Forgot your password?
typodupeerror
Security Debian

Debian Addresses Security Problems 118

Posted by Zonk
from the quick-turnaround dept.
An anonymous reader writes "After suffering manpower shortages and other issues, Debian says it has finally addressed concerns that it was falling behind on security. Debian's elected leader Branden Robinson yesterday flagged an inquiry into the processes by which security updates are released, citing a potential lack of transparency and communication failures. It was also an appropriate time to add new members to Debian's security team, as several have been inactive for a while, Robinson said. Debian initial security problems can be found in this earlier Slashdot posting."
This discussion has been archived. No new comments can be posted.

Debian Addresses Security Problems

Comments Filter:
  • 1000 developers? (Score:2, Interesting)

    by datadriven (699893)
    I thought debian had over 1000 developers. Don't any of them do security?
    • by RAMMS+EIN (578166) on Friday July 08, 2005 @09:35AM (#13012892) Homepage Journal
      Being able to write some software and produce packages is very different from doing security. Security is something that many, even in the developer community, don't understand, or don't understand completely. Having someone who isn't completely security savvy declare your program secure does not help you very much.

      Plus, Debian likely requires a lot of security people compared to other distro's, because 1) they provide very many packages (I can't say for sure more than any other, but it's likely), and 2) they don't only fix things by upgrading packages in unstable to the latest version, but also backport fixes to the version in stable.

      And in the meantime, the rest of the organization needs not to be forgotten. New packages are submitted all the time, people do like to see a new release within their lifetimes, questions have to be answered, (non-security) bugs need to be fixed, etc. etc. etc. Debian is just a huge project, and I'm impressed with how well it works.
      • What makes you think those guys understand security?

        I've seen more than one distro provided security fix be put out for non-existant security issues, that were very obviously non-existant (eg, discussed on the mailing lists and proven to be non-exploitable).

        Debian isn't the only group that fixed a non-existant bug (for Wine). Gentoo did it too, for Mozilla. There are probably more examples: these are ones I came across randomly without looking for them.

    • Re:1000 developers? (Score:5, Informative)

      by smoking2000 (611012) <linuxminded@WELTYgmail.com minus author> on Friday July 08, 2005 @09:48AM (#13012981)
      Of those many developers only 5 of them where in the Security team. And of those 5 only one (Brandon) has remained active.

      Due to the nature of security issues, the team had tough requirements for new members, which kept fresh blood to enter the team.

      Now that this problem got the attention it unfortunatly needed, new members have stepped to the plate to strengthen the security team.

      You can read more about the handling of this situation in Brandon's Project Leader Report [debian.org]

      • Re:1000 developers? (Score:3, Informative)

        by stevey (64018)

        Branden is not a member of the Debian Security Team. (and his name is spelt with an 'e' not an 'o').

        The current members are listed on the Debian Organizational chart [debian.org] - albeit some are less active than others.

        • You are correct, I had mistaken Branden for Joey. Two names I see fly by very frequently.

          I recalled an email [debian.org] to debian-devel about the security issue, where it was stated that only one member was left active.
          Only did I recall the name incorrectly, my apologies for the confusion I may have caused.
          • Re:1000 developers? (Score:2, Informative)

            by stevey (64018)

            Until recently Joey was the only active member.

            In the past couple of weeks Michael Stone has become active again, which has helped.

  • Good. (Score:1, Funny)

    by Musteval (817324)
    Because before, Debian was in serious danger of falling behind Windows on the security front.
  • Proof (Score:4, Funny)

    by bondsbw (888959) on Friday July 08, 2005 @09:29AM (#13012841)
    Debian initial security problems can be found in this earlier Slashdot posting.

    PROOF that Slashdot submitters have access to previous stories!

    Who knew, dupes really aren't necessary after all.

  • by Anonymous Coward
    Lick me if i'm wrong- but aren't security problems good? I mean, I thought a completely insecure OS led to a monopoly and you becoming the richest man in the world.....
    Why are they trying to fix the security issues? don't they know it is bad business?
    All you nipple are belong to us
    • I know people are modding you funny; but there is some important truth to what you said.

      I've long said that Microsoft's greatest strength as a business is that they were the only software company who best calculated and acted on these risk/reward tradeoffs.

      In all businesses there is a tradeoff between Security and other business needs including Time-to-Market and Ease-of-Use. Note that this problem isn't unique to the software industry. Credit card companies have the same challenges (ease of stealin

  • Now let's hope they won't stop there, and make a revamp of the whole Debian process.
    Debian needs to react to what's happening around it, and into it. Because we NEED Debian, much more than any other distro.
    If Debian happened to die, what choices would we have ? commercial distros, or distros based on commercial ones. That would suck big time. I don't even use Linux on the destop personally, I mostly use it at work on servers now. But i know i sleep better at night knowing that a thing such as Debian exis
    • Huh yep I forgot gentoo and probably lots of others :) Sorry about that. But those distros don't play in the same park, they're more like niche distros.
      • by SaDan (81097)
        Debian is niche, as far as I can tell. The only reason to run Debian is if you believe in the politics behind the distro.

        Aside from that, it's just another Linux distro, and one that's having problems lately with security and administration behind the distro. Not good.
        • "The only reason to run Debian is if you believe in the politics behind the distro"

          Not at all. I do run extensively Debian both on servers and desktops, and I do it because Debian is, as far as my knowledge reaches, technically-wise the best distribution over there.
        • Re:GOOD (Score:5, Interesting)

          by Phillup (317168) on Friday July 08, 2005 @11:17AM (#13013683)
          The only reason to run Debian is if you believe in the politics behind the distro.

          I could give a rat's ass about the politics of the distro.

          Or the cost.

          I run Debian because it is the easiest distro I've ever found when it comes time to update/upgrade.

          I simply can't afford (nor can my customers) to take a machine to bare metal for an upgrade. And while most distros really try to make the upgrade from one version to the next easy... most are not "production quality" as far as I"m concerned.

          If you want to deploy systems with a long service life, Debian is a fine choice.
        • I can't stand the politics of Debian. I use it because of apt-get dist-upgrade. I wait in vain for a better package manager that has a better version migration scheme, as well as having multiple mirrored online repositories (fedora doesn't count because it has nothing like dist-upgrade and doesn't plan to begin such a scheme til FC5 or later). A gentoo with an emphasis on stability and official support for portage overlays might be a good competitor. But I need a real distribution to run right now, not
    • by kink (597413) *
      If you think that way, please get involved! There are lots of ways you can help, the most obvious being reporting bugs and submitting patches for open problems. Debian is kept alive by people who care about it actually contribute.
    • If Debian happened to die, what choices would we have ?

      It's talk like this that makes me nervous. WHAT, besides the install program and the apt-system, is so important about Debian that it and only it will do??? Did Debian suddenly do a hostile takeover of every single line of code in all of GNU, Unix, Solaris, Minix, and Linux combined? Will I still be able to read Emacs source code without Debian suing me? If anybody else uses KDE, will Debian sue them for copying the "look and feel"? Does Debian own pr

  • by Rosco P. Coltrane (209368) on Friday July 08, 2005 @09:37AM (#13012911)
    is that they make you jump through many loops before allowing you to help them. I have several pieces of software that I wanted to contribute to Debian, so I figured I might as well be the maintainer for them. I gave up eventually, because it's just too damn bothersome, and another Debian maintainer took my .debs over for me.

    IMHO, that's why they have a shortage of manpower, because it's just not easy enough for people to jump in and help.
    • by xmgl (641825)
      Good point. I'd agree but don't forget the fact that it is also through those rigorous processes that Debian maintains its reputation for quality.
      • I agree, but what's the point of quality packages if the packages are so far behind? There needs to be a balance between trust and ease of contribution, so that stable packages are reasonably current. As it is now, they're obviously asking too much from potential helpers.
        • No offense, but right now the last thing Debian needs is a new Developer who only wishes to look after one or two pet packages and do nothing else.

          If somebody else is now maintaining the packages you mention - is anything lost? The packages are available to Debian users, and somebody else is saving you from doing work.

          Stable packages are not supposed to be current, but Unstable is. Still if you know Debian sufficiently well to know about creating and maintaining packages you'd know this already, right?

    • by RAMMS+EIN (578166) on Friday July 08, 2005 @09:53AM (#13013004) Homepage Journal
      Agreed. this is a problem with any large organization, and Debian is definitely one of them. These procedures exist to ensure quality, and they appear to work, but they also slow down progress. It's a double edged sword.
    • by Phleg (523632) <stephen@touset. o r g> on Friday July 08, 2005 @10:14AM (#13013161)

      Debian has no such shortage of manpower. Doing a quick wc -l over the list of Debian developers gets 1,671 people. And that's just the development team, which doesn't include the list of Debian System Administrators (which, admittedly, is much shorter). Debian has enough people for what it does, and the list of contributors continues to grow.

      The problem it was experiencing, however, was a shortage of people assigned to the security team, which has apparently now been resolved.

  • One of the problems is that, obviously, exploits can be known by The Bad Guys but not the software maintenance community (i.e. upstream maintainer, Debian package maintainer, Debian security folk). That's obviously bad.

    A less obvious but perhaps more frequent problem is where security problems are discovered and announced in upstream packages, but the information doesn't flow down to all the distributions. There's no formalised or automated mechanism by which distribution security teams get alerted to relevant upstream security fixes. You might get duscussion of the problem on a mailing list which is specific to the upstream package, but the Debian Security team can't be expected to subscribe to all those lists.

    Similarly though, you can't rely on upstream maintainers reliably notifying 19 (or however many) distribution security contacts for each security-relevant release. In the specific case of Debian, this sort of thing is the Debian package maitainer's responsibility. However, there are thousands of Debian packages; some of the maintainers are very responsive and some are less so. Even the responsive ones go on vacation sometimes.

    I'm an upstream maintainer. I'm pretty sure that for some of the distrubutions, nobody has subscribed to the mailing list where security problems would be announced (bug-whatever@gnu.org). In this particular exmaple, Debian isn't one of them - the Debian maintainer in this specific case is very active.

    However, having a single point where Linux-relevant security announcements could go would be useful. BUGTRAQ simply isn't it (partly because its mailing list software is somewhat broken, also because of the noise level due to broken out-of-office response programs, and because solving this problem isn't the goal of that mailing list). That way, at least the Debian Security team - among others - could count on being notified reliably about known problems.

    Of course then you still have a workload for the security team of analysing problems, deciding on responses and preparing NMUs. That may indeed require more people - I'm not claiming that an aggregated feed of upstream security concerns and fixes solves the whole problem.

  • RPM and Deb (Score:4, Interesting)

    by Anonymous Coward on Friday July 08, 2005 @09:45AM (#13012959)
    I think one of the main problems for debian stems from the use of .debs. Sure, they are still superior in a fews ways to rpms, but rpm has by and large caught up since rpm v3 and certainly rpm v4,

    The baroque complexity of the debian/ subdirectory and build processes compared to an rpm .spec file is really discouraging for developers wanting to package their stuff up for debian.

    Similarly, while apt trailblazed decent dependency handling, the latest versions of yum are catching up and, extremely importantly, it is far simpler to set up a yum repository than an apt one - so third party developers can very simply set up a website with a small repository and manage it themselves.

    There'd be initial massive outcry I guess, but if Debian were to just adopt rpm, life would become much simpler. /usr/src/debian/RPMS ...

    • Re:RPM and Deb (Score:5, Interesting)

      by RAMMS+EIN (578166) on Friday July 08, 2005 @10:11AM (#13013138) Homepage Journal
      Yeah, and you had to post that as an AC just to prevent the Debian zealots (like me) from finding out your identity. :-(

      I've always hated the RPM-based distros for getting more successful using an inferior technology and giving many people the impression that package management on Linux was hard, while Debian made everything easy with apt-get.

      However, the times have changed. apt-get works for RPMs now, and automated package managers are finally working for RPM-based distros. Maybe the time has come for a standard in packaging land, and maybe that standard can indeed be RPM.

      However, notice the many maybes. Having a standard is only helpful if every distro actually uses the same packages, and I'm not very sure that is going to happen. Without that, software still has to be packaged separately for each distribution, and there is little use for standardizing the format. In that case, the best course for Debian is to stick to their own format; if it ain't broken, don't fix it.
      • Re:RPM and Deb (Score:2, Informative)

        by Anonymous Coward
        Having a standard is only helpful if every distro actually uses the same packages, and I'm not very sure that is going to happen. Without that, software still has to be packaged separately for each distribution

        A few conditionals in a single .spec file are often all that is needed for RedHat-Fedora-CentOS/Mandriva/SuSE . Very little effort indeed if you're depending on LSB rather than using RedHatisms.

        Yes, you might still need to build different binary RPMs for the different RPM distros, but they can all
      • Having a standard is only helpful if every distro actually uses the same packages

        There are also advantages just to sharing the same packaging system--sharing of bug fixes for rpm itself, ability to easily transfer rpm-building or -using skills from one distribution to another, etc.

    • Re:RPM and Deb (Score:4, Interesting)

      by dozer (30790) on Friday July 08, 2005 @10:49AM (#13013437)
      I agree with half of what you say. I've made both RPMs and debs and I find that RPMs are the clear winner. They are faster to install, easier to package, and smaller. The "extra flexibility" that dpkg gives you is not only unnecessary, it's a liability.

      Besides, who wants their apt-get upgrade to stop every 2 minutes and ask inane questions?? Debconf sucks! Even with priority=high it acts like a stupid nieghbor that always wants to chat. RPM gets this right: install sensible defaults and let the user change stuff using a sensible interface AFTER the package is installed.

      Finally, it's looking like development on apt/dpkg is largely stalled out. At least, except for package signatures, I haven't seen a user-visible change since, oh, 2000 or so.

      Yum, on the other hand... COULD IT BE ANY SLOWER?? "apt-get install nmap" takes all of 4 seconds. "yum install nmap" on FC4 takes over 30 seconds as it draws endless progress bars. I have no idea why it takes so long. I like Yum's simple config files, but it's moot until they fix its speed issue.

      Connectiva got it right. It's a shame rpm-over-apt hasn't caught on.
      • The biggest reason that APT for RPM hasn't caught on is it's complete ignorance of bi-arch systems. Using apt-rpm on something like x86_64 is basically impossible.
      • Finally, it's looking like development on apt/dpkg is largely stalled out. At least, except for package signatures, I haven't seen a user-visible change since, oh, 2000 or so.

        How is this bad? It's retaining a consistent interface for people to build other tools and scripts upon.

        The one thing I'd really like to see in apt, which probably belongs more with dpkg (which apt uses) than anything else, is proper tracking of when packages are installed and removed. There have been several occasions w

      • Re:RPM and Deb (Score:1, Informative)

        by Anonymous Coward
        maybe you should do,

        dpkg-reconfigure debconf

        and select "Noninteractive". No more questions, ever.
    • Re:RPM and Deb (Score:3, Interesting)

      by runswithd6s (65165)
      I think one thing people misunderstand about packages is not necessarily the format of the package itself (which is certainly important), but the robustness of the tools with which you can operate on those packages. Part of your comment is targeted in that direction, and I agree. Tools are converging in features. Improvements are being made across the board on both camps. dpkg and apt, for example, have some interesting enhancements on deck. Just check out the dpkg ChangeLog [debian.org] if you're looking for examp
      • To do the same with an RPM is to open up a hex editor to find the end of the RPM header, then use dd to cut it off and output the remaining tarball. (RPM format) How many people know or want to know how to do that?

        Actually, rpm2cpio and then just use cpio.
    • Re:RPM and Deb (Score:3, Interesting)

      by myowntrueself (607117)
      RPM is superior to deb in one important way that saved my ass once.

      I had managed to delete all of the symlinks under /etc Don't ask how, I just did, ok?

      *Fortunately* the RPM database contained all of the information I needed to reconstruct the symlinks which were created by the packages.

      I work with debian systems, so it occurred to me to see how I would achieve the same success on debian systems.

      So far as I can tell, symlinks are not listed in any debian 'database' on the system where the package is ins
  • by Anonymous Coward
    I found Branden's Debian Project Leader Report [debian.org] to be more informative. Although, at least zdnet had the courtesy to link to it in their so-called article.
  • Since it's based on Debian, is Xandros also affected by the security issues?
    • Bah, IIRC Xandros doesn't update it's distro, at all.
      They just release a version and you have to wait for the next release (and buy it) for bug fixes (and of course the release will bring new bugs since they'll add features). I don't know if they have the same policy concerning security fixes, but i wouldn't trust them at all...
      • Um, actually Xandros recently released Service Pack 2 for Xandros Desktop 3, as well as the kernel update to 2.6.11, so they are updating.
  • looks like the new leadership does some good moves

    let's see how it develops...

  • Thanks... (Score:3, Insightful)

    by rpsoucy (93944) <rps@soucy.org> on Friday July 08, 2005 @10:04AM (#13013084) Homepage
    Debian was my first GNU/Linux distribution. 1.3 was the stable at the time, but I ran the 2.0 unstable canidate. For a while I've used others... but I always come back to Debian. The Debian Security Team is a big part of the reason. The comunity nature of Debian, and the history of Debian represent a real important part of the Free Software comunity.

    Security is often a thankless job. People only care once something goes wrong. They don't see all the work it takes to coordinate timely security responce. It should also be noted that Debian takes a proactive approach to security with the Debian Security Audit Team.

    Debian lost a lot of its reputation with the delays for the current stable release. I think the future of Debian, if its to keep its reputation, will be to move to a standard release cycle of once every 2 years. Sure the Debian releases are few and far between compared to other distributions, but Debian is about software Freedom, not bleading edge technology. It provides a solid and secure OS, and most system administrators don't want to roll out a new version of an OS every 2 years, in fact, most would rather keep running an OS as long as there are security updates.

    There are certainly a lot of challanges for Debian right now, hopefully the "Security Issue" goes away with this change.

    • Debian lost a lot of its reputation with the delays for the current stable release.

      How's that possible? Debian's reputation revolves around the slow release cycle. Ask anyone about Debian and they'll likely include 'slow release on stable' as part of their comments, whether they like Debian or not.
      • There is long, and then there is long. People were expecting it to come out sooner, and it was met with delay after delay. Long release cycles are fine if you tell people about them, but when people expect that you'll be releaing a new version next year and it turns into 3 years later... well... Needless to say, for a while a lot of Debian users moved to more current alternatives.

        People want predictability.
        • I absolutely agree.
        • Re:Thanks... (Score:3, Insightful)

          by yack0 (2832)
          People want predictability.

          Sign me up for 'reliability' before 'predictability'. Not only because it's easier to spell, but for my servers that are out there, I'm not planning on that many changes.

          IMHO, the stability afforded me by 'stable' is worth the occasional inconvenience of being a little behind in versions. (Or a lot behind).

          Many many many people disagree with this. That is why there are other distros.

          People were expecting it to come out sooner,

          Why?

          Who, in the Debian release process, said
    • Re:Thanks... (Score:2, Insightful)

      by stephenpeters (576955)
      Debian lost a lot of its reputation with the delays for the current stable release

      I disagree. I run servers for commercial clients. A large number of these prefer to run some type of free software as a server platform these days. Debian is an attractive platform because of the care that goes into it. The slow release cycle means that time can be spent on thorough, careful software engineering. Distributions with faster release cycles are rarely as reliable as Debian over the longer term. I and my clients

  • http://lists.debian.org/debian-amd64/2005/07/msg00 100.html [debian.org]

    Still waiting for the AMD64 security packages to show up a security.debian.org and not have to use the "sarge-proposed-updates" that Brandon warns against.
  • Aren't they the organization that was obsoleted by Ubuntu?

    <ducks>

This screen intentionally left blank.

Working...