Debian Struggling With Security
Masq666 wrote to mention a ZDNet article discussing difficulties Debian is having with security updates. From the article: "...Lack of manpower also appears to be adding to Debian's security woes. Michael Stone, another member of Debian's security team, expressed his frustration to the organisation's security e-mail mailing list in mid-June, saying there was no effective tracking of security problems."
Current issues (Score:3, Informative)
Re:Debian alternatives? (Score:1, Informative)
Re:Too many packages? (Score:3, Informative)
Redhat supports x86, x86_64, i64 and some power and zSeries stuff. Compared to that Debian supports Alpha, ARM, HP PA-RISC, Intel x86, Intel IA-64, Motorola 680x0, MIPS, MIPS (DEC), PowerPC, IBM S/390, SPARC. It also has the outrageously silly policy of trying to release updates for all of them at the same time.
Frankly, all the "problematic" architectures for which there are build problems are "security through obscurity" by themselves. If an update for them is delayed by up to 2 weeks it is usually a "Who cares, only two living people know how to write an exploit for this platform anyway".
Re:Debian alternatives? (Score:3, Informative)
For example, Debian currently lets me choose between "openssh-client" version 4.1p1-4, or "ssh-krb5" version 3.8.1p1-8; I have to pick between a recent version or Kerberos support.
I still like Debian and its derivatives, but I decided that it imposed constraints that I was not personally willing to work under.
Don't even get me started on the unavailability of X.org and KDE 3.4. Although there's nothing about source-based system that makes them inherently more up-to-date, it seems like the big names (FreeBSD and Gentoo) seem to do a better job of it than the binary distros have been able to manage. Perhaps there's something to be said for supporting a relatively small number of hardware platforms. Gentoo even supports platform-specific versioning, so x86 users can play with the latest and greatest apps, even if they don't build on m68k.
To each his own, of course. Those are the reasons I made my decision, but I'm sure they're far from universal.
*BSD. (Score:3, Informative)
All of the BSDs currently have excellent package-management systems that can elegantly handle both binary and source packages. pkgsrc in particular is a really nice system---further, it has the advantage of not being tied to one OS. Although it is developed primarily for NetBSD [netbsd.org], it can be used from any of the other BSDs, Linux, several Unices, and even Windows (with Interix, i.e. Windows Services for Unix [microsoft.com]).
In fact, it's definitely worth checking NetBSD out; the 2.x line has been really interesting, and development is continuing to move forward at a rapid pace. If you're on a single-processor system, it's arguably one of the best-performing OSes available at the moment, and it in general will work. Add that to the fact that you could probably port it to your toaster if you were dedicated enough, and it's worth giving serious consideration to as an alternative to Debian, or indeed anything else.
Re:Is unstable possibly better? (Score:2, Informative)
Of course, unstable is what it says. You get new features, different behavior and even broken software all the time. Not a very good thing in a production environment. And right now there are some major changes going on in unstable (C++ ABI and Xorg transition) and I would be extremely cautious using it. But if the release of Etch takes as long as Sarge, unstable will be the way to go again in 2007 at the latest.
Re:Close: Switch to OS X (Score:3, Informative)
1. More secure? Not true. All Operating Systems have problems; closed source Operating Systems have more problems than others because there are fewer people viewing and fixing the bugs and other problems. An Operating System's security depends greatly on the configuration and administration, not on whether it is created or modified by a certain company.
2. Not true either. Speed depends on configuration and administration. Macs are tuned for certain things, whereas Linux can be tuned in any configuration you so desire.
3. More advanced or aged only because it is running a version of FreeBSD which is so close to linux how can you call it anything but *NIX?
4. Built for idiots who would rather the computer maintain control. I, on the other hand, like to control my computer.
5. Linux is backed by many successful companies such as IBM, Novell, Redhat, etc., etc as well as a world of seasoned programmers.
6. See above. Open source programming does not mean amateurs. Most of the open source programmers are seasoned vets that work full time for large companies.
7. Most of OS X is open source because it is FreeBSD. Note the "Free" part of that. (see http://www.freebsd.org/copyright/copyright.html [freebsd.org])
If the list goes on I would like to see it because this preliminary list is bogus.
Re:Too many packages? (Score:5, Informative)
The FreeBSD base system is supported quite well, although we have had occasional manpower problems (e.g., when one member of the security team is travelling around Japan on work, one member is writing his doctoral thesis, another member is job-hunting, et cetera).
The FreeBSD ports tree is supported on a "best effort" basis -- we make no guarantees, but we do our best.
Re:Is unstable possibly better? (Score:2, Informative)
Regarding whether Unstable got a fix at the same time as Gentoo, that depends on whether or not the package maintainer is following the source as closely as Gentoo. In theory, there should be no difference.
Re:Too many packages? (Score:3, Informative)
It is outrageously silly.
Ever tried to write shellcode for Alpha? It was even thought to be impossible for more than 5 years until someone published a way to do some limited borderline cases in 2000.
Ever tried to write shellcode for 680xx? Same as above, even harder due to the protection model vagaries.
Basically these arches use a different protection model and instruction encoding from x86. Both of these make writing shellcode nearly impossible.
So on, so forth.
Re:Solution is obvious, move to Windows (Score:1, Informative)
Take this and add some server problems since the Debian update and you see where's the problem.
Zdnet: do some fact checking next time (Score:4, Informative)
http://kitenet.net/~joey/blog/entry/secfud-2005-0