Security An Ongoing Problem For Debian
Submitted by John, 2005-07-05. Category: Debian. 19 comments.

Debian is facing difficulties getting timely security updates to users of its Linux distribution due to lack of manpower and hardware problems.

About the author: David Adams

Comments

2005-07-05 1:59 pm
I think part of the problem is that Debian supports god knows how many packages (don't say 13000, 'cause a lot of those are "dummy packages" if you actually look) on so many different architectures. Ubuntu has less resources than Debian and yet they aren't having any problems releasing security updates.

2005-07-05 2:02 pm
Canonical hired some of the developers and put them on the fork called Ubuntu. Do you expect the same process to work for Debian? I wouldn't.
"Part of the problem is their architecture and package diversity."
Agreed on that, but more importantly the security process and the people managing it are very closed.

2005-07-05 2:43 pm
Yeah, Canonical hired 40 developers. I doubt those 40 developers code more than the 1000 volunteer Debian developers.

2005-07-05 3:04 pm
And what do you think, who does more work: 1000 volunteers, or 40 paid workers? And which job is easier: developing and maintaining packages, or taking them already made by others and doing only the maintenance and security updates? I could go on, but hopefully you get the point. I, for one, as a long-time Debian user, value very much the work done by the Debian developer crowd. I don't rely on bad-news-spreading articles, which are more than a few really and pop up from time to time. I believe my eyes and my experience with Debian versions through many years of usage. And I'm not complaining. Far from it.

2005-07-05 3:16 pm
"Ubuntu has less resources than Debian and yet they aren't having any problems releasing security updates."
Ubuntu has longstanding unfixed security issues too:
https://bugzilla.ubuntu.com/show_bug.cgi?id=4679
https://bugzilla.ubuntu.com/show_bug.cgi?id=9926

2005-07-05 3:17 pm
Of those 40 developers, no more than 10 work on Ubuntu. Remember, Canonical also does proprietary software like their Launchpad (Malone, Rosetta, etc.).

2005-07-05 5:19 pm
"Ubuntu > Debian. It's called evolution. Only the strong survive. Bye Debian."
Do you think Ubuntu will even survive without Debian? This is precisely the attitude from the Ubuntu people that is very dangerous. Lack of gratitude.

2005-07-05 5:58 pm
lol, good luck with it, but without Debian, Ubuntu will happily disappear into oblivion.

2005-07-05 6:05 pm
Total Package Names : 20687 (993k)
Normal Packages: 16230
Pure Virtual Packages: 502
Single Virtual Packages: 808
Mixed Virtual Packages: 171
Missing: 2976

2005-07-05 6:13 pm
Well, I guess I will switch my server to OpenBSD; Debian is losing some of its earned credibility. I'm not talking about the actual quality of the distribution, but lately things aren't going too well. It took forever to release a new stable release and, moreover, they are having problems with their security updates. Since these security updates were seen as a major point in favor of using Debian on servers, I think this may have an impact. However, I don't think Ubuntu is going to fill the void in this matter; no one (well, some do) uses Sarge in a desktop installation. Most people are using Etch or even Sid, and those are the people Ubuntu appeals most to. Debian must lose some weight and gain some focus.

2005-07-05 6:15 pm
I'm not saying I am jumping ship just because of this; I had OpenBSD on my mind for a long time. This just makes me switch earlier.

2005-07-05 6:41 pm
The problem with Debian is that it supports too many architectures. Yes, I know portability is a great thing, but this is precisely what contributes to Debian's current lack of security. Let other forks take care of the porting; Debian should focus on more specific architectures in order not to lose their popularity, if that's what they want.

2005-07-05 6:57 pm
"Well, I guess I will switch my server to OpenBSD"
OpenBSD itself only maintains a tiny amount of software. As soon as you need to install anything from the ports/packages collection (if you want an up-to-date version of Apache, say; see http://marc.theaimsgroup.com/?l=openbsd-misc&m=108653020220858&w=2 for an overview of the licensing issues that caused the OpenBSD team to drop it), you'll be installing stuff that has nothing like as good a reputation in the security arena. From http://www.openbsd.org/ports.html: "The ports & packages collection does NOT go through the thorough security audit that OpenBSD follows. Although we strive to keep the quality of the packages collection high, we just do not have enough human resources to ensure the same level of robustness and security." So, don't just jump ship based on your evaluation of the security track record of the OpenBSD project itself. (Except in the unlikely event that they really do provide all the software you'll ever need themselves, in which case, lucky you.) The ports/packages system has no security team whatsoever; security concerns, as with all other aspects of maintenance, are the purview of each individual port/package maintainer. And, unlike Debian Stable, they aim to track the latest upstream versions. Debian Unstable/Sid is probably the fairest basis for comparison.

2005-07-05 7:03 pm
"The problem with Debian is that it supports too many architectures. Yes, I know portability is a great thing, but this is precisely what contributes to Debian's current lack of security."
This is not true. Architecture-specific problems are not being treated as blockers with regards to releasing the security advisories for the *other* architectures. See e.g. Michael Stone's recent post at http://lists.debian.org/debian-release/2005/07/msg00010.html: "I've already released two DSAs without arm, and have 3 more pending."

2005-07-05 7:12 pm
Debian also maintains a FreeBSD port of Debian: GNU/kFreeBSD is a GNU system on top of the FreeBSD kernel, and it has glibc (not FreeBSD libc). I think FreeBSD is a more secure, fast and stable choice than Linux. I'm going to use FreeBSD on my servers (if I ever have some...).

2005-07-05 10:10 pm
Ubuntu only provides security updates for the "main" repository; "universe", where the bulk of the packages lie, is not supported or patched for security updates, so the number of packages that need security updates is much higher in Debian.

2005-07-05 10:46 pm
I think the problem is MANPOWER above all else... I think it said seven, but if you tracked the discussion then you know that like 4 of those are mostly inactive and two are secretaries (who don't have the authority to push updates), so everything has been falling on Joey! And Joey only has so many hours in the day... Plus the very nature of a security team means that a lot of stuff is "secret" and most people don't know or hear anything about it... But from what I read, a lot of this has been blown out of proportion, and some things are in place to correct the situation and more are slowly getting there... Face it, Sarge is a kludge, Debian has growing pains, things had to get worse before they got better, OK! We are over that spot and are moving on... Hang in there for the NEW AND IMPROVED Debian.

2005-07-06 12:15 am
Debian is old faithful... the gold standard that all Debian-based distros are compared against. Anyway, I love Debian (it's not my favorite, but I'm not gonna get into that) and I think it has come a long way and will continue to progress.

2005-07-06 6:47 am
"Do you think Ubuntu will even survive without Debian? This is precisely the attitude from the Ubuntu people that is very dangerous. Lack of gratitude."
I promise this is not the official line: http://www.ubuntulinux.org/ubuntu/relationship/document_view
A Debian fan should know the problem of random zealots creating image problems.