Debian addresses security concerns

Filed under
Linux

Debian's security team has issued a host of security announcements and informed the community that it has resolved the problems with the infrastructure governing security updates.

"There were several issues with the security infrastructure after the release of Sarge [aka Debian 3.1] that led to the Debian security team being unable to issue updates to vulnerable packages. These issues have been fully resolved, and the infrastructure is working correctly again," it said in a statement issued this afternoon.

Debian's elected leader Branden Robinson yesterday flagged an inquiry into the processes by which security updates are released, citing a potential lack of transparency and communication failures.

It was also an appropriate time to add new members to Debian's security team, as several have been inactive for a while, Robinson said in an e-mail to developers. He admitted the organisation had been "sluggish" in the area recently and said the focus would now be on ensuring Debian was not plagued with such problems again.

He said an inquiry -- to be conducted by developer Andreas Barth -- would allow the organisation to attack weak points.

"One thing I'd like to see is better documentation of the internal workings of the security update process," he wrote. "With a broader understanding of the security workflow, I'm hopeful that people will be less likely to draw erroneous inferences about what the causes of problems are, and more likely to make offers of assistance that prove fruitful."

Robinson said he expects to spend a lot of time talking about the security issue to Debian developers and representatives of the user community at the upcoming sixth annual Debian developer conference on July 10 in Helsinki, Finland.

"Many people have stepped forward in public or in private to offer us assistance with ensuring that this problem does not recur," he said, "and that Debian upholds its valuable reputation as a consistent provider of timely security updates to its users."

"I regret the interruption of this service, but with so many people determined to apply their skills to this facet of our responsibilities, I'm confident that we can prevent its recurrence."

Robinson said after "extensive conversations with many people", he suspected two factors were at the heart of Debian's security woes.

First, he said, the security team had not been given enough manpower to cope with the demands placed on it. Second, there was a failure in the process of actually distributing security updates that were ready to go out.

In the statement issued this afternoon, Debian warned users against installing packages from the "sarge-proposed-updates" suite, as some Web sites had been advocating as a temporary fix before official updates became available.

"Those packages are currently under development and may not work properly," the statement said. "In addition, those packages may not provide users with timely security fixes."

By Renai LeMay
ZDNet Australia

More in Tux Machines

Open source SDR SBC runs Snappy Ubuntu on Cyclone V

The open source, $299 “LimeSDR” board runs Snappy Ubuntu Core on a Cyclone V, and supports user-defined radios ranging from ZigBee to LTE. UK-based Lime Microsystems, which develops field programmable RF (FPRF) transceivers for wireless broadband systems, has launched an open source software defined radio (SDR) board on CrowdSupply. Like other Linux-based SDR systems we’ve seen, the LimeSDR uses an FPGA to help orchestrate wireless communications that can be tuned, manipulated, and reconfigured to different wireless standards via software.

Critical Infrastructure Goes Open Source

The electrical grid, water, roads and bridges—the infrastructure we take for granted—is seldom noticed until it's unavailable. The burgeoning open source software movement is taking steps to help rebuild crumbling U.S. civil infrastructure while capitalizing on expansion in emerging markets by providing software building blocks to help develop interoperable and secure transportation, electric power, oil and gas as well as the healthcare infrastructure. Under a program launched in April called the Civil Infrastructure Platform, the Linux Foundation said the initiative would provide "an open source base layer of industrial grade software to enable the use and implementation of software building blocks for civil infrastructure."

Where have all the MacBooks gone at Linux conferences?

In past years, the vast ocean of Apple logos really undercut any statement of “Linux is great.” People would, inevitably, retort with, “Then why are all the 'Linux People' using Macs?” Admittedly, that was a great point and has been a source of shame for many of us for a very long time. But now things are different. The Apple logos are (mostly) gone from Linux conferences. This may be an unscientific observation from one person attending a few conferences in North America. Regardless, it's a great feeling.

Leftovers: Ubuntu

  • Ubuntu 16.04 to-do list
    UBUNTU 16.04 or Xenial Xerus, the latest upgrade of the popular Linux distribution, became available as a free download last month, and early reviews have been favorable. Instead of upgrading my existing Ubuntu 15.10 system, this time I opted for a fresh install. I also decided to give the improved Unity 7 desktop a go, instead of installing my preferred alternative XFCE. The installation process was trouble-free, but because I started from scratch, I had quite a bit to add and tweak after the OS itself was installed.
  • Ubuntu Founder Pledges No Back Doors in Linux
    VIDEO: Mark Shuttleworth, founder of Canonical and Ubuntu, discusses what might be coming in Ubuntu 16.10 later this year and why security is something he will never compromise. Ubuntu developers are gathering this week for the Ubuntu Online Summit (UOS), which runs from May 3-5, to discuss development plans for the upcoming Ubuntu 16.10 Linux distribution release, code-named "Yakkety Yak."
  • Ubuntu & Other Ubuntu Spins Look At Making Room To Grow
    With Ubuntu's install images continuing to grow, pushing 1.4GB on recent releases, Ubuntu developer Steve Langasek has raised the size limit for Ubuntu desktop images to 2GB. Other Ubuntu flavours are following suit. The new 2GB limit accommodates the current oversized images while still leaving room to grow.
  • Ubuntu’s Snap packages aren’t yet as secure as Canonical’s marketing claims
    Canonical has been talking up Snaps, a new type of package format featured in Ubuntu 16.04 LTS. “Users can install a snap without having to worry whether it will have an impact on their other apps or their system,” reads Canonical’s announcement. But this isn’t true, as prominent free software developer Matthew Garrett recently pointed out.