Language Selection

English French German Italian Portuguese Spanish

Debian struggling with security

Filed under

Debian is facing difficulties getting timely security updates to users of its Linux distribution due to lack of manpower and software problems.

The issues recently surfaced when Debian released the latest version of its Linux distribution early in June, according to Martin Schulze, a member of the organisation's security team.

That release, Schulze wrote on his blog, caused configuration problems on the server which was responsible for distributing security updates -- and it hasn't been functioning properly since. "Several security updates aren't built on all architectures as they should be," the developer wrote only yesterday. "Currently, it's totally unreliable."

Lack of manpower also appears to be adding to Debian's security woes. Michael Stone, another member of Debian's security team, expressed his frustration to the organisation's security e-mail mailing list in mid-June, saying there was no effective tracking of security problems.

The problems have seen Debian fall behind competitors like Red Hat in releasing updates to widely-used programs. For example, although spam-filtering package SpamAssassin was updated by its creator to fix a remote denial-of-service vulnerability on 6 June, Debian provided the update on 1 July, while Novell's SuSE got the fix a week earlier on 23 June, Gentoo Linux on the 21st and Red Hat's Fedora still earlier on the 16th.

A similar situation occurred when the 'sudo' package needed an update in mid-June. In addition a number of security-related bugs are listed on Schulze's Web site as being unfixed, although the site also notes the data may be inaccurate as it is automatically generated.

Although Debian's infrastructure problems have not been as prominently discussed as the manpower issues on the project's mailing lists, giving some developers more authority is one idea that has been discussed as a way of speeding up the release of security updates.

As one developer put it: "The problem we're currently seeing isn't that the job is hard, but that only a very small number of people have the authority/ability to push the update out."

Another agreed, calling for the size of the security team to be increased from seven to 21.


More in Tux Machines

Slackel Linux: Not Your Father's Slackware

You might think of the Slackel distro as a better Slackware derivative. Slackware dates back to 1992. By comparison, well-known and well-used distros such as Ubuntu, Fedora and Linux Mint were introduced in the mid-2000s. So Slackware is among the oldest actively maintained Linux distros. Despite its longevity, it has not joined more modern Linux offspring in terms of user friendliness. Read more

Android 6.0 Marshmallow Review: Google Outsmarts Apple By Guessing Your Next Move

It may seem like a big decision, but something tells me the service arms race is going to be a lot like the feature race. Google has the nose on Apple with Google Now on Tap until… Apple figures out a way to borrow it. Read more

Red Hat News

IBM releases Power-based Linux servers with Nvidia GPUs

The Power Systems LC line was introduced by Dr Stefanie Chiras, director and business line executive of IBM scale-out Power Systems, as part of her keynote on the subject of 'waitless computing'. IBM, as a patron of the OpenPower Foundation, has been a staunch supporter of Linux and OpenStack, and this represents a logical step for the company, as it has been building its Power line following the sale of its x86 server business to Lenovo in 2014. Read more