Language Selection

English French German Italian Portuguese Spanish

Debian addresses security concerns

Filed under

The organization's security team has issued a host of announcements and informed the community it has resolved problems with the infrastructure governing security updates.

"There were several issues with the security infrastructure after the release of Sarge [aka Debian 3.1] that led to the Debian security team being unable to issue updates to vulnerable packages. These issues have been fully resolved, and the infrastructure is working correctly again," it said in a statement issued this afternoon.

Debian's elected leader Branden Robinson yesterday flagged an inquiry into the processes by which security updates are released, citing a potential lack of transparency and communication failures.

It was also an appropriate time to add new members to Debian's security team, as several have been inactive for a while, Robinson said in an e-mail to developers. He admitted the organisation had been "sluggish" in the area recently and said the focus would now be on ensuring Debian was not plagued with such problems again.

He said an inquiry -- to be conducted by developer Andreas Barth -- would allow the organisation to attack weak points.

"One thing I'd like to see is better documentation of the internal workings of the security update process," he wrote. "With a broader understanding of the security workflow, I'm hopeful that people will be less likely to draw erroneous inferences about what the causes of problems are, and more likely to make offers of assistance that prove fruitful."

Robinson said he expects to spend a lot of time talking about the security issue to Debian developers and representatives of the user community at the upcoming sixth annual Debian developer conference on July 10 in Helsinki, Finland.

"Many people have stepped forward in public or in private to offer us assistance with ensuring that this problem does not recur," he said, "and that Debian upholds its valuable reputation as a consistent provider of timely security updates to its users."

"I regret the interruption of this service, but with so many people determined to apply their skills to this facet of our responsibilities, I'm confident that we can prevent its recurrence."

Robinson said after "extensive conversations with many people", he suspected two factors were at the heart of Debian's security woes.

Firstly, he said the security team had not been given enough manpower to deal with the demands being placed on it. In addition, there was a failure in the process of actually distributing security updates that were ready to go out.

In the statement issued this afternoon, Debian warned users against installing packages from the "sarge-proposed-updates" suite, as some Web sites had been advocating as a temporary fix before official updates became available.

"Those packages are currently under development and may not work properly," the statement said. "In addition, those packages may not provide users with timely security fixes."

By Renai LeMay
ZDNet Australia

More in Tux Machines

NVIDIA + Nouveau: "Hopefully More Surprises To Come"

Alexandre Courbot, a developer at NVIDIA who has been working on the Tegra open-source graphics support a lot for Nouveau, presented last week at LinuxCon Europe 2015. Thanks to the work by Courbot and others at NVIDIA, the Tegra K1 with its Kepler GPU has mainline Nouveau graphics support while the open-source graphics enablement for the Tegra X1 with Maxwell GPU continues to be upstreamed. Read more

Moto 360 (2nd gen) review: The Android Wear watch to beat

If you’re looking for a smartwatch that delivers a “next-generation” experience, the 2nd generation Moto 360 isn’t it. In fact, none of the Android Wear watches really move the platform forward in a significant way—perhaps because Google is largely in the driver’s seat for software development. But if you want a smartwatch that delivers a great experience for everything Android Wear can do, this is the one. Numerous hardware refinements and a year of software development have made the new Moto 360 everything the first one should have been. Read more

ONOS project, Linux Foundation form strategic partnership

The ONOS community hopes to expedite the advantages service providers can get from software defined networking (SDN) and network functions virtualization (NFV) by collaborating with the Linux Foundation in a strategic partnership. The partnership will help ON.Lab/ONOS "transform service providers' infrastructure for increased monetization by achieving high capex and opex efficiencies and creating new innovative services using the power of open source SDN and NFV," according to a press release. The Linux Foundation will assist ONOS to "organize, grow and harness the power" of a global community to take ONOS and the solutions enabled by it to the next level of production and readiness. Read more

Geriatric Linux: How an 'old geezer' came to terms with computers

Among the diverse things I found to read about was a relatively new but fast-growing computer operating system called Linux. It sounded fascinating: invented by a college student, developed by volunteers, used mainly by experts but available to amateurs; it appeared to defy not only the conventional business model, but the very concept of commercial software. Read more