Language Selection

English French German Italian Portuguese Spanish

Debian addresses security concerns

Filed under

The organization's security team has issued a host of announcements and informed the community it has resolved problems with the infrastructure governing security updates.

"There were several issues with the security infrastructure after the release of Sarge [aka Debian 3.1] that led to the Debian security team being unable to issue updates to vulnerable packages. These issues have been fully resolved, and the infrastructure is working correctly again," it said in a statement issued this afternoon.

Debian's elected leader Branden Robinson yesterday flagged an inquiry into the processes by which security updates are released, citing a potential lack of transparency and communication failures.

It was also an appropriate time to add new members to Debian's security team, as several have been inactive for a while, Robinson said in an e-mail to developers. He admitted the organisation had been "sluggish" in the area recently and said the focus would now be on ensuring Debian was not plagued with such problems again.

He said an inquiry -- to be conducted by developer Andreas Barth -- would allow the organisation to attack weak points.

"One thing I'd like to see is better documentation of the internal workings of the security update process," he wrote. "With a broader understanding of the security workflow, I'm hopeful that people will be less likely to draw erroneous inferences about what the causes of problems are, and more likely to make offers of assistance that prove fruitful."

Robinson said he expects to spend a lot of time talking about the security issue to Debian developers and representatives of the user community at the upcoming sixth annual Debian developer conference on July 10 in Helsinki, Finland.

"Many people have stepped forward in public or in private to offer us assistance with ensuring that this problem does not recur," he said, "and that Debian upholds its valuable reputation as a consistent provider of timely security updates to its users."

"I regret the interruption of this service, but with so many people determined to apply their skills to this facet of our responsibilities, I'm confident that we can prevent its recurrence."

Robinson said after "extensive conversations with many people", he suspected two factors were at the heart of Debian's security woes.

Firstly, he said the security team had not been given enough manpower to deal with the demands being placed on it. In addition, there was a failure in the process of actually distributing security updates that were ready to go out.

In the statement issued this afternoon, Debian warned users against installing packages from the "sarge-proposed-updates" suite, as some Web sites had been advocating as a temporary fix before official updates became available.

"Those packages are currently under development and may not work properly," the statement said. "In addition, those packages may not provide users with timely security fixes."

By Renai LeMay
ZDNet Australia

More in Tux Machines

today's howtos

Games Chronicon, BROKE PROTOCOL, Internet Archive

  • 2D action RPG 'Chronicon' to arrive on Linux with the next big update
    The colourful action RPG Chronicon [Steam, Official Site] should arrive on Linux with the next big update, the developer has said.
  • BROKE PROTOCOL is like a low-poly GTA Online and it's coming to Linux
    BROKE PROTOCOL [Steam], a low-poly open-world action game that's a little like GTA Online and it's coming to Linux.
  • The Internet Archive Just Uploaded a Bunch of Playable, Classic Handheld Games
    The non-profit Internet Archive is perhaps best known for its Wayback Machine that takes snap shots of web sites so you can see what they looked like in the past. However, it also has a robust side project where it emulates and uploads old, outdated games that aren’t being maintained anymore. Recently, the organization added a slew of a unique kind of game that’s passed into memory: handheld LCD electronic games. The games–like Mortal Kombat, depicted above–used special LCD screens with preset patterns. They could only display the exact images in the exact place that they were specified for. This meant the graphics were incredibly limited and each unit could only play the one game it was designed to play. A Game Boy, this was not.
  • Internet Archive emulator brings dozens of handheld games back from obscurity
    Over the weekend, the Internet Archive announced it was offering a new series of emulators. This time, they’re designed to mimic one of gaming’s most obscure artifacts — handheld games. When I say a “handheld game,” I don’t mean the Game Boy or the PSP — those are handheld consoles. These are single-game handheld or tabletop devices that look and feel more like toys. The collection includes the very old, mostly-forgotten games sold in mini-handhelds from the 80s onward.

Linux Foundation Videos and Projects

LibrePlanet free software conference celebrates 10th anniversary, this weekend at MIT, March 24-25

This weekend, the Free Software Foundation (FSF) and the Student Information Processing Board (SIPB) at the Massachusetts Institute of Technology (MIT) present the tenth annual LibrePlanet free software conference in Cambridge, March 24-25, 2018, at MIT. LibrePlanet is an annual conference for people who care about their digital freedoms, bringing together software developers, policy experts, activists, and computer users to learn skills, share accomplishments, and tackle challenges facing the free software movement. LibrePlanet 2018 will feature sessions for all ages and experience levels. LibrePlanet's tenth anniversary theme is "Freedom Embedded." Embedded systems are everywhere, in cars, digital watches, traffic lights, and even within our bodies. We've come to expect that proprietary software's sinister aspects are embedded in software, digital devices, and our lives, too: we expect that our phones monitor our activity and share that data with big companies, that governments enforce digital restrictions management (DRM), and that even our activity on social Web sites is out of our control. This year's talks and workshops will explore how to defend user freedom in a society reliant on embedded systems. Read more Also: FSF Blogs: Friday Free Software Directory IRC meetup time: March 23rd starting at 12:00 p.m. EDT/16:00 UTC