
Debian struggling with security

Filed under: Security

Debian is facing difficulties getting timely security updates to users of its Linux distribution due to lack of manpower and software problems.

The issues recently surfaced when Debian released the latest version of its Linux distribution early in June, according to Martin Schulze, a member of the organisation's security team.

That release, Schulze wrote on his blog, caused configuration problems on the server which was responsible for distributing security updates -- and it hasn't been functioning properly since. "Several security updates aren't built on all architectures as they should be," the developer wrote only yesterday. "Currently, it's totally unreliable."

Lack of manpower also appears to be adding to Debian's security woes. Michael Stone, another member of Debian's security team, expressed his frustration to the organisation's security e-mail mailing list in mid-June, saying there was no effective tracking of security problems.

The problems have seen Debian fall behind competitors like Red Hat in releasing updates to widely-used programs. For example, although spam-filtering package SpamAssassin was updated by its creator to fix a remote denial-of-service vulnerability on 6 June, Debian provided the update on 1 July, while Novell's SuSE got the fix a week earlier on 23 June, Gentoo Linux on the 21st and Red Hat's Fedora still earlier on the 16th.

A similar situation occurred when the 'sudo' package needed an update in mid-June. In addition a number of security-related bugs are listed on Schulze's Web site as being unfixed, although the site also notes the data may be inaccurate as it is automatically generated.

Debian's infrastructure problems have been discussed less prominently on the project's mailing lists than the manpower issues. One idea that has been raised as a way of speeding up the release of security updates is to give more developers the authority to push updates out.

As one developer put it: "The problem we're currently seeing isn't that the job is hard, but that only a very small number of people have the authority/ability to push the update out."

Another agreed, calling for the size of the security team to be increased from seven to 21.

Source.
