Security an ongoing problem for Debian

Debian is facing difficulties getting timely security updates to users of its Linux distribution due to lack of manpower and software problems.

The issues recently surfaced when Debian released the latest version of its Linux distribution early in June, according to Martin Schulze, a member of the organisation's security team.

That release, Schulze wrote on his blog, caused configuration problems on the server which was responsible for distributing security updates -- and it hasn't been functioning properly since. "Several security updates aren't built on all architectures as they should be," the developer wrote only yesterday. "Currently, it's totally unreliable."

Lack of manpower also appears to be adding to Debian's security woes. Michael Stone, another member of Debian's security team, expressed his frustration to the organisation's security e-mail mailing list in mid-June, saying there was no effective tracking of security problems.

The problems have seen Debian fall behind competitors like Red Hat in releasing updates to widely-used programs. For example, although spam-filtering package SpamAssassin was updated by its creator to fix a remote denial-of-service vulnerability on 6 June, Debian provided the update on 1 July, while Novell's SuSE got the fix a week earlier on 23 June, Gentoo Linux on the 21st and Red Hat's Fedora still earlier on the 16th.

A similar situation occurred when the 'sudo' package needed an update in mid-June. In addition, a number of security-related bugs are listed as unfixed on the Web site of developer Joey Hess, who works closely with the Debian security team, although the site also notes the data may be inaccurate as it is automatically generated.

Although Debian's infrastructure problems have not been as prominently discussed as the manpower issues on the project's mailing lists, giving some developers more authority is one idea that has been discussed as a way of speeding up the release of security updates.

As one developer put it: "The problem we're currently seeing isn't that the job is hard, but that only a very small number of people have the authority/ability to push the update out."

Another agreed, calling for the size of the security team to be increased from seven to 21.


Talkback 5 comments

    Anonymous -- 05/07/05
    I thought open source patching was in minutes or hours, not months; maybe the promise leads the capability, and many eyes do not make bugs shallow, they just muddy the waters.

    Anonymous -- 06/07/05
    The link to stable issues (http://newraff.debian.org/~joeyh/stable-security.html) isn't Schultz's, it's from Joey Hess.

    Although the confusion is understandable.

    Anonymous -- 06/07/05
    Joey Hess's reaction to this article:
    http://kitenet.net/~joey/blog/entry/secfud-2005-07-06-11-28.html

    Anonymous -- 07/07/05
    Renai LeMay, spinmaster for maximum readers

    This author is just enhancing the story to get maximum readership and effect. Plus ZDNet has a lot at stake in Windows continuing to do well; after all, without it there are going to be a lot fewer security articles and other articles. Linux just doesn't have as many problems to write about. You have to manufacture some.

    Anonymous -- 07/07/05
    Get the facts:
    http://kitenet.net/~joey/blog/entry/secfud-2005-07-06-11-28.html
