Debian addresses security concerns

The organization's security team has issued a host of announcements and informed the community it has resolved problems with the infrastructure governing security updates.

"There were several issues with the security infrastructure after the release of Sarge [aka Debian 3.1] that led to the Debian security team being unable to issue updates to vulnerable packages. These issues have been fully resolved, and the infrastructure is working correctly again," it said in a statement issued this afternoon.

Debian's elected leader Branden Robinson yesterday flagged an inquiry into the processes by which security updates are released, citing a potential lack of transparency and communication failures.

It was also an appropriate time to add new members to Debian's security team, as several have been inactive for a while, Robinson said in an e-mail to developers. He admitted the organisation had been "sluggish" in the area recently and said the focus would now be on ensuring Debian was not plagued with such problems again.

He said an inquiry -- to be conducted by developer Andreas Barth -- would allow the organisation to attack weak points.

"One thing I'd like to see is better documentation of the internal workings of the security update process," he wrote. "With a broader understanding of the security workflow, I'm hopeful that people will be less likely to draw erroneous inferences about what the causes of problems are, and more likely to make offers of assistance that prove fruitful."

Robinson said he expects to spend a lot of time talking about the security issue to Debian developers and representatives of the user community at the upcoming sixth annual Debian developer conference on July 10 in Helsinki, Finland.

"Many people have stepped forward in public or in private to offer us assistance with ensuring that this problem does not recur," he said, "and that Debian upholds its valuable reputation as a consistent provider of timely security updates to its users."

"I regret the interruption of this service, but with so many people determined to apply their skills to this facet of our responsibilities, I'm confident that we can prevent its recurrence."

Robinson said after "extensive conversations with many people", he suspected two factors were at the heart of Debian's security woes.

Firstly, he said the security team had not been given enough manpower to deal with the demands being placed on it. In addition, there was a failure in the process of actually distributing security updates that were ready to go out.

In the statement issued this afternoon, Debian warned users against installing packages from the "sarge-proposed-updates" suite, which some Web sites had been advocating as a temporary fix before official updates became available.

"Those packages are currently under development and may not work properly," the statement said. "In addition, those packages may not provide users with timely security fixes."

By Renai LeMay
ZDNet Australia
