Debian struggling with security

Debian is facing difficulties getting timely security updates to users of its Linux distribution due to lack of manpower and software problems.

The issues recently surfaced when Debian released the latest version of its Linux distribution early in June, according to Martin Schulze, a member of the organisation's security team.

That release, Schulze wrote on his blog, caused configuration problems on the server which was responsible for distributing security updates -- and it hasn't been functioning properly since. "Several security updates aren't built on all architectures as they should be," the developer wrote only yesterday. "Currently, it's totally unreliable."

Lack of manpower also appears to be adding to Debian's security woes. Michael Stone, another member of Debian's security team, expressed his frustration to the organisation's security e-mail mailing list in mid-June, saying there was no effective tracking of security problems.

The problems have seen Debian fall behind competitors like Red Hat in releasing updates to widely-used programs. For example, although spam-filtering package SpamAssassin was updated by its creator to fix a remote denial-of-service vulnerability on 6 June, Debian provided the update on 1 July, while Novell's SuSE got the fix a week earlier on 23 June, Gentoo Linux on the 21st and Red Hat's Fedora still earlier on the 16th.

A similar situation occurred when the 'sudo' package needed an update in mid-June. In addition, a number of security-related bugs are listed on Schulze's Web site as being unfixed, although the site also notes the data may be inaccurate as it is automatically generated.

Although Debian's infrastructure problems have not been as prominently discussed as the manpower issues on the project's mailing lists, giving some developers more authority is one idea that has been discussed as a way of speeding up the release of security updates.

As one developer put it: "The problem we're currently seeing isn't that the job is hard, but that only a very small number of people have the authority/ability to push the update out."

Another agreed, calling for the size of the security team to be increased from seven to 21.

Source.
