Security an ongoing problem for Debian

The issues recently surfaced when Debian released the latest version of its Linux distribution early in June, according to Martin Schulze, a member of the organisation's security team.

That release, Schulze wrote on his blog, caused configuration problems on the server which was responsible for distributing security updates -- and it hasn't been functioning properly since. "Several security updates aren't built on all architectures as they should be," the developer wrote only yesterday. "Currently, it's totally unreliable."

Lack of manpower also appears to be adding to Debian's security woes. Michael Stone, another member of Debian's security team, expressed his frustration to the organisation's security e-mail mailing list in mid-June, saying there was no effective tracking of security problems.

The problems have seen Debian fall behind competitors like Red Hat in releasing updates to widely-used programs. For example, although spam-filtering package SpamAssassin was updated by its creator to fix a remote denial-of-service vulnerability on 6 June, Debian provided the update on 1 July, while Novell's SuSE got the fix a week earlier on 23 June, Gentoo Linux on the 21st and Red Hat's Fedora still earlier on the 16th.

A similar situation occurred when the 'sudo' package needed an update in mid-June. In addition a number of security-related bugs are listed on developer Joey Hess's Web site -- who works closely with the Debian security team -- as being unfixed, although the site also notes the data may be inaccurate as it is automatically generated.

Although Debian's infrastructure problems have not been as prominently discussed as the manpower issues on the project's mailing lists, giving some developers more authority is one idea that has been discussed as a way of speeding up the release of security updates.

As one developer put it: "The problem we're currently seeing isn't that the job is hard, but that only a very small number of people have the authority/ability to push the update out."

Another agreed, calling for the size of the security team to be increased from seven to 21.

• Related stories

• Alerts

Add your opinion

1. I thought open source patching in minutes or hours not months, maybe the promise leads the capability and many eyes do not make bugs shallow they just muddy the waters Anonymous -- 05/07/05

   I thought open source patching in minutes or hours not months, maybe the promise leads the capability and many eyes do not make bugs shallow they just muddy the waters

   • Reply to comment
   • Reply to story
   • Report offensive content

2. <a href="http://newraff.debian.org/~joeyh/stable-security.html">The link to stable issues</a> isn't Schultz's, it's from Joey Hess. Although the confusion is understandable. Anonymous -- 06/07/05

   <a href="http://newraff.debian.org/~joeyh/stable-security.html">The link to stable issues</a> isn't Schultz's, it's from Joey Hess.
   
   Although the confusion is understandable.

   • Reply to comment
   • Reply to story
   • Report offensive content

3. Joey Hess reaction to this article : http://kitenet.net/~joey/blog/entry/secfud-2005-07-06-11-28.html Anonymous -- 06/07/05

   Joey Hess reaction to this article :
   http://kitenet.net/~joey/blog/entry/secfud-2005-07-06-11-28.html

   • Reply to comment
   • Reply to story
   • Report offensive content

4. Renai LeMay, spinmaster for maximum readers This author is just enhancing the story to get maximum readership and effect. Plus ZDNet has a lot of stake in Windows continuing to do well, after all, whthout it there are going to be a lot less sec Anonymous -- 07/07/05

   Renai LeMay, spinmaster for maximum readers
   
   This author is just enhancing the story to get maximum readership and effect. Plus ZDNet has a lot of stake in Windows continuing to do well, after all, whthout it there are going to be a lot less security articles and other articles. Linux just doesn't have as many problems to write about. You have to manufacture some.

   • Reply to comment
   • Reply to story
   • Report offensive content

5. Get the facts: http://kitenet.net/~joey/blog/entry/secfud-2005-07-06-11-28.html Anonymous -- 07/07/05

   Get the facts:
   
   http://kitenet.net/~joey/blog/entry/secfud-2005-07-06-11-28.html

   • Reply to comment
   • Reply to story
   • Report offensive content

• Just In

• Most Popular

• Most Discussed

Hot Spot - What's Important

Driving Business Growth Through Enterprise IT Management
Dig deeper by clicking here »

Achieve continuous availability with high performance NonStop blade technology

Looking to buy a printer? Our superguide rates the latest printers and shines a light into the industry.

When chief information officers and other technology managers talk about their priorities, security is always high on the list.

Principles for a successful business

Reader Services

Popular Topics

Essentials