Debian Struggling With Security

Masq666 wrote to mention a ZDNet article discussing difficulties Debian is having with security updates. From the article: "...Lack of manpower also appears to be adding to Debian's security woes. Michael Stone, another member of Debian's security team, expressed his frustration to the organisation's security e-mail mailing list in mid-June, saying there was no effective tracking of security problems."

Solution is obvious, move to Windows

They have a huge team focusing on security.

Re:Solution is obvious, move to Windows

They have a huge team focusing on security.

Too bad none of them work at Microsoft :(

Pick any two

Secure, Convenient, Cheap.

Pick any two.

(General rule, but it does generally follow)

Re:Pick any two

Or pick Windows and get none!

Re:Pick any two

Yep but it doesn't apply here. Debian can be secure, convenient and cheap. It could probably be more secure and less convenient but still it is generally a very secure distro... and it's certainly cheap and convenient too
The problem is not that you can't mix those three in debian particular setting, it's that the debian team seems to serverely lack redundancy. Read: one person has obligations somewhere else and the whole stable security updates process hangs !
I really hope that Debian is going to make something about it fast, and in a definitive way. I don't want to run something else than debian, really. But this is really embarassing, especially if you have production servers running sarge. And this situation ain't new, Slashdot was very slow to catch it but i read about it last week. Things haven't moved a lot since (well 1 security update was released, but some major exploits have been found in iirc at least two other packages, and nothing coming yet... Other distros had everything fixed by the end of last month)

I think Debian should clarify the issue, and call for help if it's necessary. And maybe simplify the whole debian democratic process if as it seems from the outside every decision has to go through days and days of pointless discussion.

simple solution

$ apt-get update security-officer

Problem Solved.

(Its funny. Laugh.)

there was no effective tracking of security probl

there was no effective tracking of security problems

Now that this has been published on /. it will have to be revised to "no effective tracking of security problems by the good guys".

How the mighty have fallen...

Disturbing to see how the distro that was always renowned for its reliability is now having such troubles.

I wish the debian team all the luck in the world in fixing this matter. They're in a difficult position now that they're both lagging behind (though much less so than a while back) and cannot claim unparalleled reliability.

Re:How the mighty have fallen...

It would be a hell of a lot easier if they only supported X86 architecture like all those other Distros you refer to as the ones to lag behind.

I think what they really suffer from, and I am not expert, is politics of a large system and the perception of lots of power sitting on top. I could be wrong.

Regardless of what anyone might want to say against Debian, I still believe that they are extremely good at what they do and don't get credit for it. There is no other distro out there that attempts to support as many architectures as effectively (or at all) and if Debian decided to just delete them all except X86/X86-64 then their job would be a hell of a lot easier to execute.

Re:How the mighty have fallen...

Supporting arches that span the gamet of bitness and endianness shakes out bugs and bad assumptions that can be hard to find otherwise. These fixes get pushed upstream whenever possible. So Debian is raising the water for a heck of a lot of boats. Until the great license blowup, Debian's X-Strike Force was also a major reason why XFree86 ran on so many platforms. The bit and endian issues THERE are a bitch.

It might be better in some respects if Debian were x86 only like everybody else but we would all be poorer for it.

Now If This Was Microsoft...

The tone of the story would be laden with arrogance and derision towards the "Borg", painfully unfunny and unoriginal jokes would follow, and everyone would point to Apple and Linux as the greatest and secure OSes on the planet.

But since it's not Microsoft, it's a fairly sober writeup, and Microsoft jokes would just follow a little bit later.

Funny how things work here at slashdot. no i'm not new here. I'd just figure some people would grow up sooner or later.

Re:Now If This Was Microsoft...

I'd just figure some people would grow up sooner or later.

Oh we do indeed grow up. Unfortunately Slashdot has an unending supply of new posters straight out of kindergarten who have no problems at all firmly believing in the rightness of double standards and the logic of conflicting axioms.

Re:Now If This Was Microsoft...

You've got to admit there is a fundamental difference that would also cause that change of attitudes.

Debian security guys tend to have an attitude of trying to do things right. You're talking about the same people that chose to stop everything when they were compromised last year (and that was two days before a woody revision release). It's no surprise that people think of them as a good team without the necesary resources that need help. After all, they appear to do what they can with whatever resources they've got.

Microsoft, however, is known for turning a blind eye to big problems, trusting no one will find out and trying to NDA the hell out of everyone. Considering people pay big $$$ to them, and they do play dumb more often than they should, guess what the attitude toward them would be.

MS has been doing things a little better lately, but years of treating security like they did in the '90s aren't forgotten that easily.

I like Debian, and really hope they can solve their staff shortage. I wouldn't like them to go under because of this.

Boring jobs

It isn't any suprise that the boring and the mundane tasks fall short in manpower.

This is why there needs to be more commercial involvement in FOSS, so that people who just want a day job and a paycheck can do these sorts of things.

Re:Boring jobs

I understand what you're trying to say with your sig, but when you're as smug as you seem to be, you lose the priviledge of calling somebody else on their biases.

That out of the way, capitalism is about capitalizing labour; that is, putting people together that create more value than if they worked seperately. That is the fundamental reason why we CAN sell things; we're able to capitalize labour and create things for less cost than would be born upon people if everybody created said thing individually.

Statements like your are grossly off the mark. BSD licenses, any other open source licenses that allow you to use the source but not have to open up your own, have helped many a person make money. What folks like you fail to realize is that you use the term open source as if its a catch all for anybody creating software for free. In fact, irony of ironies, the patent system was designed to FORCE your methods and secrets in the open in return for protection from the government. So who's being anticapitalist now? The very tennants of innovation in capitalism are strongly tied to having people share information. The anti-capitalist yahoo's of whom you speak simply have a much broader, more historically acturate understanding of the balance between technological progress and motivation to innovate. I'm not against selling stuff, I'm not against capitalism, I'm simply suggesting that once the fear dies down in a decade or so, and code itself becomes more commoditized, it will be in the interest of those who wanna make a shit load of money to patent software based on the source, not a description of what the thing does.

Look at early patents; its not what you can do, its HOW you do it. Its the means, not the end. Nobody could patent the generation of electricity; only METHODs for generating electriciy. I predict that at the rate of current software patent filing, litigation will become too expensive for the market versus the costs of opening up source in order to protect your invention. I guess thats ironic, given people's fear of open source licenses.

Too many packages?

It's just a random thought, but have the Debian people ever contemplated whether their problems in this regard may stem from the fact that they have too many packages? The package list [debian.org] for the latest stable lists an incredible 16834 individual packages, and even though there are many programs which come in different flavours and thus contribute as more than one package, this still is a huge number.

I can certainly see why security management gets a problem here. Maybe the Debian project should cut down on these and see just how many packages are really needed.

Re:Too many packages?

Consider a situation where a server has been set up and is running well in a company. That server has been working for several years, and while it may not have whiz-bang features, it keeps working every day just as well as it did the day before -- nothing ever breaks.

Now, if a security issue is discovered in a package running on that machine, they do not want to upgrade to the latest release because they would worry about what it changes -- they want that one issue fixed and everything else to continue the same as before. Debian Stable is designed for people like this, the joke at the end of your post was actually close to the truth -- people really do want debian stable to be stable feature wise.

Consider another situation, where somebody wants a fairly reliable and a fairly up-to-date server. When a bug is discovered, and especially security-related bugs, they'd like an updated package. On the other hand, they don't want to be sent the latest buggy software, they'd like it restricted to software that appears pretty stable. Debian Testing is designed for people like this.

It sounds from your post that you cannot imagine people preferring a quirky, somewhat old, consistant distro over one kept up to date with bug fixes. I assure you that there is a large market for the stable distro, but if you are not in that market, there are plenty of others available.

Re:Too many packages?

Well, it works for the OpenBSD people... OpenBSD is the most secure system out of the box because the box is really small, and it's hard to get it open :)

My karma is now really, really shot.

Re:Too many packages?

Is FreeBSD having the same problems, or are they handling the situation, or are they just ignoring it?

The FreeBSD base system is supported quite well, although we have had occasional manpower problems (e.g., when one member of the security team is travelling around Japan on work, one member is writing his doctoral thesis, another member is job-hunting, et cetera).

The FreeBSD ports tree is supported on a "best effort" basis -- we make no guarantees, but we do our best.

hobbyist OS?

Not to start a flamewar (well maybe a little) - OSS will need to meet the challenge of managing all of the little details of a widely acceted OS. Red Hat is grapling with that problem now with some suceess. Having what you believe to be a better widget is not enough.

Bits of News

I originally posted this on http://bitsofnews.com/ [bitsofnews.com] but decided to post it on Slashdot also. It's a bit sad though that Debian is struggling with it's security updates, Debian used to be a nice distro but i've changed to Suse myself due to the lack og updates.

Let it go Louie

Yes, Debian was *the* technically superior linux distribution for a long time. Those days are pretty much over folks. In fact, I'm surprised that the "BSD is dead" crowd doesn't have a similar mantra for Debian.

There are plenty of well-managed, technically sweet linux distributions out there. Some of them even use apt as their package manager. Let's just agree to learn from what Debian was, and move on to something better. I'll leave the holy war of what "something better" is to the rest of the zealots.

Re:Let it go Louie

Bullshit. All the technically sweet linux distributions out there which use apt are more or less resting on debian's shoulders. If you watch the security changelogs - or the regular changelogs - of ubuntu packages, you'll see that nine out of ten get made by debian, adapted to ubuntu and thrown to the ubuntu servers. Some are just renamed to "-ubuntu" and passed on. And a very few are actually maintained by ubuntu themselves.

We can't move on. Much of the linux community depends on a well-functioning debian organization. They are lacking man-power to keep their security updates as fast as the multi-employee-distributions. That doesn't mean they're technically behind, and that we have something better to move to. Although the commercial distros would love that.

parent Flamebait

Parent post is a flamebait and I wonder what moderators are smoking today.
Debian is much more than a distribution. And there is unfortunately nothing better than Debian (as in the distro) to move on to. There is a reason why many distributions are build on Debian.
Please point me to a distro that can manage version upgrades even half as gracefully as Debian.
There was a discussion about Ubuntu on Slashdot and it was argued that if Ubuntu continues to be diverge further from sid and stay incompatible it will eventually dissolve, because the team will never be able to support the huge package base.

I am a desktop Linux user that started out with Debian 2.1 Slink and I also have the feeling that Debian has had some major issues lately.

About the security issue:
Heise security published it first 10 days ago:
http://www.heise.de/newsticker/meldung/61076 [heise.de]

As a result of this a discussion on the Debian security mailing list ensued:
http://lists.debian.org/debian-security/2005/06/ms g00142.html [debian.org]

Heise Online then reported on that as a result of that discussion:
http://www.heise.de/newsticker/meldung/61125 [heise.de]

For those that can't read German the article says that of the five members that should make up the security team four are not active at the moment if they ever were. The only remain one is Martin Schulze aka Joey. He has been pretty busy with the organisation of the Linuxtag. So he was cut off from the action. Debian people are working on the problem.

Everyone that is not satiesfied with the current state of affairs should get their hand dirty helping instead of complaining. After all Debian forms the bases of "plenty of well-managed, technically sweet linux distributions out there".

Like Knoppis, Ubuntu or Xandros. Full list here:
http://www.debian.org/misc/children-distros [debian.org]

Debian alternatives?

So, if you've used Debian before and then migrated to something else, do tell. Is there anything that compares to apt-get? (no, urpmi is NOT it).

Current issues

http://newraff.debian.org/~joeyh/stable-security.h tml [debian.org] is an incomplete list of issues currently affecting stable. It's not 100% correct; in addition to the provisos at the top of the page, it doesn't seem to know about recent updates such as this morning's Gaim update [debian.org].

Is unstable possibly better?

I wonder, if unstable get's the "latest and greatest", so to speak, are there times that it gets security fixes before "stable"? The article mentions that Gentoo got a fix before Debian, presumably when it was fixed upstream. Did Debian unstable get the fix at the same time?

Ubuntu

This is at least partially because the attention that Ubuntu is getting. And rightfully so. IMHO in most situations today, especially desktop situations, an Ubuntu install is vastly preferred to a Debian install. It is the same Debian quality you are used to while simultaneously being even easier than Fedora.

I'm not saying kill Debian, everyone bail to Ubuntu. I'm saying that there is competition for manpower in the open source world. And in a capitalistic/darwinistic manner it's going to be the fittest that survive. And if another project takes your manpower away because it is better in some aspects, then that is what will happen.

I've used Debian and I've used Ubuntu. And I can say that I no longer find much reason to use Debian anymore at all. This story doesn't surprise me in the least.

Security support is ill-suited to open source

Woah! Wait a moment before you start flaming me on the basis of my subject line...

The problem of providing security support is ill-suited to being solved by the traditional "mob of volunteers" approach which describes most open source development. When you're doing development, it doesn't matter if you have five people coding one week and nobody doing any coding the next week; but when it comes to dealing with a constant stream of security issues which are being reported (in particular, from upstream vendors), it is important to guarantee that there will be someone around to deal with them. When the entire security team consists of people who have other full-time jobs, it's impossible to make sure that someone will be around when they are needed.

The job of "security officer" is really one which should be a job, not a role-played-by-a-volunteer. Go out and raise some money to pay for your security officer, so that he is able to always be available when he is needed, because if he needs to get some other job to support himself, he won't be around when you need him.

Here's why your wrong

"When the entire security team consists of people who have other full-time jobs, it's impossible to make sure that someone will be around when they are needed."

Your wrongly basing your entire arguement on the idea that OSS programmer(s)=loner(s) with other "real" jobs. That is simply not the case for many OSS projects. Commercial OSS companies like Red Hat, Suse/Novell, et al are and have been the driving force in OSS for some time now. Look at any big distro, any major software project etc and at this point chances are they are being bankrolled and supported by commercial copanies that are paying people to work on them and deal with things like security issues. And if a popular project has a security flaw that an author won't address, and distros won't fix because its not part of their distro...well you know the deal, use the source luke.

I see what your trying to say but again your arguement is flawed as "traditional" OSS development no longer means unpaid and non-commercial. I don't think that the people buying Red Hat linux and getting security support for years and years would share the same viewpoint. And I also don't think that commercial companies put more into security than OSS programmers do. History just doesn't show that.

For version .002 for widget X that isn't widely used and gets abandoned for lack of interest and now has a security issue, how is that different than in the commercial world? At least with OSS someone/anyone can fix the problem. With commercial software you literally have to stop using the software because no fix will ever come.

OSS is particulary well suited to dealing with security issues IMHO and the problems it has with security are more or less the same problems that commercial software makers face. Your floating down a well known river in Egypt if you think that in the commercial world all projects have people who are paid to soley to work on security.

Security woes?

I've always thought (because people have informed me) that Debian is the most secure distro... what went wrong?

Debian (and it's decline)

To keep such a large and sprawling project active requires huge volunteer resources, which obviously simply isn't available, no matter how much rhetoric we write here.

Maybe Debian distribution is simply being susperceded by others who do better on some of theses things, in which case, it will (must) either adapt or for face further decline.

That is a natural process of evolution. Look at some of it's wonderful spin offs, such as Umbunto (now how easy is that to get going, get it's based around Debian).

-Richard

I'm having with phrase composition.

Sorry to make yet another jab at the editors, but it needed to be done.

A lot of assumptions for a page and a half article

The article didn't go quite as in depth as I would have liked. Specifically, the Debian apt repositories have literally, and you may quote me, zillions* of packages. I'm fairly certain they have quite a few more than, say, Red Hat has binary packages in their repositories.

Therefore, it would follow that if 4% of Debian packages had security vulnerabilities that would equate to a substantially greater number of packages than would the same 4% of Red Hat packages.

The other important thing to keep in mind is that it's unlikely many users would install all zillion packages at one time.

Finally, the article implies Debian and Red Hat are in competition. However, as literate geeks will know, Debian is the OS of "Software in the Public Interest" http://www.spi-inc.org/about [spi-inc.org] which is a non-profit entity. Therefore, while one could argue that Red Hat (a for-profit enterprise) and Debian are in competition for userbase, by no means are they in direct competition for 'business'.



*Debian website says "over 15490." Which begs the question, how many more than 15490? 15491?

I kind of saw this coming...

I know I'll get flamed all over Christmas by Debian die-hards about it, but oh well.

I tried Debian for the first time as soon as Sarge 3.1 went to stable. I've tried about ten Linux distros (ranging from popular installs like Red Hat and Slackware, to live distros like Knoppix, and even floppy-based like Tom's root-boot and Hal91), and sorry to have to say it, but every other Linux I've ever worked with combined didn't give me as much trouble as Debian. The whole thing left me with an impression of fantastic disorganisation. It was just a shambles! And I might not be so quick to lay blame, but other distros manage with a handful of maintainers releasing every six months, and they get their act together better than Debian, which brags about their "hundreds of developers worldwide" and had a leisurely THREE YEARS to release the new version. I bet they're plagued with all *sorts* of problems, but at least some good Debian-based distros come from the huge package archive.

No kidding, I've fooled around with building my own system from scratch a little, (nowhere near getting a whole major title together!) but enough to gain a basic understanding for how it's done. All it really takes to make your own Linux distro is fdisk and create some partitions, set up a few folders, get a few basic components installed from source compiled on a host system, and then just download tarballs and compile from source. Any Linux distro, logically, should be even LESS trouble to get going than it would be to do-it-yourself. I vowwed on my first Debian-day to conquor the difficulties and perhaps even contribute some small fixes when I get going. By the third Debian day, I looked at the whole mess and just shook my head and zeroed the drive. My effort is much better spent writing programs to enhance *other* distros, which aren't so bad off to start with. Of course, it would also be an easier job for me!

No, I don't hate Debian. I wanted like *damn* to experience the super-cool, ultimate-Linux, uber-geek joygasm that Debian fans have been selling me. I do, however, feel sorry for Debian, and hope it perhaps gets redone right from scratch? I can conceive of no other solution for it.

Zdnet: do some fact checking next time

I think it's indicative of the quality of this zdnet article that it attributes a page I maintain to Martin Schulze. More details in my blog entry, here:

http://kitenet.net/~joey/blog/entry/secfud-2005-07 -06-11-28.html [kitenet.net]

Re:I ditched debian over the weekend

Switch to Solaris 10. Even in the very unlikley event you hose your system, just reboot from your last "live upgrade" partition and your back into production.

Re:The most secure option

but if that is not possible, why not fly to the middle of the sahara with a laptop, solar panel and gear, and just do your buisness there. No worry about hackers, or physical attacks.

How is this even relevant to an article about the difficulties the Debian people are having with their security approach? Not only is what you suggest off-topic, but it is ridiculous. Most companies are interested in still having useful computers while keeping a sane security model.

Personally, I have noticed that as distributions get larger, they also get harder to maintain and more difficult to change, as more people are required for the basic maintenance of the software. On the other hand, more compact Linux/BSD distributions are often known for their security and stability (OpenBSD, Slackware, NetBSD). I hope that the Debian people can get the distro back on track and manageable again.

Re:The most secure option

Actually, being American on Sahara (and whole muslim-dominated north Africa) makes you pretty prone to physical attacks :).

your not only a coward, but an..

asshat as well.

if linux users got what they paid for, they'd get nothing, you.. you..you bill hates follower.

I'd rather pay nothing, take that money and either put it towards a hardware router for security (just plug it in).. or save that money for something else fun..and set up a linux software firewall/router (easy, just point&click).

If people didn't have windoz forced on them when they buy in major oulets, they would get used to linux quicker.

at least with linux, when you put the effort into fixing it the way you want (note: linux at least has that option!), then we have a functional & hardened box.

I hope I didn't use tooo many big words there, mr coward :)

Re:It seems as if

i am not suprised. not supirised at all

Re:welp..

It's not like walking up to some stranger on the street and asking for uninterrupted charity work. It's more like mounting a sign in every computer store asking "Got any code kicking around you're not selling? Chuck it our way, would you? No utility too obscure."

It is what it is, and while its character is not that of commercially developed software, progress does continue to be made.

Why is the parent a troll?

I ditched Debian for the same reason.
Pick one:

Stable---Totally out of date, useless for a desktop IMHO.

Testing---STILL pretty out of date, but varies. Probably OK for a desktop, but a good number of packages (to be current for builds) requires...

Unstable. Usually current, MANY broken packages, but NOWHERE near as "stable" as say ....

Mandrake//Mandriva Cooker, which sort of amazed me when it didn't crater... (It never borked on an upgrade while I used it ~6 months)