
Debian Refuses To Push Timezone Update For NZ DST

Posted by kdawson
from the does-anyone-really-know-what-time-it-is dept.
Jasper Bryant-Greene writes "Although a tzdata release that includes New Zealand's recent DST changes (2007f) has been out for some time, Debian are refusing to push the update from testing into the current stable distribution, codenamed Etch, on the basis that 'it's not a security bug.' This means that unless New Zealand sysadmins install the package manually, pull the package from testing, or alter the timezone to 'GMT-13' manually, all systems running Debian Etch in New Zealand currently have the incorrect time, as DST went into effect this morning. As one of the last comments in the bug report says, 'even Microsoft are not this silly.' The final comment (at this writing), from madcoder, says 'The package sits in volatile for months. Please take your troll elsewhere.'"
This discussion has been archived. No new comments can be posted.

  • by DrXym (126579) on Sunday September 30, 2007 @07:02AM (#20800369)
    Assuming there are, or even the possibility that one could be crafted, it seems quite justifiable to call this a security fix. And aside from that, it's just dumb not to include it.
  • by Anonymous Coward on Sunday September 30, 2007 @07:04AM (#20800379)
    They've taken a perfectly good distribution and absolutely destroyed its reputation thanks to their management's ineptitude.
  • by Anonymous Coward on Sunday September 30, 2007 @07:04AM (#20800383)
    Some systems may rely on the "wrong" timezone for their continued operation, so if it is indeed not a security update, and the policy for automatic updates is "security only", then not pushing the update is correct. If you need the timezone update, get it. It's not like they hide it from you.
  • by FudRucker (866063) on Sunday September 30, 2007 @07:05AM (#20800393)
    I would imagine anyone in New Zealand smart enough to install Debian is also smart enough to fix this manually...
  • by Anonymous Coward on Sunday September 30, 2007 @07:09AM (#20800411)
    In my opinion, Debian did the right thing here.

    This update is not security-related, so has no business being in the security update section. That's perfectly OK - Debian's security updates are completely safe to apply 99% of the time, because they do not change functionality. They only fix security bugs. Unlike Microsoft, Debian are not in the practice of shipping automatic updates that change functionality.

    The update has been posted to the volatile repository, which is intended for things that change frequently, like timezone data. It can be installed from there right now - any of these people complaining could have simply installed the patch at any time over the past several months. The update has also been pushed to the updates repository, for inclusion in the next point release of Etch.

    I don't see the problem here.
  • by Anonymous Coward on Sunday September 30, 2007 @07:09AM (#20800415)
    ..you can bet it would have been pushed through.
  • by Dr. Evil (3501) on Sunday September 30, 2007 @07:11AM (#20800425)

    Anyone who does business with New Zealand might not be aware of the change and the need to update their systems.

    E.g. sites hosting NZ content outside of NZ, or even banks doing business with customers in NZ.

    The change impacts the world and should be applied to all systems.

  • by Anonymous Coward on Sunday September 30, 2007 @07:12AM (#20800429)
    There may be, but this is just the time-zone. It doesn't change the UTC time.
  • by babbling (952366) on Sunday September 30, 2007 @07:19AM (#20800457)
    Debian have promised their users that only security updates will be rolled out and that they will not release any updates that change the normal behavior of programs. They do this because Debian gets run on lots of mission-critical servers where they don't want a program changing its behavior via an "update".

    Rolling clocks forward by two hours is a pretty huge change in behavior for some servers, and there isn't much of a security risk in not rolling out the update automatically, so they're not going to.

    They're doing the right thing.
  • latest is 2007g (Score:1, Insightful)

    by Anonymous Coward on Sunday September 30, 2007 @07:19AM (#20800461)
    Note that even 2007g has been out since August this year, including timezone updates for Egypt and Australia.
  • by foxxer (630632) on Sunday September 30, 2007 @07:25AM (#20800479)
    All hail debian policy! It is the one true path! All who fail to see its beauty are blinded by the devil! I dropped debian for my home machines and work systems a long time ago. Ubuntu rocks me. It's everything good about debian (apt-get) without everything bad (debian policy, debian usability).
  • I don't think the correct time is a bleeding edge feature is it?
  • by b0s0z0ku (752509) on Sunday September 30, 2007 @07:41AM (#20800543)
    Abolish DST! It was silly in the early 1900s when the majority of workers worked in factories, mills, or on farms. It's sillier in 2007. Get rid of that stupidity once and for all.
  • by TW Atwater (1145245) on Sunday September 30, 2007 @07:44AM (#20800565)
    ...is daylight savings time.
  • WTF (Score:2, Insightful)

    by fmaresca (739871) on Sunday September 30, 2007 @07:46AM (#20800579)
    this article is about? It's about a sysadmin who's blaming Debian for not doing her job?
    As it's clearly pointed out in the bug report, this package:
    1) Does not have a security bug, so does not belong in security-updates.
    2) Was in volatile for a long time.
    3) Is scheduled for the next release of etch.

    debian-volatile is a repository for this type of package (such as virus lists, tzdata, et al.) that has information/data changes/updates often. If your time zone has changed or is about to change, it's your responsibility as a sysadmin to upgrade the packages, not Debian's. There was not a bug in tzdata.

    Debian is one of the best distros out there, please contribute to make it even better by filing bug reports, but please take a minute to think about what you are doing, and read carefully the developers'/maintainers' posts or replies, because most of the time they're right.
  • by Anonymous Coward on Sunday September 30, 2007 @07:49AM (#20800597)
    Think of banks that calculate interest rates based on the account balance on midnight. If you have two banks and one of those is run under an unpatched Debian system, you can get twice the interest rate by transferring money back and forth between the banks at the right times.
  • by KiloByte (825081) on Sunday September 30, 2007 @07:50AM (#20800605)

    "dropped debian for my home machines and work systems a long time ago. Ubuntu rocks me. It's everything good about debian (apt-get) without everything bad (debian policy, debian usability)."

    Stability-wise:
    debian/stable > debian/testing > debian/unstable > ubuntu/released > debian/experimental > ubuntu/unreleased

    Thus, for a home desktop which can break most of the time and where you want the bling, you can afford to run Ubuntu.

    I do run Beryl at home, even though it breaks a lot. Beryl, not the new versions of Compiz which after all those months after merge are still a regression, both stability and usability wise. Yet, I wouldn't let it anywhere near a system which shouldn't break. Well, many people actually run Windows in places where stability matters, but I digress. And Ubuntu made Compiz the default...
  • by Anonymous Coward on Sunday September 30, 2007 @08:11AM (#20800745)
    I understand the reasoning behind putting it in volatile, but why not enable volatile by default during installation? The individuals who need to disable it will know how. And, most importantly, the individuals who don't have a clue how to enable it (most likely desktop users) will not have to worry about it. Remember, Debian aims to make their OS usable for everyone (a lofty goal but it is the project's goal nonetheless). However, it is not necessarily a requirement of that goal to force users to become masters of Debian's inner workings. Enabling volatile by default would lower the bar, albeit slightly, for part of the user base that Debian is chasing.
  • by b0s0z0ku (752509) on Sunday September 30, 2007 @08:21AM (#20800797)
    Therefore it is obvious that the sane thing to do is spend less instead of dealing with this stuff as if it was a simple cash flow problem.

    The same thing can be accomplished by shifting working/school hours as by fucking with what should be a constant frame of reference. Besides, if you want to save energy, there are better things to mandate -- CFL usage, tax all cars that make less than 30 mpg average at 100%, etc ...

    -b.

  • by Anonymous Coward on Sunday September 30, 2007 @08:23AM (#20800809)
    the real question is who do we blame this story on: kdawson or firehose?
  • by RAMMS+EIN (578166) on Sunday September 30, 2007 @08:33AM (#20800881) Homepage Journal
    This is what usually happens when something Debian-policy-related happens and is touted as silly:

    1. I think: How silly of them. Just like Debian to do something stubborn and annoying like that.
    2. Then I read the argumentation, the policy that led them to the decision.
    3. I find myself agreeing with the policy and thus accepting the decision as the Right Thing.
    4. I find someone, usually in the Debian project itself, has come up with a solution for those who don't like the decision.

    The more time passes, the more I like Debian. They have policies that are good and they stick to them. When the policy causes them to do something that people don't like, they provide a workaround. With Debian, you can have your cake and eat it. Exclusively free software? Check. Proprietary software when you do want it? Check. Stable system that stays the same for years? Check. Recent versions of packages when you want them? Check. Support in the package manager for mixing and matching? Check. Oh, and they had dependencies figured out and working well long before any other distro I'm aware of. Debian isn't perfect, but it comes frighteningly close sometimes.
  • by RodgerDodger (575834) on Sunday September 30, 2007 @08:57AM (#20801045)
    Ah... found it (and in a link from the FA, as well... go figure). The US DST changes, according to this bug report [debian.org], went into tzdata2006p - which, sure enough, per the changelog [debian.org], got pushed to stable Nov 28.

    So that does beg the question - if it's okay to do it for the US, why not NZ?
  • Re:My god! (Score:2, Insightful)

    by Domstersch (737775) <dominics.gmail@com> on Sunday September 30, 2007 @09:00AM (#20801077) Homepage

    What rubbish. New Zealand's technology industry is more significant to its citizens than the US technology industry is to Americans. As a small country, New Zealand's economy relies more on technological innovation than big countries do, with their natural resources and primary production. I'm not just talking about the famous examples (the electric fence, Rakon) either, but a constant push for more efficient and more valuable secondary production.

    Or by significant did you mean significant to you and you alone? Who made you Captain of Industry?

    Your guess about the few dozen people is also wrong. I, personally, just me, know a few dozen Kiwi Debian users, and I wouldn't say that's even close to the number that live in my suburb. Free software adoption is alive and well down under - it goes well with the 'number 8 wire' tinkering mentality that is a well-established part of New Zealand culture (Burt Munro and all that).

    None of that is to say Debian should break policy - I agree that volatile is where these updates belong. But the arguments you give in favour of the status quo are bullshit.

  • by Andy Dodd (701) <.ude.llenroc. .ta. .7dta.> on Sunday September 30, 2007 @09:06AM (#20801111) Homepage
    "This update is not security-related"

    Yes, in fact, it is. Have you ever heard of log timestamps?
  • This _is_ debian (Score:3, Insightful)

    by squidinkcalligraphy (558677) on Sunday September 30, 2007 @09:30AM (#20801261)
    This is debian, and there is a simple command-line based solution. Debian isn't aimed at grannies or the average corporate joe. Its primary user base is geeks and sysadmins who need rock-solid systems. And it does a damn good job of that. It also serves as a great reference implementation for others (ubuntu, et al) to customise and optimise for more specific uses.
  • by jrumney (197329) on Sunday September 30, 2007 @10:06AM (#20801503) Homepage

    "In my opinion, Debian did the right thing here."

    That would imply they did the wrong thing last year, when they released patches for the U.S. timezone rule changes in stable for both etch and sarge. And a quote from a Debian developer in March this year:

    "Third, Something like a change in daylight savings time is of sufficient importance that the stable release is updated in order to prevent breakages. Sarge got the updated late last year."
  • by Wdomburg (141264) on Sunday September 30, 2007 @10:13AM (#20801555)
    "But nothing else will change a bit. 0% chance that an upgrade may break your configuration file. 0% risks that all the scripts that you manually wrote will suddenly stop functioning because of subtle differences between version 1.8.6.9 and 1.8.6.10 in some obscure software."

    And a 100% chance that a change in your timezone will cause your servers to suddenly have the wrong time (assuming default configuration).

    No thanks, I'll stick to a platform with a more sane balance between platform stability and not breaking things.
  • by Ultra64 (318705) on Sunday September 30, 2007 @10:36AM (#20801711)
    Maybe he said 'fucking' because he fucking wanted to.
  • by TheDormouse (614641) on Sunday September 30, 2007 @10:52AM (#20801817)
    I think the participle fucking quite succinctly and accurately described the combination of amazement and frustration the author of the post intended to convey. It really is a useful word that can express complex emotion concisely: truly in the spirit of Strunk & White's rule 13.
  • by dctoastman (995251) on Sunday September 30, 2007 @11:44AM (#20802147) Homepage
    People who reduce themselves to bitching about curse words contribute nothing to the conversation at hand.
  • by tylernt (581794) on Sunday September 30, 2007 @11:47AM (#20802171)
    I solved this problem by changing wholesale to GMT/UTC on all of our servers, Linux and Windows. Now we never have to worry about another stupid DST or TZ change again, including MS charging $4K for a patch that should be free. It also makes life easier for people outside our TZ who use our servers.

    I just learned that I go to work at 3pm in the morning and head home at 11pm. It's not hard. I wish the world would switch to GMT, it would make everything so much easier. Businesses can have summer hours if they wish to take advantage of the longer days.

    Of course, the desktops are all still on local time. There would be a pitchforks-and-torches uprising if you tried to change that. ;)
  • by HardCase (14757) on Sunday September 30, 2007 @12:04PM (#20802299)
    "Debian isn't aimed at grannies or the average corporate joe. Its primary user base is geeks and sysadmins who need rock-solid systems."

    The title of www.debian.org: "Debian -- The Universal Operating System".
  • Re-read the parent: Logfile timestamps, for the most part, are written as character data translated by the operating system at the time of the event. One exception are wtmp files, which are written in binary format and read by other programs, e.g., last(1). However, syslogd does the translation on the fly, and therefore writes its messages per the current timezone setting, viz:

    Feb 27 01:01:04 umbc9 syslogd: restart
    Feb 27 01:01:14 umbc9 telnetd[1803]: connect from annex3.umbc.edu
    Feb 27 01:02:15 umbc9 rlogind[1845]: connect from annex1.umbc.edu
    Feb 27 01:02:44 umbc9 lpd[1879]: /usr/adm/acsps-errs: No such file or
        directory
    Feb 27 01:07:08 umbc9 telnetd[1914]: connect from annex1.umbc.edu
    Feb 27 01:08:06 umbc9 rlogind[1946]: connect from annex1.umbc.edu
    Feb 27 01:10:28 umbc9 rshd[1985]: connect from xxxx@deputy.cs.umbc.edu
    Feb 27 01:10:30 umbc9 rlogind[1993]: connect from xxxx@deputy.cs.umbc.edu
    Feb 27 01:13:01 umbc9 sendmail[2042]: BAA02041: to=xzy@picard.cs.wisc.edu,
      delay=00:00:02, mailer=nullclient, relay=mailhub1.gl.umbc.edu. (130.85.3.11),
      stat=Sent (BAA04370 Message accepted for delivery)

    Note that this example does not include the timezone; most UNIX implementations do, so at least the logs can be transposed to reflect one's own timezone.

    The impact is skewing of post-event analysis of messages in logs. While I agree with the value of your presumption, i.e., logs could be written with timestamps expressed as offsets from the epoch, it's not the way things are done at present. OTOH, if the analysis is crucial, it's trivial to write a [Perl|Tcl] script to filter the logs for less error-prone analysis.

    I happen to have written a small app recently to log events with the timestamps written as epoch offsets, because the people who use the logs are in different timezones and want to understand the events' occurrences in their own timezone.
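The log skew discussed in the comment above, as an added example that is not part of the original thread: a host still on pre-2007f rules stamps syslog lines with NZST (+12) during the week when New Zealand is already on NZDT (+13), so converting its logs with the current rules lands every event one hour early. The host name, addresses, log lines and firewall events are constructed; the old rule's start date (first Sunday of October, 7 October 2007) is background knowledge, not taken from the page.

```python
from datetime import datetime, timedelta, timezone

NZST = timedelta(hours=12)  # New Zealand standard time offset
NZDT = timedelta(hours=13)  # New Zealand daylight time offset

# Local wall-clock start of DST in 2007 under each rule set.
# Only this one transition is modelled; other years are out of scope.
DST_START = {
    "2007f": datetime(2007, 9, 30, 2, 0),      # last Sunday of September
    "pre-2007f": datetime(2007, 10, 7, 2, 0),  # first Sunday of October
}

# Constructed sample: syslog lines from a host running stale tzdata.
HOST_LINES = [
    "Sep 30 09:15:02 etch1 sshd[2211]: Accepted password for alice from 192.0.2.10",
    "Oct  7 10:00:00 etch1 cron[2300]: (root) CMD (run-parts /etc/cron.hourly)",
]

# Constructed sample: firewall events already recorded as epoch seconds (UTC).
FW_EVENTS = [
    (1191100501, "ACCEPT 192.0.2.10 -> etch1:22"),
]


def parse_syslog(line, year=2007):
    """Split a classic syslog line into (naive local datetime, remainder).

    The format carries neither year nor zone, so both must be supplied
    by the analyst.
    """
    stamp, rest = line[:15], line[16:]
    local = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    return local, rest


def to_utc(local, rules):
    """Convert a naive local timestamp to UTC using the rule set the
    logging host actually had installed."""
    offset = NZDT if local >= DST_START[rules] else NZST
    return (local - offset).replace(tzinfo=timezone.utc)


def correlate(host_lines, fw_events, rules, tolerance=5):
    """Pair host log lines with firewall events within `tolerance` seconds."""
    matches = []
    for line in host_lines:
        local, rest = parse_syslog(line)
        ts = to_utc(local, rules).timestamp()
        for epoch, desc in fw_events:
            if abs(ts - epoch) <= tolerance:
                matches.append((int(ts), rest, desc))
    return matches


if __name__ == "__main__":
    for rules in ("2007f", "pre-2007f"):
        print(rules, correlate(HOST_LINES, FW_EVENTS, rules))
```

Recording which tzdata version each host had at the time of an event lets the conversion be redone correctly later.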
  • by Chris Snook (872473) on Sunday September 30, 2007 @01:15PM (#20802707)
    Several security protocols mandate close time synchronization to minimize the risk of replay attacks, so failure to deploy this time zone change causes a denial of service. In particular Kerberos is impacted, and increasing the permissible time skew by a few orders of magnitude on every box in the domain, which not all implementations support, creates a substantial risk unless you're set up for ticket pre-authentication, which puts a greater load on the server, is not well supported by all clients, and is thus often not enabled. Admittedly, if you're using a network of Debian stable machines, you should be okay, but god forbid someone should use a Debian stable box in an Active Directory deployment.

    Similar problems may exist for SSL (https, ldaps, imaps anyone?) but I'm not sure if a one hour difference would exceed the tolerance in many applications.

    Disclaimer: I work for a commercial distributor.
  • by myowntrueself (607117) on Sunday September 30, 2007 @01:59PM (#20803005)
    "This is the debian *STABLE* branch. In testing I imagine they would do it quickly...well, within a week."

    Sure, and if you want to put up with the possibility that, eg, trying to use tab-completion will cause your shell to dump core then, by all means, use testing.

    'Stable' cannot, in the real-world really mean 'nothing changes except security updates'. The world does not work like that, as this demonstrates.
  • by dondelelcaro (81997) <don@donarmstrong.com> on Sunday September 30, 2007 @01:59PM (#20803007) Homepage Journal

    "So pray explain why they pushed a timezone update for the US changes earlier in the year?"

    It's not that the updates aren't going to be made, it's just that they're made via point releases, not security updates because they aren't a security bug.

    If you don't want to wait for a point release, the packages have been made available already via volatile and the backports area. It's trivial to add these to your sources.list and install the updated package.

    "the reputation of Debian is being ruined by the ineptitude and down right stupidity of the management."

    You seem to not understand how Debian actually works. The management of Debian, such as it is, are the actual developers; the people who actually sit down and do the work. If you don't like the decisions that they make, you have two choices: jump in and help out or choose to use something different. The former will enable you to make decisions in the areas you work in, the latter means hoping that someone else is going to make decisions that you agree with. Choose whichever you prefer; presuming to dictate to those who actually are doing the work isn't one of those choices.

  • by Blkdeath (530393) on Sunday September 30, 2007 @02:36PM (#20803255) Homepage

    "I agree with you but I'm having difficulty imagining a specific attack scenario..."

    No, the solution is to drop the "security" red herring altogether and concentrate on the truth of the matter. This update is small, simple, and critical in an international economy. It should go without saying that it should be a mandatory, top of the list update for all systems regardless of their status in some bureaucratic development cycle.

    Forget the analogies of web browsers, MP3 players, web servers, e-mail clients, IM clients or any of the other thousands of software packages that could in whatever small or large way affect the system and concentrate on this; this update is in force by a major political body recognized around the world. It is fact and computers should at all costs follow the guidelines set by the Real World governing entities. Period. Full Stop.

    For any developer to be pedantic enough to marginalize this as "non security" and therefore refuse to put it into the mandatory update pool is harmful and highly irresponsible. Said developer(s) should be reprimanded, not lauded.

    All those reading these threads and responding that a simple command-line update is the proper solution are short sighted and elitist. Not to sound too cliche, but this is just another example of why Linux / FOSS users and advocates are looked down upon by the real forces in the computer industry and why Linux will never be a mainstream standard. Get off your high horses and realize that just because something is usable by the masses doesn't make it technically inferior nor does it make you any less of a geek because you didn't have to hand-roll your latest update.

  • by Blkdeath (530393) on Sunday September 30, 2007 @07:48PM (#20805193) Homepage

    "BTW, adding 1 line to your /etc/apt/sources.list seems a fairly simple way to get the patch, so what *is* the problem here? Don't want to understand how your OS deals with certain things, then don't use Debian."

    There's a lot I don't understand about the things I use in my day to day life but I still use them. Micro-managing one's operating system is a foolish waste of time and loss of productivity. My operating system exists to grant me access to the tools I've installed to perform tasks relevant to my daily life and career. This is something that should be done right the first time without any political nonsense getting in the way. A timezone patch not stable? Now I've heard it all. Next thing you know my /etc/issue file will be unstable.

  • by brad-x (566807) <brad@brad-x.com> on Sunday September 30, 2007 @09:33PM (#20805883) Homepage

    "If you can't live with the way debian stable releases work choose another distro."
    Many organizations have and will continue to do so. Thanks for the advice.

    "If you can't manage your IT infrastructure such that deploying local patches is not unreasonably difficult fire your IT staff."
    When backports and patches amass to the point where a smooth upgrade path to the next major release is no longer possible, it's time to start laughing at the militant ignorance of the distribution's maintainers and adherents.
