Debian Struggling With Security
Masq666 wrote to mention a ZDNet article discussing difficulties Debian is having with security updates. From the article: "...Lack of manpower also appears to be adding to Debian's security woes. Michael Stone, another member of Debian's security team, expressed his frustration to the organisation's security e-mail mailing list in mid-June, saying there was no effective tracking of security problems."
Pick any two (Score:5, Insightful)
Pick any two.
(General rule, but it does generally follow)
How the mighty have fallen... (Score:4, Insightful)
I wish the debian team all the luck in the world in fixing this matter. They're in a difficult position now that they're both lagging behind (though much less so than a while back) and cannot claim unparalleled reliability.
Now If This Was Microsoft... (Score:3, Insightful)
But since it's not Microsoft, it's a fairly sober writeup, and Microsoft jokes would just follow a little bit later.
Funny how things work here at slashdot. no i'm not new here. I'd just figure some people would grow up sooner or later.
Boring jobs (Score:4, Insightful)
It isn't any surprise that the boring and the mundane tasks fall short in manpower.
This is why there needs to be more commercial involvement in FOSS, so that people who just want a day job and a paycheck can do these sorts of things.
hobbyist OS? (Score:2, Insightful)
Let it go Louie (Score:1, Insightful)
There are plenty of well-managed, technically sweet linux distributions out there. Some of them even use apt as their package manager. Let's just agree to learn from what Debian was, and move on to something better. I'll leave the holy war of what "something better" is to the rest of the zealots.
Re:Too many packages? (Score:3, Insightful)
Re:Too many packages? (Score:1, Insightful)
That's NOT to say the "contrib" packages would be insecure, just that all responsibility for security of the package and its interactions with other packages would be up to the packager and packager user community.
Re:How the mighty have fallen... (Score:3, Insightful)
I think this is probably part of the problem... too many people are wishing them luck and not enough people are actually doing anything to address the problem.
Re:Too many packages? (Score:3, Insightful)
It is certainly the case that many upstream maintainers really don't care about old versions of their software (and if different distros are using different old versions, so much the worse). The problem is if it is something that other packages depend on and you end up in a hell of many twisty interfaces, all different.
I wouldn't support packages in stable that cannot guarantee to keep their interfaces stable for a reasonable period. They could be available as addons with no guarantees of security fixes.
I think the situation is a bit better than it was as interfaces in things like gnome stabilise and people work out how to manage very big very distributed projects like that.
Re:Now If This Was Microsoft... (Score:4, Insightful)
Oh we do indeed grow up. Unfortunately Slashdot has an unending supply of new posters straight out of kindergarten who have no problems at all firmly believing in the rightness of double standards and the logic of conflicting axioms.
Security support is ill-suited to open source (Score:5, Insightful)
The problem of providing security support is ill-suited to being solved by the traditional "mob of volunteers" approach which describes most open source development. When you're doing development, it doesn't matter if you have five people coding one week and nobody doing any coding the next week; but when it comes to dealing with a constant stream of security issues which are being reported (in particular, from upstream vendors), it is important to guarantee that there will be someone around to deal with them. When the entire security team consists of people who have other full-time jobs, it's impossible to make sure that someone will be around when they are needed.
The job of "security officer" is really one which should be a job, not a role-played-by-a-volunteer. Go out and raise some money to pay for your security officer, so that he is able to always be available when he is needed, because if he needs to get some other job to support himself, he won't be around when you need him.
Re:Too many packages? (Score:4, Insightful)
Now, if a security issue is discovered in a package running on that machine, they do not want to upgrade to the latest release because they would worry about what it changes -- they want that one issue fixed and everything else to continue the same as before. Debian Stable is designed for people like this, the joke at the end of your post was actually close to the truth -- people really do want debian stable to be stable feature wise.
Consider another situation, where somebody wants a fairly reliable and a fairly up-to-date server. When a bug is discovered, and especially security-related bugs, they'd like an updated package. On the other hand, they don't want to be sent the latest buggy software, they'd like it restricted to software that appears pretty stable. Debian Testing is designed for people like this.
It sounds from your post that you cannot imagine people preferring a quirky, somewhat old, consistent distro over one kept up to date with bug fixes. I assure you that there is a large market for the stable distro, but if you are not in that market, there are plenty of others available.
Re:Boring jobs (Score:4, Insightful)
That out of the way, capitalism is about capitalizing labour; that is, putting people together that create more value than if they worked separately. That is the fundamental reason why we CAN sell things; we're able to capitalize labour and create things for less cost than would be borne upon people if everybody created said thing individually.
Statements like yours are grossly off the mark. BSD licenses, and any other open source licenses that allow you to use the source but not have to open up your own, have helped many a person make money. What folks like you fail to realize is that you use the term open source as if it's a catch-all for anybody creating software for free. In fact, irony of ironies, the patent system was designed to FORCE your methods and secrets into the open in return for protection from the government. So who's being anticapitalist now? The very tenets of innovation in capitalism are strongly tied to having people share information. The anti-capitalist yahoos of whom you speak simply have a much broader, more historically accurate understanding of the balance between technological progress and motivation to innovate. I'm not against selling stuff, I'm not against capitalism, I'm simply suggesting that once the fear dies down in a decade or so, and code itself becomes more commoditized, it will be in the interest of those who wanna make a shit load of money to patent software based on the source, not a description of what the thing does.
Look at early patents; it's not what you can do, it's HOW you do it. It's the means, not the end. Nobody could patent the generation of electricity; only METHODS for generating electricity. I predict that at the rate of current software patent filing, litigation will become too expensive for the market versus the costs of opening up source in order to protect your invention. I guess that's ironic, given people's fear of open source licenses.
Re:Ubuntu (Score:1, Insightful)
Re:Let it go Louie (Score:5, Insightful)
Bullshit. All the technically sweet linux distributions out there which use apt are more or less resting on debian's shoulders. If you watch the security changelogs - or the regular changelogs - of ubuntu packages, you'll see that nine out of ten get made by debian, adapted to ubuntu and thrown to the ubuntu servers. Some are just renamed to "-ubuntu" and passed on. And a very few are actually maintained by ubuntu themselves.
We can't move on. Much of the linux community depends on a well-functioning debian organization. They are lacking man-power to keep their security updates as fast as the multi-employee-distributions. That doesn't mean they're technically behind, and that we have something better to move to. Although the commercial distros would love that.
Re:How the mighty have fallen... (Score:5, Insightful)
It would be a hell of a lot easier if they only supported X86 architecture like all those other Distros you refer to as the ones to lag behind.
I think what they really suffer from, and I am not expert, is politics of a large system and the perception of lots of power sitting on top. I could be wrong.
Regardless of what anyone might want to say against Debian, I still believe that they are extremely good at what they do and don't get credit for it. There is no other distro out there that attempts to support as many architectures as effectively (or at all) and if Debian decided to just delete them all except X86/X86-64 then their job would be a hell of a lot easier to execute.
you're not only a coward, but an.. (Score:2, Insightful)
asshat as well.
if linux users got what they paid for, they'd get nothing, you.. you..you bill hates follower.
I'd rather pay nothing, take that money and either put it towards a hardware router for security (just plug it in).. or save that money for something else fun..and set up a linux software firewall/router (easy, just point&click).
If people didn't have windoz forced on them when they buy in major outlets, they would get used to linux quicker.
at least with linux, when you put the effort into fixing it the way you want (note: linux at least has that option!), then we have a functional & hardened box.
I hope I didn't use tooo many big words there, mr coward :)
A lot of assumptions for a page and a half article (Score:4, Insightful)
Therefore, it would follow that if 4% of Debian packages had security vulnerabilities that would equate to a substantially greater number of packages than would the same 4% of Red Hat packages.
The other important thing to keep in mind is that it's unlikely many users would install all zillion packages at one time.
Finally, the article implies Debian and Red Hat are in competition. However, as literate geeks will know, Debian is the OS of "Software in the Public Interest" http://www.spi-inc.org/about [spi-inc.org] which is a non-profit entity. Therefore, while one could argue that Red Hat (a for-profit enterprise) and Debian are in competition for userbase, by no means are they in direct competition for 'business'.
*Debian website says "over 15490." Which begs the question, how many more than 15490? 15491?
Re:Now If This Was Microsoft... (Score:5, Insightful)
Debian security guys tend to have an attitude of trying to do things right. You're talking about the same people that chose to stop everything when they were compromised last year (and that was two days before a woody revision release). It's no surprise that people think of them as a good team without the necessary resources that needs help. After all, they appear to do what they can with whatever resources they've got.
Microsoft, however, is known for turning a blind eye to big problems, trusting no one will find out and trying to NDA the hell out of everyone. Considering people pay big $$$ to them, and they do play dumb more often than they should, guess what the attitude toward them would be.
MS has been doing things a little better lately, but years of treating security like they did in the '90s aren't forgotten that easily.
I like Debian, and really hope they can solve their staff shortage. I wouldn't like them to go under because of this.
Re:Too many packages? (Score:3, Insightful)
I think that's precisely it.
I just left a job where all the Linux machines were running Debian Stable [Woody], unless there was a specific requirement for something else (e.g. a commercial application that wouldn't run reliably on anything but RHEL).
Everything was buggy as hell, but the admins were okay with this, because it was "stable". Desktop applications had thoroughly well documented bugs or feature omissions that had been corrected upstream years ago, but if it wasn't available in stable (or maybe in backports.org [backports.org]), then an upgrade was strictly out of the question.
Therefore, I was constantly explaining to new people why CUPS crashed all the time, or why getting Gaim to connect to the Jabber server was such a convoluted process, or why we couldn't run Thunderbird or Firefox because the standard builds required a newer version of libc than what was locally available. Etc. Ad nauseam.
The logic for Debian stable comes really close to making sense, without ever quite working. You should be able to install the current Debian stable on a system, deploy it, and aside from occasional security patches, it'll always maintain the same state it was in the day you deployed it.... warts and all. And that's the catch -- there's lots of grimy old warts in a lot of the packages that had upstream fixes months or even years ago, but none of this is available to you unless you're willing to [a] build your own packages (and forego the wonder that is apt-get), or [b] upgrade to Testing or Unstable (and abandon the promise of stability & consistency, which isn't without merit).
Debian Stable is a great idea. It's disappointing that the reality of living with Debian doesn't live up to the naive promise of that idea. I can see where it's just the thing for a server that you want to set up and then ignore for a nice, long, mostly reliable decade, but for anything that you plan to put on your desk and have to cope with from day to day, it's just painful to live with.
Re:Close: Switch to OS X (Score:3, Insightful)
No, not really. The kernel is Apple's own creation (Xnu, I think they call it, but I'm not positive on that). As I recall, it's a Mach-derived kernel. The user-space is all FreeBSD-based, but the core microkernel is not.
And Apple owns more than just the GUI. They own the APIs, too. You know, CoreFoundation, Cocoa, Carbon, all those fancy things that allow Mac developers to quickly and easily make all those wonderful programs.
Mac OS X is far, far more than simply FreeBSD with a proprietary window server...
Re:How the mighty have fallen... (Score:5, Insightful)
It might be better in some respects if Debian were x86 only like everybody else but we would all be poorer for it.
parent Flamebait (Score:4, Insightful)
Debian is much more than a distribution. And there is unfortunately nothing better than Debian (as in the distro) to move on to. There is a reason why many distributions are built on Debian.
Please point me to a distro that can manage version upgrades even half as gracefully as Debian.
There was a discussion about Ubuntu on Slashdot and it was argued that if Ubuntu continues to diverge further from sid and stay incompatible it will eventually dissolve, because the team will never be able to support the huge package base.
I am a desktop Linux user that started out with Debian 2.1 Slink and I also have the feeling that Debian has had some major issues lately.
About the security issue:
Heise security published it first 10 days ago:
http://www.heise.de/newsticker/meldung/61076 [heise.de]
As a result of this a discussion on the Debian security mailing list ensued:
http://lists.debian.org/debian-security/2005/06/m
Heise Online then reported on that as a result of that discussion:
http://www.heise.de/newsticker/meldung/61125 [heise.de]
For those that can't read German, the article says that of the five members that should make up the security team, four are not active at the moment, if they ever were. The only remaining one is Martin Schulze aka Joey. He has been pretty busy with the organisation of the Linuxtag. So he was cut off from the action. Debian people are working on the problem.
Everyone that is not satisfied with the current state of affairs should get their hands dirty helping instead of complaining. After all, Debian forms the basis of "plenty of well-managed, technically sweet linux distributions out there".
Like Knoppix, Ubuntu or Xandros. Full list here:
http://www.debian.org/misc/children-distros [debian.org]
Here's why you're wrong (Score:5, Insightful)
You're wrongly basing your entire argument on the idea that OSS programmer(s)=loner(s) with other "real" jobs. That is simply not the case for many OSS projects. Commercial OSS companies like Red Hat, Suse/Novell, et al are and have been the driving force in OSS for some time now. Look at any big distro, any major software project etc and at this point chances are they are being bankrolled and supported by commercial companies that are paying people to work on them and deal with things like security issues. And if a popular project has a security flaw that an author won't address, and distros won't fix because it's not part of their distro...well you know the deal, use the source luke.
I see what you're trying to say but again your argument is flawed as "traditional" OSS development no longer means unpaid and non-commercial. I don't think that the people buying Red Hat linux and getting security support for years and years would share the same viewpoint. And I also don't think that commercial companies put more into security than OSS programmers do. History just doesn't show that.
For version
OSS is particularly well suited to dealing with security issues IMHO and the problems it has with security are more or less the same problems that commercial software makers face. You're floating down a well known river in Egypt if you think that in the commercial world all projects have people who are paid solely to work on security.
Re:Close: Switch to OS X (Score:3, Insightful)
The lead post is titled "Debian Struggling With Security," in part because the Debian team is short-handed.
There are 200 or so Linux distros. But Open Source doesn't magically endow you with the organization, money and manpower needed to maintain any one of them.
4. Built for idiots that would rather the computer maintain control. I, on the other hand, like to control my computer.
George Eastman had a slogan: "You click the button, we do the rest." Once a technology becomes accessible to the masses, the hobbyist and his obsessions are driven to the margins. Calling your opponents idiots doesn't change a damn thing.