Language Selection

English French German Italian Portuguese Spanish

Debian addresses security concerns

Filed under
Linux

The organization's security team has issued a host of announcements and informed the community it has resolved problems with the infrastructure governing security updates.

"There were several issues with the security infrastructure after the release of Sarge [aka Debian 3.1] that led to the Debian security team being unable to issue updates to vulnerable packages. These issues have been fully resolved, and the infrastructure is working correctly again," it said in a statement issued this afternoon.

Debian's elected leader Branden Robinson yesterday flagged an inquiry into the processes by which security updates are released, citing a potential lack of transparency and communication failures.

It was also an appropriate time to add new members to Debian's security team, as several have been inactive for a while, Robinson said in an e-mail to developers. He admitted the organisation had been "sluggish" in the area recently and said the focus would now be on ensuring Debian was not plagued with such problems again.

He said an inquiry -- to be conducted by developer Andreas Barth -- would allow the organisation to attack weak points.

"One thing I'd like to see is better documentation of the internal workings of the security update process," he wrote. "With a broader understanding of the security workflow, I'm hopeful that people will be less likely to draw erroneous inferences about what the causes of problems are, and more likely to make offers of assistance that prove fruitful."

Robinson said he expects to spend a lot of time talking about the security issue to Debian developers and representatives of the user community at the upcoming sixth annual Debian developer conference on July 10 in Helsinki, Finland.

"Many people have stepped forward in public or in private to offer us assistance with ensuring that this problem does not recur," he said, "and that Debian upholds its valuable reputation as a consistent provider of timely security updates to its users."

"I regret the interruption of this service, but with so many people determined to apply their skills to this facet of our responsibilities, I'm confident that we can prevent its recurrence."

Robinson said after "extensive conversations with many people", he suspected two factors were at the heart of Debian's security woes.

Firstly, he said the security team had not been given enough manpower to deal with the demands being placed on it. In addition, there was a failure in the process of actually distributing security updates that were ready to go out.

In the statement issued this afternoon, Debian warned users against installing packages from the "sarge-proposed-updates" suite, as some Web sites had been advocating as a temporary fix before official updates became available.

"Those packages are currently under development and may not work properly," the statement said. "In addition, those packages may not provide users with timely security fixes."

By Renai LeMay
ZDNet Australia

More in Tux Machines

OSS Leftovers

  • Canada’s Spy Agency Releases its Cyber-Defense Tool for Public
  • Canadian govt spooks open source anti-malware analytics tool
    The Communications Security Establishment (CSE) said the AssemblyLine tool is designed to analyse large volumes of files, and can automatically rebalance workloads.
  • Microservices served on blockchain, in open source
    Cloud application marketplace company Wireline is working with open source blockchain project developer Qtum The new union is intended to provide a conduit to consuming microservices at [web] scale using blockchain at the core. As we know, microservices offer the ability to create Application Programming Interfaces (APIs) without having to manage the underlying hardware and software infrastructure. [...] The Qtum a blockchain application platform combines the functions of Bitcoin Core, an account abstraction layer allowing for multiple virtual machines and a proof-of-stake consensus protocol aimed at tackling industry-use cases. The Qtum Foundation, headquartered in Singapore, is the decision-making body that drives the project’s development.
  • Rendering HTML5 video in Servo with GStreamer
    At the Web Engines Hackfest in A Coruña at the beginning of October 2017, I was working on adding some proof-of-concept code to Servo to render HTML5 videos with GStreamer. For the impatient, the results can be seen in this video here
  • Working Intel CET Bits Now Land In GCC8
    A few days back I wrote about Intel's work on Control-flow Enforcement Technology beginning to land in GCC. This "CET" work for future Intel CPUs has now landed in full for GCC 8. The bits wiring up this control-flow instrumentation and enforcement support are now all present in mainline GCC SVN/Git for next year's GCC 8.1 release.
  • Using Gitea and/or Github to host blog comments
    After having moved from FSFE’s wordpress instance I thought long about whether I still want to have comments on the new blog. And how I would be able to do it with a statically generated site. I think I have found/created a pretty good solution that I document below.

Security Leftovers

  • Where Did That Software Come From?
    The article explores how cryptography, especially hashing and code signing, can be use to establish the source and integrity. It examines how source code control systems and automated build systems are a key part of the software provenance story. (Provenance means “a record of ownership of a work of art or an antique, used as a guide to authenticity or quality.” It is increasingly being applied to software.)
  • Judge: MalwareTech is no longer under curfew, GPS monitoring [Updated]
    A judge in Milwaukee has modified the pre-trial release conditions of Marcus Hutchins, also known online as "MalwareTech," who was indicted two months ago on federal criminal charges. Under US Magistrate Judge William Duffin’s Thursday order, Hutchins, who is currently living in Los Angeles, will no longer be subject to a curfew or to GPS monitoring.
  • [Older] Leicester teen tries to hack CIA and FBI chiefs' computers
    A teenager attempted to hack senior US government officials' computers from his home. Kane Gamble, 18, from Coalville, Leicestershire, pleaded guilty to 10 charges relating to computer hacking. His targets included the then CIA director John Brennan and former FBI deputy director Mark Giuliano.

Debian: pk4, Freexian and More

Kernel and Graphics: ZenStates, AMDGPU, RADV, Vulkan, NVIDIA

  • ZenStates Allows Adjusting Zen P-States, Other Tweaking Under Linux
    ZenStates is an independent effort to offer P-States-based overclocking from the Linux desktop of AMD Ryzen processors and other tuning. ZenStates-Linux is an open-source Python script inspired by some available Windows programs for offering Ryzen/Zen CPU overclocking from the desktop by manipulating the performance states of the processor.
  • AMDGPU DC Gets A Final Batch Of Changes Before Linux 4.15
    The AMDGPU DC display code has a final batch of feature updates that were sent in this weekend for DRM-Next staging and is the last set besides fixes for the "DC" code for the 4.15 target.
  • Valve Developer Lands VK_EXT_global_priority For RADV Vulkan Driver
  • Vulkan 1.0.64 Adds In Another AMD-Developed Extension
    Vulkan 1.0.64 is out this weekend as the newest specification refinement to this high-performance graphics/compute API. As usual, most of the changes for this minor Vulkan revision are just documentation clarifications and corrections. This week's update brings just under a dozen fixes.
  • NVIDIA TX2 / Tegra186 Display Support Isn't Ready For Linux 4.15
    While the Jetson TX2 has been out since this past March and it's a phenomenal ARM development board, sadly the Direct Rendering Manager (DRM) driver support for it still isn't ready with the mainline Linux kernel. Thierry Reding of NVIDIA sent in the Tegra DRM driver changes for DRM-Next that in turn is staged for Linux 4.15. Reding commented that there is prepatory work for the TX2 (Tegra186) but it's not all ready for upstream yet.