Debian addresses security concerns

The organization's security team has issued a host of announcements and informed the community it has resolved problems with the infrastructure governing security updates.

"There were several issues with the security infrastructure after the release of Sarge [aka Debian 3.1] that led to the Debian security team being unable to issue updates to vulnerable packages. These issues have been fully resolved, and the infrastructure is working correctly again," it said in a statement issued this afternoon.

Debian's elected leader Branden Robinson yesterday flagged an inquiry into the processes by which security updates are released, citing a potential lack of transparency and communication failures.

It was also an appropriate time to add new members to Debian's security team, as several have been inactive for a while, Robinson said in an e-mail to developers. He admitted the organisation had been "sluggish" in the area recently and said the focus would now be on ensuring Debian was not plagued with such problems again.

He said an inquiry -- to be conducted by developer Andreas Barth -- would allow the organisation to attack weak points.

"One thing I'd like to see is better documentation of the internal workings of the security update process," he wrote. "With a broader understanding of the security workflow, I'm hopeful that people will be less likely to draw erroneous inferences about what the causes of problems are, and more likely to make offers of assistance that prove fruitful."

Robinson said he expects to spend a lot of time talking about the security issue to Debian developers and representatives of the user community at the upcoming sixth annual Debian developer conference on July 10 in Helsinki, Finland.

"Many people have stepped forward in public or in private to offer us assistance with ensuring that this problem does not recur," he said, "and that Debian upholds its valuable reputation as a consistent provider of timely security updates to its users."

"I regret the interruption of this service, but with so many people determined to apply their skills to this facet of our responsibilities, I'm confident that we can prevent its recurrence."

Robinson said after "extensive conversations with many people", he suspected two factors were at the heart of Debian's security woes.

Firstly, he said the security team had not been given enough manpower to deal with the demands being placed on it. In addition, there was a failure in the process of actually distributing security updates that were ready to go out.

In the statement issued this afternoon, Debian warned users against installing packages from the "sarge-proposed-updates" suite, which some Web sites had been advocating as a temporary fix before official updates became available.

"Those packages are currently under development and may not work properly," the statement said. "In addition, those packages may not provide users with timely security fixes."

By Renai LeMay
ZDNet Australia
