
Debian Addresses Security Problems

An anonymous reader writes "After suffering manpower shortages and other issues, Debian says it has finally addressed concerns that it was falling behind on security. Debian's elected leader Branden Robinson yesterday flagged an inquiry into the processes by which security updates are released, citing a potential lack of transparency and communication failures. It was also an appropriate time to add new members to Debian's security team, as several have been inactive for a while, Robinson said. Debian's initial security problems can be found in this earlier Slashdot posting."

  • by RAMMS+EIN ( 578166 ) on Friday July 08, 2005 @09:35AM (#13012892) Homepage Journal
    Being able to write some software and produce packages is very different from doing security. Security is something that many, even in the developer community, don't understand, or don't understand completely. Having someone who isn't completely security savvy declare your program secure does not help you very much.

    Plus, Debian likely requires a lot of security people compared to other distros, because 1) they provide very many packages (I can't say for sure more than any other, but it's likely), and 2) they don't only fix things by upgrading packages in unstable to the latest version, but also backport fixes to the version in stable.

    And in the meantime, the rest of the organization needs not to be forgotten. New packages are submitted all the time, people do like to see a new release within their lifetimes, questions have to be answered, (non-security) bugs need to be fixed, etc. etc. etc. Debian is just a huge project, and I'm impressed with how well it works.
  • by Kookus ( 653170 ) on Friday July 08, 2005 @09:36AM (#13012894) Journal
    Free software is free for you to use, not free to develop.
    Software engineers need to put food on the table, so they have to get a real job when there isn't any corporate sponsorship. So now after you take out the time from their busy schedules to survive, there's not a whole lot left for a life and helping develop your free software.
    Now instead of a stream-lined process where coders can churn out results, you're left with only a little bit of support from those people, sometimes they get burnt out and take a break, other times they lose all their free time and stop supporting the software. That's when you see things bog down and the need to get more people on board and all the other problems that cascade from the lack of free time.
  • by xmgl ( 641825 ) on Friday July 08, 2005 @09:46AM (#13012967)
    Good point. I'd agree but don't forget the fact that it is also through those rigorous processes that Debian maintains its reputation for quality.
  • Re:I wouldn't know (Score:3, Insightful)

    by pebs ( 654334 ) on Friday July 08, 2005 @09:49AM (#13012985) Homepage
    I use slackware, myself, although I was thinking of giving Debian Sarge a try

    Depends on what you're trying to achieve. If you are running a server, especially one that is exposed to the internet or a large number of users (e.g. web server), Debian stable is really great. Especially with the ability to set up automatic updates; you can set it up, and not have to really touch it for another 2-3 years.

    If on the other hand you are using it for a desktop, development, or "tinkering" machine, Debian unstable or some other distro would probably be a better choice.
  • by RAMMS+EIN ( 578166 ) on Friday July 08, 2005 @09:53AM (#13013004) Homepage Journal
    Agreed. This is a problem with any large organization, and Debian is definitely one of them. These procedures exist to ensure quality, and they appear to work, but they also slow down progress. It's a double-edged sword.
  • by rbochan ( 827946 ) on Friday July 08, 2005 @09:54AM (#13013016) Homepage
    ... to know is:

    Why the hell are slashdotters [slashdot.org] trusting news about Debian from friggen zdnet? And a blog on zdnet to boot!

    I mean... c'mon... it's zdnet... with about as much credibility as The Star.
  • Thanks... (Score:3, Insightful)

    by rpsoucy ( 93944 ) <rps@soucy.org> on Friday July 08, 2005 @10:04AM (#13013084) Homepage
    Debian was my first GNU/Linux distribution. 1.3 was the stable at the time, but I ran the 2.0 unstable candidate. For a while I've used others... but I always come back to Debian. The Debian Security Team is a big part of the reason. The community nature of Debian, and the history of Debian, represent a really important part of the Free Software community.

    Security is often a thankless job. People only care once something goes wrong. They don't see all the work it takes to coordinate a timely security response. It should also be noted that Debian takes a proactive approach to security with the Debian Security Audit Team.

    Debian lost a lot of its reputation with the delays for the current stable release. I think the future of Debian, if it's to keep its reputation, will be to move to a standard release cycle of once every 2 years. Sure the Debian releases are few and far between compared to other distributions, but Debian is about software Freedom, not bleeding edge technology. It provides a solid and secure OS, and most system administrators don't want to roll out a new version of an OS every 2 years; in fact, most would rather keep running an OS as long as there are security updates.

    There are certainly a lot of challenges for Debian right now; hopefully the "Security Issue" goes away with this change.

  • Re:Thanks... (Score:2, Insightful)

    by stephenpeters ( 576955 ) on Friday July 08, 2005 @11:01AM (#13013539) Homepage
    Debian lost a lot of its reputation with the delays for the current stable release

    I disagree. I run servers for commercial clients. A large number of these prefer to run some type of free software as a server platform these days. Debian is an attractive platform because of the care that goes into it. The slow release cycle means that time can be spent on thorough, careful software engineering. Distributions with faster release cycles are rarely as reliable as Debian over the longer term. I and my clients are used to spending time setting up a machine, and then leaving it in production for 4-5 years with minimal maintenance. Using Debian I have found that power and hardware failures are the main cause of unplanned system downtime.

    Debian is about software Freedom, not bleeding edge technology.

    If you do want to use some of the newer packages from testing or unstable, try using apt pinning on a stable system. Simply put, apt pinning allows you to mix and match selected packages from stable, testing and unstable together. A simple howto can be found here [sbih.org]

    There are certainly a lot of challenges for Debian right now

    There will always be challenges for Debian. The Debian leaders seem to do just that, lead. Perhaps that is why they remain such a well regarded distribution. Do not give up on Debian because of a few negative news stories. Debian has worked well for me for years. If you stick with it it should do the same for you.

    Steve
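The apt pinning setup mentioned in the comment above, written out as an added example (this is not code from the thread, from the linked howto, or from Debian itself). It assumes the suites are published under the archive names `stable` and `testing` in sources.list, and the package name `foo` is a placeholder. The stanza priorities follow apt_preferences(5): 990 for stable (the same value APT gives a default release), 100 for testing so nothing is pulled from it unless asked for, and a per-package 990 from testing so that package alone ties with stable and APT resolves the tie in favour of the higher version.

```shell
#!/bin/sh
# Added example, not code from the thread or from Debian: generate an
# apt_preferences(5) file that keeps a machine on stable while letting
# named packages come from testing. Suite names (stable/testing) and the
# package name "foo" are assumptions; match them to your sources.list.
set -eu

# write_pin_prefs DEST PKG...
# Writes a preferences file to DEST:
#   stable  -> 990  (same priority APT gives the default release)
#   testing -> 100  (never chosen automatically; > 0, so an already
#                    installed testing version is not downgraded)
#   each PKG from testing -> 990 (ties with stable; on a tie APT
#                    installs the higher version, i.e. testing's)
write_pin_prefs() {
    dest=$1; shift
    {
        printf 'Package: *\nPin: release a=stable\nPin-Priority: 990\n\n'
        printf 'Package: *\nPin: release a=testing\nPin-Priority: 100\n'
        for pkg in "$@"; do
            printf '\nPackage: %s\nPin: release a=testing\nPin-Priority: 990\n' "$pkg"
        done
    } > "$dest"
}

# pin_priority FILE SUITE PKG
# Reads back the priority FILE assigns to PKG from SUITE ('*' for the
# catch-all stanza); prints nothing if no such stanza exists. Useful for
# checking the file before apt-cache policy is run on the real box.
pin_priority() {
    awk -v pkg="$3" -v suite="$2" '
        /^Package:/      { p = $2 }
        /^Pin: release/  { s = $0; sub(/.*a=/, "", s) }
        /^Pin-Priority:/ { if (p == pkg && s == suite) print $2 }
    ' "$1"
}

# Stand-alone demo writes to a temp file so nothing under /etc is touched.
# On a real system the destination is /etc/apt/preferences; afterwards run
# `apt-get update && apt-cache policy foo` to confirm the candidate version.
demo=$(mktemp)
write_pin_prefs "$demo" foo
cat "$demo"
rm -f "$demo"
```

One caveat worth keeping in mind when pinning: the security updates published for stable do not cover the versions you pull from testing, so every package pinned this way becomes an exception you have to track yourself rather than something the stable security team fixes for you.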

  • Re:Thanks... (Score:3, Insightful)

    by yack0 ( 2832 ) <keimel@gma i l . com> on Friday July 08, 2005 @02:19PM (#13015295) Homepage
    People want predictability.

    Sign me up for 'reliability' before 'predictability'. Not only because it's easier to spell, but for my servers that are out there, I'm not planning on that many changes.

    IMHO, the stability afforded me by 'stable' is worth the occasional inconvenience of being a little behind in versions. (Or a lot behind).

    Many many many people disagree with this. That is why there are other distros.

    People were expecting it to come out sooner,

    Why?

    Who, in the Debian release process, said it would be out at a certain time? The continued party line to the question of 'when is the update going to be released' has been 'when it is ready', not 'in about X months... '. Only when it came to 'imminent release' did anyone start supplying dates.

    That said, Branden was elected, I think, in no small part due to his stated commitment to more frequent releases. It is his prerogative to push for that. I certainly would welcome more frequent releases, but not at the expense of stability.

    There are plenty of distros to choose from. I stick with Debian because of the stability it offers. Since I have had uptimes on machines that exceed the span of release dates, I really don't mind so much. But I admit that I appear to be in the minority on that sentiment.

    $.02
