Language Selection

English French German Italian Portuguese Spanish

Debian addresses security concerns

Filed under
Linux

The organization's security team has issued a host of announcements and informed the community it has resolved problems with the infrastructure governing security updates.

"There were several issues with the security infrastructure after the release of Sarge [aka Debian 3.1] that led to the Debian security team being unable to issue updates to vulnerable packages. These issues have been fully resolved, and the infrastructure is working correctly again," it said in a statement issued this afternoon.

Debian's elected leader Branden Robinson yesterday flagged an inquiry into the processes by which security updates are released, citing a potential lack of transparency and communication failures.

It was also an appropriate time to add new members to Debian's security team, as several have been inactive for a while, Robinson said in an e-mail to developers. He admitted the organisation had been "sluggish" in the area recently and said the focus would now be on ensuring Debian was not plagued with such problems again.

He said an inquiry -- to be conducted by developer Andreas Barth -- would allow the organisation to attack weak points.

"One thing I'd like to see is better documentation of the internal workings of the security update process," he wrote. "With a broader understanding of the security workflow, I'm hopeful that people will be less likely to draw erroneous inferences about what the causes of problems are, and more likely to make offers of assistance that prove fruitful."

Robinson said he expects to spend a lot of time talking about the security issue to Debian developers and representatives of the user community at the upcoming sixth annual Debian developer conference on July 10 in Helsinki, Finland.

"Many people have stepped forward in public or in private to offer us assistance with ensuring that this problem does not recur," he said, "and that Debian upholds its valuable reputation as a consistent provider of timely security updates to its users."

"I regret the interruption of this service, but with so many people determined to apply their skills to this facet of our responsibilities, I'm confident that we can prevent its recurrence."

Robinson said after "extensive conversations with many people", he suspected two factors were at the heart of Debian's security woes.

Firstly, he said the security team had not been given enough manpower to deal with the demands being placed on it. In addition, there was a failure in the process of actually distributing security updates that were ready to go out.

In the statement issued this afternoon, Debian warned users against installing packages from the "sarge-proposed-updates" suite, as some Web sites had been advocating as a temporary fix before official updates became available.

"Those packages are currently under development and may not work properly," the statement said. "In addition, those packages may not provide users with timely security fixes."

By Renai LeMay
ZDNet Australia

More in Tux Machines

Porteus Kiosk 4.0 Modular Linux Web Kiosk Released, Drops Chrome 32-bit Support

Porteus Solutions' Tomasz Jokiel announced on May 30, 2016, the release of the final Porteus Kiosk 4.0.0 Web Kiosk operating system based on the latest GNU/Linux technologies and open-source software. Porteus Kiosk 4.0.0 comes three months after the release of the last maintenance build in the Porteus Kiosk 3.x series, introducing numerous new features and improvements. But first, let's take a quick look under the hood, as the OS is now powered by Linux kernel 4.4.11 LTS (Long Term Support), and it's based on the Mozilla Firefox 45.1.1 ESR and Google Chrome 50.0.2661.102 web browsers. Read more

Fresh 10-Way GeForce Linux Benchmarks With The NVIDIA 367.18 Driver

In prepping for our forthcoming GeForce GTX 1070 and GTX 1080 Linux benchmarking, I've been running fresh rounds of benchmarks on my large assortment of GPUs, beginning with the GeForce hardware supported by the NVIDIA 367.18 beta driver. Here are the first of those benchmarks with the ten Maxwell/Kepler GPUs I've tested thus far. Earlier this month I posted the With Pascal Ahead, A 16-Way Recap From NVIDIA's 9800 GTX To Maxwell but in still waiting for my GTX 1070/1080 samples to arrive, I've restarted all of those tests now using the newer 367.18 driver as well as incorporating some extra tests like the recently released F1 2015 for Linux, not having done any SHOC OpenCL tests in a while, etc. Read more

Arch Linux-Based ArchAssault Ethical Hacking Distro Changes Name to ArchStrike

The team over at ArchAssault, a GNU/Linux operating system based on the famous Arch Linux distro and designed for ethical hackers, announced a few minutes ago on their Twitter account that they are changing the OS' name to ArchStrike. Designed from the ground up as a security layer to Arch Linux, the ArchAssault project provides security researchers and hackers with one of the most powerful open source and totally free Linux kernel-based operating system for penetration testing and security auditing operations. Read more

Systemd change has Linux users up in arms

A change in the most recent version of systemd, the init system that has been recently adopted by many GNU/Linux distributions, has users up in arms. The change, announced a few days ago, kills background processes by default when a user logs out, the opposite of the behaviour that was exhibited earlier. This would cause problems for users, for example, of terminal multiplexers like screen and tmux as they would be unable to return to a process once they have logged out. If a server admin had a bunch of scripts that logged into a server, then started a process using screen and logged out, the process would be killed. This is a fairly common thing that many admins do. Read more