Debian Struggling With Security

Masq666 wrote to mention a ZDNet article discussing difficulties Debian is having with security updates. From the article: "...Lack of manpower also appears to be adding to Debian's security woes. Michael Stone, another member of Debian's security team, expressed his frustration to the organisation's security e-mail mailing list in mid-June, saying there was no effective tracking of security problems."
  • Current issues (Score:3, Informative)

    by cortana ( 588495 ) <sam@[ ]ots.org.uk ['rob' in gap]> on Tuesday July 05, 2005 @06:00PM (#12989213) Homepage
http://newraff.debian.org/~joeyh/stable-security.html [debian.org] is an incomplete list of issues currently affecting stable. It's not 100% correct; in addition to the provisos at the top of the page, it doesn't seem to know about recent updates such as this morning's Gaim update [debian.org].
  • by Anonymous Coward on Tuesday July 05, 2005 @06:02PM (#12989229)
    I tried Fedora with yum and it was surprisingly good. However, Ubuntu and apt-get has been great and that's what I've been using lately.
  • by arivanov ( 12034 ) on Tuesday July 05, 2005 @06:12PM (#12989294) Homepage
    That is not the problem. Problem is elsewhere.

    Redhat supports x86, x86_64, i64 and some power and zSeries stuff. Compared to that Debian supports Alpha, ARM, HP PA-RISC, Intel x86, Intel IA-64, Motorola 680x0, MIPS, MIPS (DEC), PowerPC, IBM S/390, SPARC. It also has the outrageously silly policy of trying to release updates for all of them at the same time.

    Frankly, all the "problematic" architectures for which there are build problems are "security through obscurity" by themselves. If an update for them is delayed by up to 2 weeks it is usually a "Who cares, only two living people know how to write an exploit for this platform anyway".
  • by Just Some Guy ( 3352 ) <kirk+slashdot@strauser.com> on Tuesday July 05, 2005 @06:28PM (#12989447) Homepage Journal
    I'm also in the moved-to-Gentoo camp, although I also use FreeBSD in a lot of places (including several desktops). I guess I like the extra configurability of source-based systems over binary Linux distros.

    For example, Debian currently lets me choose between "openssh-client" version 4.1p1-4, or "ssh-krb5" version 3.8.1p1-8; I have to pick between a recent version or Kerberos support.

    I still like Debian and its derivatives, but I decided that it imposed constraints that I was not personally willing to work under.

Don't even get me started on the unavailability of X.org and KDE 3.4. Although there's nothing about source-based systems that makes them inherently more up-to-date, it seems like the big names (FreeBSD and Gentoo) do a better job of it than the binary distros have been able to manage. Perhaps there's something to be said for supporting a relatively small number of hardware platforms. Gentoo even supports platform-specific versioning, so x86 users can play with the latest and greatest apps, even if they don't build on m68k.

    To each his own, of course. Those are the reasons I made my decision, but I'm sure they're far from universal.

  • *BSD. (Score:3, Informative)

    by MrDomino ( 799876 ) <mrdominoNO@SPAMgmail.com> on Tuesday July 05, 2005 @06:39PM (#12989536) Homepage

All of the BSDs currently have excellent package-management systems that can elegantly handle both binary and source packages. pkgsrc in particular is a really nice system; further, it has the advantage of not being tied to one OS. Although it is developed primarily for NetBSD [netbsd.org], it can be used from any of the other BSDs, Linux, several Unices, and even Windows (with Interix, i.e. Windows Services for Unix [microsoft.com]).

    In fact, it's definitely worth checking NetBSD out; the 2.x line has been really interesting, and development is continuing to move forward at a rapid pace. If you're on a single-processor system, it's arguably one of the best-performing OSes available at the moment, and it in general will work. Add that to the fact that you could probably port it to your toaster if you were dedicated enough, and it's worth giving serious consideration to as an alternative to Debian, or indeed anything else.

  • by kaarlov ( 259057 ) on Tuesday July 05, 2005 @06:43PM (#12989564)
I don't know about recent issues, but for the last year or even two years of Woody being the stable version, there were many security problems in Woody which were resolved very slowly or not at all, while unstable was usually fixed in reasonable time.

Of course, unstable is what it says. You get new features, different behavior and even broken software all the time. Not a very good thing in a production environment. And right now there are some major changes going on in unstable (C++ ABI and Xorg transition) and I would be extremely cautious using it. But if the release of Etch takes as long as Sarge, unstable will be the way to go again in 2007 at the latest.
  • by cwalker ( 317934 ) on Tuesday July 05, 2005 @06:48PM (#12989601) Homepage
    I thought that this sub-thread was so stupid that it was not worthy of a response but this list of incredible flaws in Linux that are supposedly fixed in OS X or Windows is so ridiculous, I just had to respond.
1. More secure? Not true. All Operating Systems have problems; closed-source Operating Systems have more problems than others because there are fewer people viewing and fixing the bugs and other problems. An Operating System's security depends greatly on the configuration and administration, not on whether it is created or modified by a certain company.
2. Not true either. Speed depends on configuration and administration. Macs are tuned for certain things, where Linux can be tuned in any configuration you so desire.
3. More advanced or aged only because it is running a version of FreeBSD, which is so close to Linux how can you call it anything but *NIX?
4. Built for idiots who would rather the computer maintain control. I, on the other hand, like to control my computer.
    5. Linux is backed by many successful companies such as IBM, Novell, Redhat, etc., etc as well as a world of seasoned programmers.
    6. See above. Open source programming does not mean amateurs. Most of the open source programmers are seasoned vets that work full time for large companies.
7. Most of OS X is open source because it is FreeBSD. Note the "Free" part of that. (see http://www.freebsd.org/copyright/copyright.html [freebsd.org])
    7. (you probably meant 8 right?) See above statements. OS X is mostly FreeBSD which means they do not own the code. The GUI, they own, but so what. The kernel is still UNIX!

    If the list goes on I would like to see it because this preliminary list is bogus.
  • by cperciva ( 102828 ) on Tuesday July 05, 2005 @07:43PM (#12989898) Homepage
    Is FreeBSD having the same problems, or are they handling the situation, or are they just ignoring it?

    The FreeBSD base system is supported quite well, although we have had occasional manpower problems (e.g., when one member of the security team is travelling around Japan on work, one member is writing his doctoral thesis, another member is job-hunting, et cetera).

    The FreeBSD ports tree is supported on a "best effort" basis -- we make no guarantees, but we do our best.
  • by poopdeville ( 841677 ) on Tuesday July 05, 2005 @09:01PM (#12990352)
    Yes, there are times when Unstable gets fixed faster than Stable. The way the whole Stable/Testing/Unstable thing works is that a package maintainer submits a package to Debian. It is placed in unstable. If it survives two weeks there, it is moved to testing. Eventually, there is a freeze and all of testing becomes stable. Now, if a bug is found in a testing package, a new package is submitted to Debian to replace it. So it ends up in Unstable for two weeks. Packages can be fast tracked from Unstable to Testing if the issue is severe.

    Regarding whether Unstable got a fix at the same time as Gentoo, that depends on whether or not the package maintainer is following the source as closely as Gentoo. In theory, there should be no difference.
  • by arivanov ( 12034 ) on Wednesday July 06, 2005 @02:42AM (#12991901) Homepage
    Nope.

    It is outrageously silly.

Ever tried to write shellcode for Alpha? It was even thought to be impossible for more than 5 years until someone published a way to do some limited borderline cases in 2000.

    Ever tried to write shellcode for 680xx? Same as above, even harder due to the protection model vagaries.

    Basically these arches use a different protection model and instruction encoding from x86. Both of these make writing shellcode nearly impossible.

So on, so forth.
  • by Anonymous Coward on Wednesday July 06, 2005 @05:14AM (#12992407)
Actually, in the center of this team, authorized to make decisions, are only 7 people. Only 1 of these 7, Martin "Joe" Schulze, is actually active. The other 6 seemingly retired from their job, failing to arrange for somebody to replace them in the security team.

Take this and add some server problems since the Debian update and you see where the problem is.
  • by joey ( 315 ) <joey@kitenet.net> on Wednesday July 06, 2005 @07:32AM (#12992824) Homepage
    I think it's indicative of the quality of this zdnet article that it attributes a page I maintain to Martin Schulze. More details in my blog entry, here:

http://kitenet.net/~joey/blog/entry/secfud-2005-07-06-11-28.html [kitenet.net]