pick between a recent version or Kerberos support.
I still like Debian and its derivatives, but I decided that it imposed constraints that I was not personally willing to
*BSD. (Score:3, Informative)
All of the BSDs currently have excellent package-management systems that can elegantly handle both binary and source packages. pkgsrc in particular is a really nice system---further, it has the advantage of not being tied to one OS. Although it is developed primarily for NetBSD [netbsd.org], it can be used from any of the other BSDs, Linux, several Unices, and even Windows (with Interix, i.e. Windows Services for Unix [microsoft.com]).
In fact, it's definitely worth checking NetBSD out; the 2.x line has been really interesting, and d
Re:Debian alternatives? (Score:2, Interesting)
I notice no one responded to your question *yet* so I'll give me
Nothing *compares*, but you have to compare apples with apples.
And since Debian is, well, only Debian, I can only add that Synaptic (graphical front end) for apt-get is a lot easier to use when you want to install or change a lot of programs.
I also notice quite a few of the *other* distros are implementing apt-get/synaptic with their releases, in addition to whatever else they would normally have as default (i.e. urpmi, Kpackage, et
Re:Debian alternatives? (Score:2)
As long as you don't use firefox. The only way to get any extensions or themes with Ubuntu's version of Firefox is to go into about:config and manually edit the vendor_sub version string yourself. Ubuntu can't be bothered to do this because, well, it could constitute a patch. Their answer is to wait 4 months or so for Breezy, which will then have its own u
Re:Debian alternatives? (Score:2)
I find it very appealing. Have your computer just like it is for 6 months, then get a "freshening up", and then have it like that for another 6 months. No trouble in between. The firefox issue is annoying, though, and I think they won't do things like that again.
Current issues (Score:3, Informative)
Is unstable possibly better? (Score:2)
Re:Is unstable possibly better? (Score:2, Informative)
Of course, unstable is what it says. You get new features, different behavior and even broken software all the time. Not a very good thing in a production environment. And right now there are some major changes going on in unstable (C++ ABI and Xorg transition) and I
Re:Is unstable possibly better? (Score:2, Informative)
Security support is ill-suited to open source (Score:5, Insightful)
The problem of providing security support is ill-suited to being solved by the traditional "mob of volunteers" approach which describes most open source development. When you're doing development, it doesn't matter if you have five people coding one week and nobody doing any coding the next week; but when it comes to dealing with a constant stream of security issues which are being reported (in particular, from upstream vendors), it is important to guarantee that there will be someone around to deal with them. When the entire security team consists of people who have other full-time jobs, it's impossible to make sure that someone will be around when they are needed.
The job of "security officer" is really one which should be a job, not a role-played-by-a-volunteer. Go out and raise some money to pay for your security officer, so that he is able to always be available when he is needed, because if he needs to get some other job to support himself, he won't be around when you need him.
Here's why you're wrong (Score:5, Insightful)
You're wrongly basing your entire argument on the idea that OSS programmer(s)=loner(s) with other "real" jobs. That is simply not the case for many OSS projects. Commercial OSS companies like Red Hat, Suse/Novell, et al are and have been the driving force in OSS for some time now. Look at any big distro, any major software project etc. and at this point chances are they are being bankrolled and supported by commercial companies that are paying people to work on them and deal with things like security issues. And if a popular project has a security flaw that an author won't address, and distros won't fix because it's not part of their distro...well you know the deal, use the source, Luke.
I see what you're trying to say but again your argument is flawed as "traditional" OSS development no longer means unpaid and non-commercial. I don't think that the people buying Red Hat Linux and getting security support for years and years would share the same viewpoint. And I also don't think that commercial companies put more into security than OSS programmers do. History just doesn't show that.
For version
OSS is particularly well suited to dealing with security issues IMHO and the problems it has with security are more or less the same problems that commercial software makers face. You're floating down a well known river in Egypt if you think that in the commercial world all projects have people who are paid solely to work on security.
I'm having with phrase composition. (Score:2)
A lot of assumptions for a page and a half article (Score:4, Insightful)
Therefore, it would follow that if 4% of Debian packages had security vulnerabilities that would equate to a substantially greater number of packages than would the same 4% of Red Hat packages.
The other important thing to keep in mind is that it's unlikely many users would install all zillion packages at one time.
Finally, the article implies Debian and Red Hat are in competition. However, as literate geeks will know, Debian is the OS of "Software in the Public Interest" http://www.spi-inc.org/about [spi-inc.org] which is a non-profit entity. Therefore, while one could argue that Red Hat (a for-profit enterprise) and Debian are in competition for userbase, by no means are they in direct competition for 'business'.
*Debian website says "over 15490." Which begs the question, how many more than 15490? 15491?
Zdnet: do some fact checking next time (Score:4, Informative)
http://kitenet.net/~joey/blog/entry/secfud-2005-0
Re:I ditched debian over the weekend (Score:2, Interesting)
Re:I ditched debian over the weekend (Score:2)
Re:I ditched debian over the weekend (Score:2)
Re:The most secure option (Score:3, Funny)
Re:Let it go Louie (Score:3, Funny)
Re:Let it go Louie (Score:2)
Re:Let it go Louie (Score:5, Insightful)
Bullshit. All the technically sweet linux distributions out there which use apt are more or less resting on debian's shoulders. If you watch the security changelogs - or the regular changelogs - of ubuntu packages, you'll see that nine out of ten get made by debian, adapted to ubuntu and thrown to the ubuntu servers. Some are just renamed to "-ubuntu" and passed on. And a very few are actually maintained by ubuntu themselves.
We can't move on. Much of the linux community depends on a well-functioning debian organization. They are lacking man-power to keep their security updates as fast as the multi-employee-distributions. That doesn't mean they're technically behind, and that we have something better to move to. Although the commercial distros would love that.
Re:Let it go Louie (Score:2, Interesting)
Re:Let it go Louie (Score:2)
Or you could just look on Ubuntu's web page on the matter. [ubuntulinux.org] It's no secret that without Debian, there would be no Ubuntu.
parent Flamebait (Score:4, Insightful)
Debian is much more than a distribution. And there is unfortunately nothing better than Debian (as in the distro) to move on to. There is a reason why many distributions are built on Debian.
Please point me to a distro that can manage version upgrades even half as gracefully as Debian.
There was a discussion about Ubuntu on Slashdot and it was argued that if Ubuntu continues to diverge further from sid and stay incompatible it will eventually dissolve, because the team will never be able to support the huge package base.
I am a desktop Linux user that started out with Debian 2.1 Slink and I also have the feeling that Debian has had some major issues lately.
About the security issue:
Heise security published it first 10 days ago:
http://www.heise.de/newsticker/meldung/61076 [heise.de]
As a result of this a discussion on the Debian security mailing list ensued:
http://lists.debian.org/debian-security/2005/06/m
Heise Online then reported on that as a result of that discussion:
http://www.heise.de/newsticker/meldung/61125 [heise.de]
For those that can't read German, the article says that of the five members that should make up the security team, four are not active at the moment, if they ever were. The only remaining one is Martin Schulze aka Joey. He has been pretty busy with the organisation of the Linuxtag. So he was cut off from the action. Debian people are working on the problem.
Everyone that is not satisfied with the current state of affairs should get their hands dirty helping instead of complaining. After all, Debian forms the basis of "plenty of well-managed, technically sweet linux distributions out there".
Like Knoppix, Ubuntu or Xandros. Full list here:
http://www.debian.org/misc/children-distros [debian.org]
you're not only a coward, but an.. (Score:2, Insightful)
asshat as well.
if linux users got what they paid for, they'd get nothing, you.. you..you bill hates follower.
I'd rather pay nothing, take that money and either put it towards a hardware router for security (just plug it in).. or save that money for something else fun..and set up a linux software firewall/router (easy, just point&click).
If people didn't have windoz forced on them when they buy in major outlets, they would get used to linux quicker.
at least with linux, when you put the effort into fi
Re:welp.. (Score:2)
It is what it is, and while its character is not that of commercially developed software, progress does continue to be made.