Language Selection

English French German Italian Portuguese Spanish

Debian addresses security concerns

Filed under
Linux

The organization's security team has issued a host of announcements and informed the community it has resolved problems with the infrastructure governing security updates.

"There were several issues with the security infrastructure after the release of Sarge [aka Debian 3.1] that led to the Debian security team being unable to issue updates to vulnerable packages. These issues have been fully resolved, and the infrastructure is working correctly again," it said in a statement issued this afternoon.

Debian's elected leader Branden Robinson yesterday flagged an inquiry into the processes by which security updates are released, citing a potential lack of transparency and communication failures.

It was also an appropriate time to add new members to Debian's security team, as several have been inactive for a while, Robinson said in an e-mail to developers. He admitted the organisation had been "sluggish" in the area recently and said the focus would now be on ensuring Debian was not plagued with such problems again.

He said an inquiry -- to be conducted by developer Andreas Barth -- would allow the organisation to attack weak points.

"One thing I'd like to see is better documentation of the internal workings of the security update process," he wrote. "With a broader understanding of the security workflow, I'm hopeful that people will be less likely to draw erroneous inferences about what the causes of problems are, and more likely to make offers of assistance that prove fruitful."

Robinson said he expects to spend a lot of time talking about the security issue to Debian developers and representatives of the user community at the upcoming sixth annual Debian developer conference on July 10 in Helsinki, Finland.

"Many people have stepped forward in public or in private to offer us assistance with ensuring that this problem does not recur," he said, "and that Debian upholds its valuable reputation as a consistent provider of timely security updates to its users."

"I regret the interruption of this service, but with so many people determined to apply their skills to this facet of our responsibilities, I'm confident that we can prevent its recurrence."

Robinson said after "extensive conversations with many people", he suspected two factors were at the heart of Debian's security woes.

Firstly, he said the security team had not been given enough manpower to deal with the demands being placed on it. In addition, there was a failure in the process of actually distributing security updates that were ready to go out.

In the statement issued this afternoon, Debian warned users against installing packages from the "sarge-proposed-updates" suite, as some Web sites had been advocating as a temporary fix before official updates became available.

"Those packages are currently under development and may not work properly," the statement said. "In addition, those packages may not provide users with timely security fixes."

By Renai LeMay
ZDNet Australia

More in Tux Machines

Bodhi and Enlightenment

  • Bodhi 4.0.0 Distro Enters Development, Alpha Out Now Based on Ubuntu 16.04 LTS
    Bodhi Linux developer Jeff Hoogland was proud to announce recently the release and general availability of the first Alpha milestone towards the Bodhi 4.0.0 operating system. Bodhi 4.0.0 Alpha is right on schedule, according to Mr. Hoogland, and it marks the start of the development cycle of the upcoming GNU/Linux distribution built around the lightweight and modern Moksha desktop environment, a continuation of the Enlightenment 17 window manager.
  • Bodhi Linux 4.0.0 Alpha released
  • Enlightenment 0.20.10 Is the Last in the Series, Users Urged to Upgrade to 0.21
    A new stable version of the Enlightenment 0.20 lightweight and modern desktop environment/window manager has arrived, Enlightenment 0.20.10, which is the last one in the series. Yes, you're reading it right, the development cycle of the Enlightenment 0.20 series has come to an end, and if you're still using this version on your GNU/Linux operating system, you are urged to either upgrade to the Enlightenment 0.20.10 maintenance release or move to the newest stable branch, Enlightenment 0.21.0.

Linux Graphics

  • X.Org Server 1.18.4 Brings over 60 Improvements to GNU/Linux Operating Systems
    A new maintenance update of the X.Org Server 1.18 display server software for GNU/Linux operating systems, version 1.18.4, has arrived with over 60 improvements. As usual, Adam Jackson was the one to make the announcement, and it looks like X.Org Server 1.18.4 comes approximately three and a half months after the release of the previous maintenance version, X.Org Server 1.18.3, promising to add lots of backports from the devel branch, primarily in XWayland, Glamor, and Kernel Mode Setting (KMS). However, looking at the internal changelog, we can notice that X.Org Server 1.18.4 introduces improvements for several other drivers and components, including, but not limited to, XQuartz, RandR, x86emu, XFree86, KDrive, xf86Crtc, EXA, GLX, DIX/PTraccel, XKB, as well as Xi.
  • Igalia's Work On The Intel Mesa Driver The Past Year
  • DRM Text Mode Proposed As Alternative To FBDEV/FBCON
    There's long been talk on killing FBDEV and getting rid of CONFIG_VT with a modern replacement making more use of DRM/KMS drivers, but so far none of those efforts have fully panned out.

Linux Foundation and Linux

  • Telco central offices could be in for open source makeover
    The CORD Summit, hosted by the Open Networking Lab (On.Lab) and The Linux Foundation, promotes the use of technologies such as Network Functions Virtualization (NFV), software-defined networking (SDN) and the cloud "to bring datacenter economics and cloud agility to service providers' Central Office." CORD is kind of an acronym for Central Office Re-architected as a Datacenter, and is designed to benefit enterprise, residential and wireless networks. A mini version of this event was held in March as part of the broader Open Networking Summit.
  • Some of The Other Pull Requests Arriving For Linux 4.8 This Week
    I've already written more than a dozen various bits of information about the Linux 4.8 kernel this week covering the big pull requests / subsystem updates.
  • More Last Minute AMDGPU/Radeon Changes For Linux 4.8
    There already have been the main pull requests for the AMDGPU/Radeon DRM drivers for DRM-Next that in turn will land in Linux 4.8 next week.
  • Linux Kernel 3.14.74 LTS Has Updated Drivers, ARM, MIPS and x86 Improvements
    After informing the community about the availability of the Linux 4.6.5 and Linux 4.4.16 LTS kernel versions for GNU/Linux operating systems, Greg Kroah-Hartman published details about the seventy-fourth maintenance update for Linux 3.14 LTS.

Debian News

  • Contributing with Debian Recommendation System
    Hi, my name is Luciano Prestes, I am participating in the program Google Summer of Code (GSoC), my mentor is Antonio Terceiro, and my co-mentor is Tassia Camoes, both are Debian Developers. The project that I am contributing is the AppRecommender, which is a package recommender for Debian systems, my goal is to add a new strategy of recommendation to AppRecommender, to make it recommend packages after the user installs a new package with 'apt'. At principle AppRecommender has three recommendation strategies, being them, content-based, collaborative and hybrid. To my work on GSoC this text explains two of these strategies, content-based and collaborative. Content-based strategy get the user packages and analyzes yours descriptions to find another Debian packages that they are similar to the user packages, so AppRecommender uses the content of user packages to recommender similar packages to user. The collaborative strategy compare the user packages with the packages of another users, and then recommends packages that users with similar profile have, where a profile of user is your packages. On her work, Tassia Camoes uses the popularity-contest data to compare the users profiles on the collaborative strategy, the popularity-contest is an application that get the users packages into a submission and send to the popularity-contest server and generates statistical data analyzing the users packages.
  • Looking for the artwork for the next Debian release
    Each release of Debian has a shiny new theme, which is visible on the boot screen, the login screen and, most prominently, on the desktop wallpaper. Debian plans to release Stretch next year. As ever, we need your help in creating its theme! You have the opportunity to design a theme that will inspire thousands of people while working in their Debian systems.
  • SteamOS 2.87 Arrives with Support for Nvidia GTX 1080/1070, AMD "Bonaire" GPUs
    Today, July 29, 2016, Valve announced the availability for download of a new stable version of its Debian-based GNU/Linux operating system designed for gaming, SteamOS 2.87. After being in the Beta stages of the development for the past two months, SteamOS 2.87 is now the latest stable and most advanced version of the gaming OS developed by Valve for personal computers and Steam Machines. It comes as a replacement for the previous stable release, SteamOS 2.70, announced back in April 2016. Prominent new features of SteamOS 2.87 include the availability of updated Nvidia and AMD Radeon graphics drivers, version 367.27 and AMDGPU-PRO 16.30 respectively, which now offer support for the recently announced Nvidia GTX 1080 and GTX 1070 GPUs, as well as for the "Bonaire" GPUs.