Language Selection

English French German Italian Portuguese Spanish

Debian addresses security concerns

Filed under
Linux

The organization's security team has issued a host of announcements and informed the community it has resolved problems with the infrastructure governing security updates.

"There were several issues with the security infrastructure after the release of Sarge [aka Debian 3.1] that led to the Debian security team being unable to issue updates to vulnerable packages. These issues have been fully resolved, and the infrastructure is working correctly again," it said in a statement issued this afternoon.

Debian's elected leader Branden Robinson yesterday flagged an inquiry into the processes by which security updates are released, citing a potential lack of transparency and communication failures.

It was also an appropriate time to add new members to Debian's security team, as several have been inactive for a while, Robinson said in an e-mail to developers. He admitted the organisation had been "sluggish" in the area recently and said the focus would now be on ensuring Debian was not plagued with such problems again.

He said an inquiry -- to be conducted by developer Andreas Barth -- would allow the organisation to attack weak points.

"One thing I'd like to see is better documentation of the internal workings of the security update process," he wrote. "With a broader understanding of the security workflow, I'm hopeful that people will be less likely to draw erroneous inferences about what the causes of problems are, and more likely to make offers of assistance that prove fruitful."

Robinson said he expects to spend a lot of time talking about the security issue to Debian developers and representatives of the user community at the upcoming sixth annual Debian developer conference on July 10 in Helsinki, Finland.

"Many people have stepped forward in public or in private to offer us assistance with ensuring that this problem does not recur," he said, "and that Debian upholds its valuable reputation as a consistent provider of timely security updates to its users."

"I regret the interruption of this service, but with so many people determined to apply their skills to this facet of our responsibilities, I'm confident that we can prevent its recurrence."

Robinson said after "extensive conversations with many people", he suspected two factors were at the heart of Debian's security woes.

Firstly, he said the security team had not been given enough manpower to deal with the demands being placed on it. In addition, there was a failure in the process of actually distributing security updates that were ready to go out.

In the statement issued this afternoon, Debian warned users against installing packages from the "sarge-proposed-updates" suite, as some Web sites had been advocating as a temporary fix before official updates became available.

"Those packages are currently under development and may not work properly," the statement said. "In addition, those packages may not provide users with timely security fixes."

By Renai LeMay
ZDNet Australia

More in Tux Machines

AMD Catalyst 14.9 Linux Driver Is Out, Release Disappoints, as Usual

The AMD developers have announced that a new Catalyst 14.9 Linux driver is now out and that it brings support for a couple of new operating systems and a few bug fixes. New AMD Linux drivers don't arrive as often as the community wants or needs them and the company doesn't have the best track record in the open source world. As it stands right now, there are two kinds of drivers available to Linux users, one that's open source and another one that's proprietary. Catalyst 14.9 is made by AMD and provides better functionality than the open source one, but it doesn't get updated too often. Read more

Calibre for Linux Review – The Best App for Anything Related to eBooks

Calibre is the premiere application on the Linux platform to convert, edit, view, and download eBooks. It has so many features it would be difficult just to count them all, but it's time to take a closer look at this app and see what changed in the years that passed since our last review. Read more

Operating System U Fails To Live Up To Its Goals

After launching last month on Kickstarter, the project has turned into a failure and all development has ceased. Operating System U by Andrew Bernstein only raised $1,948 of its $50,000 goal over the month-long period for the OS that claimed numerous advantages over Ubuntu and Windows 8. Andrew then posted, "Unfortunately OS U was unsuccessful. I truly, truly appreciate everyone who backed us, but unfortunately since we where unsuccessful, combined with other circumstances, OS U will not have any more continued development." Read more

Calculate Intro, OpenMandriva Review, and Mageia Delay

Today in Linux news Jessie Smith has a nice article on Gentoo-derivative Calculate Linux 14 in this week's Distrowatch Weekly. Linuxbsdos.com has a review of OpenMandriva Lx 2014.1, released last week. Mageia 5 Beta 1 is delayed and openSUSE 11.4 is "truly, finally dead." We have all this and more in tonight's Linux news recap. Read more