Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Debian Addresses Security Problems

Zonk posted more than 9 years ago | from the quick-turnaround dept.

Security 118

An anonymous reader writes "After suffering manpower shortages and other issues, Debian says it has finally addressed concerns that it was falling behind on security. Debian's elected leader Branden Robinson yesterday flagged an inquiry into the processes by which security updates are released, citing a potential lack of transparency and communication failures. It was also an appropriate time to add new members to Debian's security team, as several have been inactive for a while, Robinson said. Debian initial security problems can be found in this earlier Slashdot posting."

Sorry! There are no comments related to the filter you selected.

First Post (-1, Troll)

Anonymous Coward | more than 9 years ago | (#13012801)

Mod me down - but debian sucks

Re:First Post (0)

Anonymous Coward | more than 9 years ago | (#13012953)

Mod me down - but debian sucks

One of these two propositions has been verified.

Sarge (0, Offtopic)

Anonymous Coward | more than 9 years ago | (#13012807)

Sarge has been a disappoint for me. DOn't get me wrong, I'm running Sarge right now, but for a release which took such a long time, it should have been more mature, it feels like FC4 now.

I understand the pitfalls of volunteer work when compared to RH & Suse which are corporate funded. But Sarge definitely wasn't worth the wait.

Re:Sarge (1)

mccalli (323026) | more than 9 years ago | (#13012893)

Sarge has been a disappoint for me. DOn't get me wrong, I'm running Sarge right now, but for a release which took such a long time, it should have been more mature, it feels like FC4 now.

Genuine interest here as I'm about to upgrade a Debian server from Woody to Sarge this weekend. What sort of issues have you run into?

Cheers,
Ian

Re:Sarge (1)

Anonymous Coward | more than 9 years ago | (#13012923)

I haven't done any upgrades from Woody to Sarge. We did it on a test machine 2 weeks ago & consensus was that Woody would stay for some more time till issues are sorted out with Sarge.

Re:Sarge (2, Informative)

petermgreen (876956) | more than 9 years ago | (#13012982)

i have one server thats running sendmail rather than the debian standard exim and both aptitude dist-upgrade (the reccomended upgrade method) and apt-get dist-upgrade wanted to remove it even after i manually upgraded it to the sarge version first.

i ended up using apt-get upgrade to upgrade the bulk of the system then upgrading a load of stuff manually with apt-get install and then finally finishing the job with apt-get dist-upgrade

mind you red hat basically tell you too take the system offline and use the installer to upgrade which i find even less desirable than giving apt a bit of assistance with the upgrade process.

before upgrading read the release notes as they document other issues you could run into if you don't take care. but DO NOT follow those instructions blindly always check what apt-get or aptitude plans to remove before saying yes.

Re:Sarge (1)

Anonymous Coward | more than 9 years ago | (#13012994)

My mail server broke. I run postfix and need TLS to communicate with my upstream ISP. (My own IP is scorched earth it seems.) I didn't notice the bustage until a user complained. The bug appears to be 307780 [debian.org] .

Re:Sarge (1)

Donny Smith (567043) | more than 9 years ago | (#13013035)

Check that all rare and/or important packages you use on Woody are also available as stable or testing in the new OS version.

I expected more (it's not that much friendlier/different from Woody and some packages just aren't available) and am migrating this Sarge server to CentOS 4.1 after I complete CentOS tests.

Re:Sarge (0)

Anonymous Coward | more than 9 years ago | (#13014402)

Someone upgraded the server that houses my mail and website to sarge from woody and it was rocky. Lots of crap the admin fixed in a panic fixit session but the mail still got screwed up and the spam filter kinda collapsed.

Debian is a pretty nice server distro but I think people are starting to see it has some real drawbacks just like every distro.

1000 developers? (2, Interesting)

datadriven (699893) | more than 9 years ago | (#13012820)

I thought debian had over 1000 developers. Don't any of them do security?

Re:1000 developers? (4, Insightful)

RAMMS+EIN (578166) | more than 9 years ago | (#13012892)

Being able to write some software and produce packages is very different from doing security. Security is something that many, even in the developer community, don't understand, or don't understand completely. Having someone who isn't completely security savvy declare your program secure does not help you very much.

Plus, Debian likely requires a lot of security people compared to other distro's, because 1) they provide very many packages (I can't say for sure more than any other, but it's likely), and 2) they don't only fix things by upgrading packages in unstable to the latest version, but also backport fixes to the version in stable.

And in the meantime, the rest of the organization needs not to be forgotten. New packages are submitted all the time, people do like to see a new release within their lifetimes, questions have to be answered, (non-security) bugs need to be fixed, etc. etc. etc. Debian is just a huge project, and I'm impressed with how well it works.

Re:1000 developers? (1)

IamTheRealMike (537420) | more than 9 years ago | (#13014423)

What makes you think those guys understand security?

I've seen more than one distro provided security fix be put out for non-existant security issues, that were very obviously non-existant (eg, discussed on the mailing lists and proven to be non-exploitable).

Debian isn't the only group that fixed a non-existant bug (for Wine). Gentoo did it too, for Mozilla. There are probably more examples: these are ones I came across randomly without looking for them.

Re:1000 developers? (5, Informative)

smoking2000 (611012) | more than 9 years ago | (#13012981)

Of those many developers only 5 of them where in the Security team. And of those 5 only one (Brandon) has remained active.

Due to the nature of security issues, the team had tough requirements for new members, which kept fresh blood to enter the team.

Now that this problem got the attention it unfortunatly needed, new members have stepped to the plate to strengthen the security team.

You can read more about the handling of this situation in Brandon's Project Leader Report [debian.org]

Re:1000 developers? (3, Informative)

stevey (64018) | more than 9 years ago | (#13013092)

Branden is not a member of the Debian Security Team. (and his name is spelt with an 'e' not an 'o').

The current members are listed on the Debian Organizational chart [debian.org] - albeit some are less active than others.

Re:1000 developers? (1)

smoking2000 (611012) | more than 9 years ago | (#13013221)

You are correct, I had mistaken Branden for Joey. Two names I see fly by very frequently.

I recalled an email [debian.org] to debian-devel about the security issue, where it was stated that only one member was left active.
Only did I recall the name incorrectly, my apologies for the confusion I may have caused.

Re:1000 developers? (0)

Anonymous Coward | more than 9 years ago | (#13013278)

No problem - I'm must more used to the confusion between the two Joeys when it comes to Debian news!

Re:1000 developers? (2, Informative)

stevey (64018) | more than 9 years ago | (#13013303)

Until recently Joey was the only active member.

In the past couple of weeks Michael Stone has become active again, which has helped.

Re:1000 developers? (0)

Anonymous Coward | more than 9 years ago | (#13014314)

Let's compare this with other organizations.
  • How many developers does Windows have?
  • How long were these debian security holes open?
  • What's the corresponding ratio for Windows?

Good. (2, Funny)

Musteval (817324) | more than 9 years ago | (#13012823)

Because before, Debian was in serious danger of falling behind Windows on the security front.

I wouldn't know (0, Offtopic)

Markus_UW (892365) | more than 9 years ago | (#13012837)

I use slackware, myself, although I was thinking of giving Debian Sarge a try... but the general consensus I've heard from my peers is that it's a letdown. What do you guys think? is it worth a try for a devoted Slacker like me? Or should I try Gentoo, mabe instead?

Re:I wouldn't know (0)

Anonymous Coward | more than 9 years ago | (#13012851)

so much for "devotion"...

Re:I wouldn't know (1, Offtopic)

hotdiggitydawg (881316) | more than 9 years ago | (#13012866)

I work for a large organisation that uses debian exclusively, and we haven't had any security problems whatsoe... CLICK HERE TO BUY V1AGR4!!!

Re:I wouldn't know (0)

Anonymous Coward | more than 9 years ago | (#13012878)

Totally Off-Topic, but as a former Slacker, I recommend Gentoo, if you've got the time to compile all your packages! They've got a *great* community over at gentoo.org, the only thing they lack is gpg-signed packages, but it's in develpoment. It also depends on how paranoid you are, how important it's to you... :-)
I'm running Debian myself right now, and I do not find it bad, but I definitley feel like having more control with Gentoo...

Re:I wouldn't know (1)

Markus_UW (892365) | more than 9 years ago | (#13012900)

Wow, a helpful slashdot post, who would have guessed?

Thank you very much.

Re:I wouldn't know (0)

Anonymous Coward | more than 9 years ago | (#13012884)

Love rice? Use Gentoo.

Re:I wouldn't know (0, Troll)

WilliamSChips (793741) | more than 9 years ago | (#13013660)

Love trolling? Post as AC.

Re:I wouldn't know (1)

Nick Driver (238034) | more than 9 years ago | (#13012890)

If you like Slackware, and if you've ever tried FreeBSD and seen the BSD "ports collection" system of installing stuff, then you'll probably love Gentoo. I used to be a die-hard Slackware user but use SuSE now since it's too easy and convenient and I've gotten lazy WRT keeping my Linux machines updated... SuSE's Yast Online Update takes all the work out of it.

Stick with Slackware (0, Offtopic)

everphilski (877346) | more than 9 years ago | (#13012896)

Slackware is simple, stable and functional. If you are happy with slackware I would stick with it. I definitely wouldn't go from Slackware to Gentoo. I tried Gentoo once on recommendation from a friend, it just didn't feel right. The simplicity of Slack has always meant more to me than the graphical installers or package management tools of the other distros.
-everphilski-

Re:I wouldn't know (3)

amorformosus (781869) | more than 9 years ago | (#13012906)

I've had it running as a webserver/nagios server for the past 3-4 months, first as Sarge was still in testing, and now as stable, and it has not failed me yet. The only time I've had to reboot or anything was when we moved the server to our new rack (not a debian issue). I've not run into any packaging problems, and as for security, it seems pretty solid.

I know it's an old discussion, but I suppose you should ask yourself what you want to run it as. As a workstation, I think sarge is a great step forward for debian; however I don't think it doesn't quite fit the needs of most workstations. But that's because it's strength is as a solid server, where updates are minimal and configuration doesn't necessarily mean a GUI.

I love debian for it's consistency and ease of configuration (once you get a feel for the way packages are configured in /etc).

I'd definitely say give it a go, if only to see the improvements from woody.

Re:I wouldn't know (3, Insightful)

pebs (654334) | more than 9 years ago | (#13012985)

I use slackware, myself, although I was thinking of giving Debian Sarge a try

Depends on what you're trying to achieve. If you are running a server, especially one that is exposed to the internet or a large number of users (e.g. web server), Debian stable is really great. Especially with the ability to setup automatic updates; you can set it up, and not have to really touch it for another 2-3 years.

If on the other hand you are using it for a desktop, development, or "tinkering" machine, Debian unstable or some other distro would probably be a better choice.

Re:I wouldn't know (3, Interesting)

RAMMS+EIN (578166) | more than 9 years ago | (#13012989)

I used Slack before I switched to Debian, and never looked back. I don't know your reasons for using Slackware, but for me it was that I like to be in control and not clutter my system with useless stuff. Debian allows you a lot of flexibility, but its package management system (which I honestly believe is the best in the world) makes everything a lot easier.

You can have a very basic installation for about 100 MB. I personally think that's already a bit heavy, but it's definitely better than a lot of other distros. From there, you can get almost everything you care to mention, just by runnig apt-get install package-name. Dependencies are all taken care of automatically. You can customize how many questions you are asked during installation, from no questions to lots of options (and you can always re-run the configuration questions later).

In terms of quality, you can hardly go wrong with Debian. Everything is tested and tested again before it goes into stable (which is why there are such long times between releases), but even the packages in unstable tend to work just fine. I'd say unstable is about as up to date as Slackware-current, so if that's what you like, Debian can give it to you too.

Upgrading from one version of Debian to another is as simple as setting the right apt-repository and running apt-get update && apt-get dist-upgrade.

I don't know what more to say. Just try it for yourself.

(And for those who think I'm a Debian zealot: it's worse than that. I use OpenBSD at home. ;-) )

Re:I wouldn't know (1)

freshman_a (136603) | more than 9 years ago | (#13013048)

I'm a long time Slack user (especially for servers) and every time I've tried another distro, I've always found myself switching back to Slackware. Nothing against Debian though. apt-get was nice but I've always been happy with swaret. I've also always been a big fan of Slack's rc files (probably due to me being a BSD fan). I've also had great luck with stability on Slack (2+ years uptime on one of my servers). I always found it fun to try something different every once in a while, but personally I would stay with Slack. As they say: If it ain't broke, don't fix it.

Just my 2 cents...

Re:I wouldn't know (0)

Anonymous Coward | more than 9 years ago | (#13013533)

"2+ years uptime on one of my servers"

I hope it is not an Internet-faced server!

Re:I wouldn't know (1)

poopdeville (841677) | more than 9 years ago | (#13013052)

I like Sarge, but I've never used Slack. I've used it for about a year now. apt-get really is a great bit of software. Packages are designed to install and configure themselves intelligently, if not optimally. As long as you're not a pansy about typing into the command line, everything just works. But you can still tweak/install from source if you'd like. The default installation is not as slim as I'd like -- it weighs in at about 350 MB if you don't select any packages other than those "required" by the system. You can trim it if you'd like.

Regardless of the reputation the community has on /., it's terrific. lists.debian.org is a great resource. Smart questions are usually answered by curteous developers/users within an hour.

Enough raving about debian. Having never tried Slack, I can't say how they compare, but I think it's clear I'd recommend Sarge.

Re:I wouldn't know (0)

Anonymous Coward | more than 9 years ago | (#13013793)

emerge awesomeness

information (-1, Troll)

Anonymous Coward | more than 9 years ago | (#13012840)

you're all butt pirates.

Proof (4, Funny)

bondsbw (888959) | more than 9 years ago | (#13012841)

Debian initial security problems can be found in this earlier Slashdot posting.

PROOF that Slashdot submitters have access to previous stories!

Who knew, dupes really aren't necessary after all.

Re:Proof (0)

Anonymous Coward | more than 9 years ago | (#13012961)

now we will get stories with links like 'earlier Slashdot dupe'.

What I really want... (4, Insightful)

rbochan (827946) | more than 9 years ago | (#13013016)

... to know is:

Why the hell are slashdotters [slashdot.org] trusting news about Debian from friggen zdnet? And a blog on zdnet to boot!

I mean... c'mon... it's zdnet... with about as much credibility as The Star.

Zonk is making fun of us (0)

Anonymous Coward | more than 9 years ago | (#13014307)

I think Zonk is making fun of us.

Come on, even *I* noticed this article the first time.

Can somebody tell me . . . (0, Troll)

Anonymous Coward | more than 9 years ago | (#13012845)

Why is 'free' software so dependant on money?

I thought it was essentially an idea that worked simply because of the love of programming, rather than the need of money.

Or was I being unrealistic?

Re:Can somebody tell me . . . (4, Insightful)

Kookus (653170) | more than 9 years ago | (#13012894)

Free software is free for you to use, not free to develope.
Software engineers need to put food on the table, so they have to get a real job when there isn't any corporate sponsorship. So now after you take out the time from their busy schedules to survive, there's not a whole lot left for a life and helping develope your free software.
Now instead of a stream-lined process where coders can churn out results, you're left with only a little bit of support from those people, sometimes they get burnt out and take a break, other times they lose all their free time and stop supporting the software. That's when you see things bog down and the need to get more people on board and all the other problems that cascade from the lack of free time.

Re:Can somebody tell me . . . (1)

Captain Feathersword (896786) | more than 9 years ago | (#13013375)

I've always wondered who these people were... I know that Linus was in college when he developed Linux, and that RMS actually was receiving money for sales of emacs when we first started... but who are the rest of the free software developers? Are they all academics? Corporate wageslaves like the rest of us whose company pays them to develop software and release it to the world? Are they mostly retirees? Independently wealthy? I'd love to contribute back to the OSS world, but other than a bug fix here and there, I've never been able to find the time (what with the mandatory 70 hour workweeks and all...). I've always wondered how they do it... do these people ever sleep?

The easy part (1)

The_Wilschon (782534) | more than 9 years ago | (#13014172)

Well, first off, they find employers who don't mandate 70 hour workweeks....

Personally, I think any employer who demands a 70 hour workweek of programmers, but is not a programmer working 70 hour weeks him/herself ought to be taken out to the county courthouse and strung up.

Re:Can somebody tell me . . . (1)

hswerdfe (569925) | more than 9 years ago | (#13014292)

sigh.
Free software is free for you to use, not free to develope.

you are confusing free as in $0, with free as in freedom.
According to the Free Software Foundation, this includes:
* freedom to run the program
* freedom to study and modify the program
* freedom to copy the program
* freedom to improve the program, and release your improvements to the public

so Free software is free(dom) to develop as well as use, but yes programers do have to eat.

ohh is it lunch time already?

Re:Can somebody tell me . . . (0)

Anonymous Coward | more than 9 years ago | (#13013605)

TROLL ALERT

Do Not Feed The TROLL

Free Software (1)

MarkByers (770551) | more than 9 years ago | (#13013882)

When people talk of Free Software, at least on Slashdot and other technical communities, they are usually referring to the freedom to do whatever you want with the code. They are not usually referring to the price.

Free speech, not free beer.

how about addressing users (0, Troll)

rockytriton (896444) | more than 9 years ago | (#13012860)

now they just need to address the issue that nobody uses debian.

Re:how about addressing users (1)

ooze (307871) | more than 9 years ago | (#13012943)

Well, my DSL-Router/Firewall/Printerserver/Fileserver is running Debian. And doing so for 2 years without much trouble/attention and barely a reboot. I don't even have a keyboard or monitor attached to it. And it's running the "unstable" branch.

Granted, Debian is not really for the Desktop weenies. But my desktop is OS X. So no problem with that.

Factual Errors (-1, Troll)

Anonymous Coward | more than 9 years ago | (#13012863)

There is no way this article can be correct. Linux simply does not have security problems; all the slashbots told me so.

Debian runs on many platforms (-1, Offtopic)

Krankheit (830769) | more than 9 years ago | (#13012869)

I previously ran Slackware for many years on my desktop and laptop machines, with OpenBSD, FreeBSD and NetBSD for firewall, servers. Now the desktop machines run Debian, which has saved me alot of time with the excellent package management. I may replace Slackware with Debian on the laptops. While running well on my x86 desktops, Debian has also installed without a hitch on my 1.25 GHz Mac Mini, with nothing more than a hassle-free kernel recompile to get sound working. I have become much productive. I don't if the increased productivity is the package management features, or that I switch from 28.8 kbps Dial-Up to cable. I hope Debian fixes their security problems so I can look forward to the next release.

Re:Debian runs on many platforms (1)

alc6379 (832389) | more than 9 years ago | (#13014264)

Why is this modded OT? Someone's on crack around here.

Security Problems are good (1, Funny)

Anonymous Coward | more than 9 years ago | (#13012882)

Lick me if i'm wrong- but aren't security problems good? I mean, I thought a completely insecure OS led to a monopoly and you becoming the richest man in the world.....
Why are they trying to fix the security issues? don't they know it is bad business?
All you nipple are belong to us

Re:Security Problems are good (1)

team99parody (880782) | more than 9 years ago | (#13013408)

I know people are modding you funny; but there is some important truth to what you said.

I've long said that Microsoft's greatest strength as a business is that they were the only software company who best calculated and acted on these risk/reward tradeoffs.

In all businesses there is a tradeoff between Security and other business needs including Time-to-Market and Ease-of-Use. Note that this problem isn't unique to the software industry. Credit card companies have the same challenges (ease of stealing a credit card vs ease of using a credit card), and also go to great lenghts to strike a balance that provides the best user experience.

But in this particular case, I'd say security problems in debian/unstable are good; but security problems in debian/stable are very very bad, and I'm glad to see they're being addressed.

GOOD (1)

HawkingMattress (588824) | more than 9 years ago | (#13012909)

Now let's hope they won't stop there, and make a revamp of the whole Debian process.
Debian needs to react to what's happening around it, and into it. Because we NEED Debian, much more than any other distro.
If Debian happened to die, what choices would we have ? commercial distros, or distros based on commercial ones. That would suck big time. I don't even use Linux on the destop personally, I mostly use it at work on servers now. But i know i sleep better at night knowing that a thing such as Debian exists. It makes the world a better place.

Re:GOOD (1)

HawkingMattress (588824) | more than 9 years ago | (#13012990)

Huh yep I forgot gentoo and probably lots of others :) Sorry about that. But those distros don't play in the same park, they're more like niche distros.

Re:GOOD (1)

SaDan (81097) | more than 9 years ago | (#13013424)

Debian is niche, as far as I can tell. The only reason to run Debian is if you believe in the politics behind the distro.

Aside from that, it's just another Linux distro, and one that's having problems lately with security and administration behind the distro. Not good.

Re:GOOD (1)

turbidostato (878842) | more than 9 years ago | (#13013651)

"The only reason to run Debian is if you believe in the politics behind the distro"

Not at all. I do run extensively Debian both on servers and desktops, and I do it because Debian is, as far as my knowledge reaches, technically-wise the best distribution over there.

Re:GOOD (4, Interesting)

Phillup (317168) | more than 9 years ago | (#13013683)

The only reason to run Debian is if you believe in the politics behind the distro.

I could give a rat's ass about the politics of the distro.

Or the cost.

I run Debian because it is the easiest distro I've ever found when it comes time to update/upgrade.

I simply can't afford (nor can my customers) to take a machine to bare metal for an upgrade. And while most distros really try to make the upgrade from one version to the next easy... most are not "production quality" as far as I"m concerned.

If you want to deploy systems with a long service life, Debian is a fine choice.

Re:GOOD (1)

snorklewacker (836663) | more than 9 years ago | (#13014561)

I can't stand the politics of Debian. I use it because of apt-get dist-upgrade. I wait in vain for a better package manager that has a better version migration scheme, as well as having multiple mirrored online repositories (fedora doesn't count because it has nothing like dist-upgrade and doesn't plan to begin such a scheme til FC5 or later). A gentoo with an emphasis on stability and official support for portage overlays might be a good competitor. But I need a real distribution to run right now, not a theoretical one.

Re:GOOD (1)

kink (597413) | more than 9 years ago | (#13013330)

If you think that way, please get involved! There are lots of ways you can help, the most obvious being reporting bugs and submitting patches for open problems. Debian is kept alive by people who care about it actually contribute.

The problem with Debian (4, Interesting)

Rosco P. Coltrane (209368) | more than 9 years ago | (#13012911)

is that they make you jump through many loops before allowing you to help them. I have several pieces of software that I wanted to contribute to Debian, so I figured I might as well be the maintainer for them. I gave up eventually, because it's just too damn bothersome, and another Debian maintainer took my .debs over for me.

IMHO, that's why they have a shortage of manpower, because it's just not easy enough for people to jump in and help.

Re:The problem with Debian (2, Insightful)

xmgl (641825) | more than 9 years ago | (#13012967)

Good point. I'd agree but don't forget the fact that it is also through those rigorous processes that Debian maintains its reputation for quality.

Re:The problem with Debian (1)

Rosco P. Coltrane (209368) | more than 9 years ago | (#13012996)

I agree, but what's the point of quality packages if the packages are so far behind? There needs to be a balance between trust and ease of contribution, so that stable packages are reasonably current. As it is now, they're obviously asking too much from potential helpers.

Re:The problem with Debian (1)

stevey (64018) | more than 9 years ago | (#13013170)

No offense, but right now the last thing Debian needs is a new Developer who only wishes to look after one or two pet packages and do nothing else.

If somebody else is now maintaining the packages you mention - is anything lost? The packages are available to Debian users, and somebody else is saving you from doing work.

Stable packages are not supposed to be current, but Unstable is. Still if you know Debian sufficiently well to know about creating and maintaining packages you'd know this already, right?

No offense (0)

Anonymous Coward | more than 9 years ago | (#13013447)

None taken, but I tend to disagree. There is nothing wrong with someone 'only' caring about one or a few 'pet' packages; if done well, this is imo exactly what debian is about.

Re:No offense (1)

krmt (91422) | more than 9 years ago | (#13014052)

That's entirely the problem. Debian has a zillion packages but has trouble releasing due to everyone's pet project, be it a pet architecture or a pet library or whatever. Not enough people want to put together a coherent distribution, they just want their little feature taken care of. Witness the number of people working on core pieces of Debian like apt, dpkg, aptitude, etc in comparison to the total number of Debian developers.

Re:The problem with Debian (3, Insightful)

RAMMS+EIN (578166) | more than 9 years ago | (#13013004)

Agreed. this is a problem with any large organization, and Debian is definitely one of them. These procedures exist to ensure quality, and they appear to work, but they also slow down progress. It's a double edged sword.

Re:The problem with Debian (5, Informative)

Phleg (523632) | more than 9 years ago | (#13013161)

Debian has no such shortage of manpower. Doing a quick wc -l over the list of Debian developers gets 1,671 people. And that's just the development team, which doesn't include the list of Debian System Administrators (which, admittedly, is much shorter). Debian has enough people for what it does, and the list of contributors continues to grow.

The problem it was experiencing, however, was a shortage of people assigned to the security team, which has apparently now been resolved.

Re:The problem with Debian (0)

Anonymous Coward | more than 9 years ago | (#13014304)

There can also be problems with too many people. Laggards can hold up the release schedule for everybody, for example. Being a volunteer organization doesn't imply that Debian developers can't be held accountable for their performance. Although it might cause some short term pain, I wouldn't mind seeing a bit of creative destruction in this area.

Slackware -- Arch (0)

Anonymous Coward | more than 9 years ago | (#13012935)

I was a Slackware user for some time too, but I like to stay current (i know.... "-current") but i didnt want to risk breaking my system. Debian is takes a long time to deem a package stable.

Arch uses a "rolling release" schedule so use the builtin package manager to upgrade and bam! your current. The package manager even resolves dependencies!

Re:Slackware -- Arch (2, Funny)

Rosco P. Coltrane (209368) | more than 9 years ago | (#13012979)

Arch uses a "rolling release" schedule so use the builtin package manager to upgrade and bam! your current. The package manager even resolves dependencies!

Holy crap, I didn't realize Slack had become so modern! And just to think that I'm stuck with dpkg and apt, that can't resolve dependencies and automatically upgrade your box...

We need a Linux Security Information aggregator (3, Interesting)

James Youngman (3732) | more than 9 years ago | (#13012941)

One of the problems is that, obviously, exploits can be known by The Bad Guys but not the software maintenance community (i.e. upstream maintainer, Debian package maintainer, Debian security folk). That's obviously bad.

A less obvious but perhaps more frequent problem is where security problems are discovered and announced in upstream packages, but the information doesn't flow down to all the distributions. There's no formalised or automated mechanism by which distribution security teams get alerted to relevant upstream security fixes. You might get duscussion of the problem on a mailing list which is specific to the upstream package, but the Debian Security team can't be expected to subscribe to all those lists.

Similarly though, you can't rely on upstream maintainers reliably notifying 19 (or however many) distribution security contacts for each security-relevant release. In the specific case of Debian, this sort of thing is the Debian package maitainer's responsibility. However, there are thousands of Debian packages; some of the maintainers are very responsive and some are less so. Even the responsive ones go on vacation sometimes.

I'm an upstream maintainer. I'm pretty sure that for some of the distrubutions, nobody has subscribed to the mailing list where security problems would be announced (bug-whatever@gnu.org). In this particular exmaple, Debian isn't one of them - the Debian maintainer in this specific case is very active.

However, having a single point where Linux-relevant security announcements could go would be useful. BUGTRAQ simply isn't it (partly because its mailing list software is somewhat broken, also because of the noise level due to broken out-of-office response programs, and because solving this problem isn't the goal of that mailing list). That way, at least the Debian Security team - among others - could count on being notified reliably about known problems.

Of course then you still have a workload for the security team of analysing problems, deciding on responses and preparing NMUs. That may indeed require more people - I'm not claiming that an aggregated feed of upstream security concerns and fixes solves the whole problem.

Re:We need a Linux Security Information aggregator (1)

kink (597413) | more than 9 years ago | (#13013377)

What about the vendor-sec list, to which to my knowledge all the major distributions are subscribed?

Re:We need a Linux Security Information aggregator (0)

Anonymous Coward | more than 9 years ago | (#13013990)

What's wrong with linuxsecurity.com?

Re:We need a Linux Security Information aggregator (0)

Anonymous Coward | more than 9 years ago | (#13014359)

Or even SecurityFocus.com?

RPM and Deb (4, Interesting)

Anonymous Coward | more than 9 years ago | (#13012959)

I think one of the main problems for debian stems from the use of .debs. Sure, they are still superior in a fews ways to rpms, but rpm has by and large caught up since rpm v3 and certainly rpm v4,

The baroque complexity of the debian/ subdirectory and build processes compared to an rpm .spec file is really discouraging for developers wanting to package their stuff up for debian.

Similarly, while apt trailblazed decent dependency handling, the latest versions of yum are catching up and, extremely importantly, it is far simpler to set up a yum repository than an apt one - so third party developers can very simply set up a website with a small repository and manage it themselves.

There'd be initial massive outcry I guess, but if Debian were to just adopt rpm, life would become much simpler. /usr/src/debian/RPMS ...

Re:RPM and Deb (4, Interesting)

RAMMS+EIN (578166) | more than 9 years ago | (#13013138)

Yeah, and you had to post that as an AC just to prevent the Debian zealots (like me) from finding out your identity. :-(

I've always hated the RPM-based distros for getting more successful using an inferior technology and giving many people the impression that package management on Linux was hard, while Debian made everything easy with apt-get.

However, the times have changed. apt-get works for RPMs now, and automated package managers are finally working for RPM-based distros. Maybe the time has come for a standard in packaging land, and maybe that standard can indeed be RPM.

However, notice the many maybes. Having a standard is only helpful if every distro actually uses the same packages, and I'm not very sure that is going to happen. Without that, software still has to be packaged separately for each distribution, and there is little use for standardizing the format. In that case, the best course for Debian is to stick to their own format; if it ain't broken, don't fix it.

Re:RPM and Deb (2, Informative)

Anonymous Coward | more than 9 years ago | (#13013476)

Having a standard is only helpful if every distro actually uses the same packages, and I'm not very sure that is going to happen. Without that, software still has to be packaged separately for each distribution

A few conditionals in a single .spec file are often all that is needed for RedHat-Fedora-CentOS/Mandriva/SuSE . Very little effort indeed if you're depending on LSB rather than using RedHatisms.

Yes, you might still need to build different binary RPMs for the different RPM distros, but they can all come from the same source RPM.

An article here http://www.novell.com/coolsolutions/feature/11256. html [novell.com] goes into some depth with further references.

Re:RPM and Deb (1)

bfields (66644) | more than 9 years ago | (#13013616)

Having a standard is only helpful if every distro actually uses the same packages

There are also advantages just to sharing the same packaging system--sharing of bug fixes for rpm itself, ability to easily transfer rpm-building or -using skills from one distribution to another, etc.

Re:RPM and Deb (0)

Anonymous Coward | more than 9 years ago | (#13013258)

I haven't used RedHat in years... But does what your saying imply that I could do a:

yum update; yum dist-upgrade

and be upgraded from FC3 to FC4?

-Curious long-time Debian user

Re:RPM and Deb (0)

Anonymous Coward | more than 9 years ago | (#13013294)

Redhat doesn't officially recommend it, they still say you should boot from the install CD and select an "upgrade install" but that has worked for me from FC2->FC3->FC4. The reason it's not recommended is that unlike Debian, the occasional live upgrade problems still aren't treated as official bugs as such. But technologically, yum has been capable of it for some time, it just needs a cultural/policy change for people to start registering package-upgrade problems as bugs in the Fedora bugzilla.

Re:RPM and Deb (3, Interesting)

dozer (30790) | more than 9 years ago | (#13013437)

I agree with half of what you say. I've made both RPMs and debs and I find that RPMs are the clear winner. They are faster to install, easier to package, and smaller. The "extra flexibility" that dpkg gives you is not only unnecessary, it's a liability.

Besides, who wants their apt-get upgrade to stop every 2 minutes and ask inane questions?? Debconf sucks! Even with priority=high it acts like a stupid nieghbor that always wants to chat. RPM gets this right: install sensible defaults and let the user change stuff using a sensible interface AFTER the package is installed.

Finally, it's looking like development on apt/dpkg is largely stalled out. At least, except for package signatures, I haven't seen a user-visible change since, oh, 2000 or so.

Yum, on the other hand... COULD IT BE ANY SLOWER?? "apt-get install nmap" takes all of 4 seconds. "yum install nmap" on FC4 takes over 30 seconds as it draws endless progress bars. I have no idea why it takes so long. I like Yum's simple config files, but it's moot until they fix its speed issue.

Connectiva got it right. It's a shame rpm-over-apt hasn't caught on.

Re:RPM and Deb (0)

Anonymous Coward | more than 9 years ago | (#13014283)

What speed is your computer? I ask because yum is written in Python. On a slow machine where the operation is CPU-bound, yum is noticeably slower than apt. On my newest machines (2.4 and 3 GHz...), there isn't much difference I can see, I think because it has become I/O-bound and the python speed hit matters little.

One other thing to note is that apt separates the repository-check (update) and install (upgrade/dist-upgrade) steps, yum always does a repository check followed by install. So it might seem slower because of that, but it is doing something different.

Re:RPM and Deb (2, Interesting)

runswithd6s (65165) | more than 9 years ago | (#13014183)

I think one thing people misunderstand about packages is not necessarily the format of the package itself (which is certainly important), but the robustness of the tools with which you can operate on those packages. Part of your comment is targeted in that direction, and I agree. Tools are converging in features. Improvements are being made across the board on both camps. dpkg and apt, for example, have some interesting enhancements on deck. Just check out the dpkg ChangeLog [debian.org] if you're looking for examples of changes already made.

Regarding format, though, I still believe DEB's win for flexibility, accessibility, and a simple, straight-forward design. Baroque is hardly the word to describe the "./debian" maintainer scripts directory. What does one find in "./debian"? control, changelog, copyright, README.Debian, rules (the build Makefile), and optionally the prerm, postrm, preinst, postinst scripts. Whatever else a maintainer puts in that directory that is useful for the build process is entirely subjective to the helper tools they might use (like debhelper).

DEB's are simply two tarballs archived together, data.tar.gz, which contains the package files themselves, and control.tar.gz, which contains the maintainer scripts. If you did not have dpkg installed on your system, but wished to extract the files and information from a DEB, you would simply use the tools ar and tar. To do the same with an RPM is to open up a hex editor to find the end of the RPM header, then use dd to cut it off and output the remaining tarball. (RPM format [rpm.org] ) How many people know or want to know how to do that?

The other flexiblity that DEB's have that RPM's don't (didn't?) is that maintainer scripts can be written in any language the maintainer wishes, as long as the interpretor is installed at the time the script runs. If you're maintaining a Perl package, it's reasonable to assume that Perl can be installed as a (pre-)dependency and used to run the maintainer scripts.

Debconf, for example, is one of those optional helper tools the maintainer is encouraged to use when questions must be asked of the user/administrator at installation time. Gone are the days when DEB's could not be installed unattended. Using Debconf allows the maintainer to provide those questions, and allows the user to view them using one of multiple interfaces, or to ignore them completely. Additionally, po-debconf makes it trivial to add multilingual support for those questions.

There is plenty of documentation, utilities, and helper tools to create a Debian package, and on-line resources such as IRC, email lists, and forums. An interesting thread to read dates back from 1996, titled "Why the .deb format? [debian.org] ". Also, take a gander at this FAQ [debian.org] .

Really, comparing RPM's to DEB's is like comparing apples to oranges. RPM maintainers may baulk at the "debian/" directory and maintainer scripts, but I personally baulk at having to learn yet another spec file format for RPM's and being restricted to using librpm or a hex editor to access the data contained within the package.

rather than zdnet fluff... (1, Informative)

Anonymous Coward | more than 9 years ago | (#13012963)

I found Branden's Debian Project Leader Report [debian.org] to be more informative. Although, at least zdnet had the courtesy to link to it in their so-called article.

Xandros (1)

airjrdn (681898) | more than 9 years ago | (#13012965)

Since it's based on Debian, is Xandros also affected by the security issues?

Re:Xandros (1)

HawkingMattress (588824) | more than 9 years ago | (#13013079)

Bah, IIRC Xandros doesn't update it's distro, at all.
They just release a version and you have to wait for the next release (and buy it) for bug fixes (and of course the release will bring new bugs since they'll add features). I don't know if they have the same policy concerning security fixes, but i wouldn't trust them at all...

Re:Xandros (1)

Garwulf (708651) | more than 9 years ago | (#13013254)

Um, actually Xandros recently released Service Pack 2 for Xandros Desktop 3, as well as the kernel update to 2.6.11, so they are updating.

new leadership in a good track ... (1)

cytopia (891088) | more than 9 years ago | (#13012969)

looks like the new leadership does some good moves

let's see how it develops...

In related news... (0)

Anonymous Coward | more than 9 years ago | (#13012974)

In related news, Debian's security team announced late last night that their sendmail package is no longer vulnerable to the Robert T. Morris Worm.

Professor Morris had this to say: "You're kidding, right?"

A Debian user, who wished to remain anonymous, was glad to hear that Debian was taking a pro-active approach to package updates. "I've been using Debian for a year now, and I've got to say that it beats my old Windows 3.1 box hands down. It's good to hear that they're taking a pro-active approach to security and package updates."

Although we attempted to contact the Debian team for comment, their response was not available in time for the publishing of this article. A reply is expected sometime before March 2008.

Related Articles:
About the Morris Worm:
http://en.wikipedia.org/wiki/Morris_worm [wikipedia.org]

Problems plague Debian updates:
http://lists.debian.org/debian-user/2000/07/msg030 06.html [debian.org]

History of Windows:
http://www.computerhope.com/history/windows.htm [computerhope.com]

Real History of Windows:
http://www.imdb.com/title/tt0168122/ [imdb.com]

(Beware TPB)

Thanks... (3, Insightful)

rpsoucy (93944) | more than 9 years ago | (#13013084)

Debian was my first GNU/Linux distribution. 1.3 was the stable at the time, but I ran the 2.0 unstable canidate. For a while I've used others... but I always come back to Debian. The Debian Security Team is a big part of the reason. The comunity nature of Debian, and the history of Debian represent a real important part of the Free Software comunity.

Security is often a thankless job. People only care once something goes wrong. They don't see all the work it takes to coordinate timely security responce. It should also be noted that Debian takes a proactive approach to security with the Debian Security Audit Team.

Debian lost a lot of its reputation with the delays for the current stable release. I think the future of Debian, if its to keep its reputation, will be to move to a standard release cycle of once every 2 years. Sure the Debian releases are few and far between compared to other distributions, but Debian is about software Freedom, not bleading edge technology. It provides a solid and secure OS, and most system administrators don't want to roll out a new version of an OS every 2 years, in fact, most would rather keep running an OS as long as there are security updates.

There are certainly a lot of challanges for Debian right now, hopefully the "Security Issue" goes away with this change.

Re:Thanks... (1)

yack0 (2832) | more than 9 years ago | (#13013178)

Debian lost a lot of its reputation with the delays for the current stable release.

How's that possible? Debian's reputation revolves around the slow release cycle. Ask anyone about Debian and they'll likely include 'slow release on stable' as part of their comments, whether they like Debian or not.

Re:Thanks... (1)

rpsoucy (93944) | more than 9 years ago | (#13013279)

There is long, and then there is long. People were expecting it to come out sooner, and it was met with delay after delay. Long release cycles are fine if you tell people about them, but when people expect that you'll be releaing a new version next year and it turns into 3 years later... well... Needless to say, for a while a lot of Debian users moved to more current alternatives.

People want predictability.

Re:Thanks... (1)

SaDan (81097) | more than 9 years ago | (#13013469)

I absolutely agree.

Re:Thanks... (2, Insightful)

stephenpeters (576955) | more than 9 years ago | (#13013539)

Debian lost a lot of its reputation with the delays for the current stable release

I disagree. I run servers for commercial clients. A large number of these prefer to run some type of free software as a server platform these days. Debian is an attractive platform because of the care that goes into it. The slow release cycle means that time can be spent on thorough, careful software engineering. Distributions with faster release cycles are rarely as reliable as Debian over the longer term. I and my clients are used to spending time setting up a machine, and then leaving it in production for 4-5 years with minimal maintenance. Using Debian I have found that power and hardware failures are the main cause of unplanned system downtime.

Debian is about software Freedom, not bleading edge technology.

If you do want to use some of the newer packages from testing or unstable try using apt pinning on a stable system. Simply put apt pinning allows you to mix and match selected packages from stable testing and unstable together. A simple howto can be found here [sbih.org]

There are certainly a lot of challanges for Debian right now

There will always be challenges for Debian. The Debian leaders seem to do just that, lead. Perhaps that is why they remain such a well regarded distribution. Do not give up on Debian because of a few negative news stories. Debian has worked well for me for years. If you stick with it it should do the same for you.

Steve

Irrelevant? (-1)

caluml (551744) | more than 9 years ago | (#13013353)

Debian are rapidly becoming irrelevant, it seems.
/got mod points, burn me.

No burn, a reply (2, Informative)

rjethmal (619327) | more than 9 years ago | (#13013491)

Debian is far from becoming irrelevant. Where did Knoppix start? Xandros? Ubuntu?

These and many other distros can be seen, under the right light, as branches on a Debian trunk. I feel fairly confident in saying that no other distro could provide a sufficiently robust and broad base upon which to build.

Ubuntu and company can do as they please. Some may, eventually, cease to be recognizable as Debian-based, but that will take a very long while.

In the meantime, Debian will continue to be an example of how large-scale projects should be run. After all, Debian has been around a long time; and in that time they have managed to build up what is arguably the largest repository of software the community has. They've also managed to support a considerable number of architectures and they've done it all quite well IMHO.

Re:No burn, a reply (-1, Flamebait)

Anonymous Coward | more than 9 years ago | (#13013817)

You were doing well until you added "IMHO", which can be roughly translated into "I am an arrogant bastard"
Load More Comments
Slashdot Login

Need an Account?

Forgot your password?