
Debian addresses security concerns

Filed under
Linux

The organisation's security team has issued a host of announcements and informed the community that it has resolved problems with the infrastructure governing security updates.

"There were several issues with the security infrastructure after the release of Sarge [aka Debian 3.1] that led to the Debian security team being unable to issue updates to vulnerable packages. These issues have been fully resolved, and the infrastructure is working correctly again," it said in a statement issued this afternoon.

Debian's elected leader Branden Robinson yesterday flagged an inquiry into the processes by which security updates are released, citing a potential lack of transparency and communication failures.

It was also an appropriate time to add new members to Debian's security team, as several have been inactive for a while, Robinson said in an e-mail to developers. He admitted the organisation had been "sluggish" in the area recently and said the focus would now be on ensuring Debian was not plagued with such problems again.

He said an inquiry -- to be conducted by developer Andreas Barth -- would allow the organisation to attack weak points.

"One thing I'd like to see is better documentation of the internal workings of the security update process," he wrote. "With a broader understanding of the security workflow, I'm hopeful that people will be less likely to draw erroneous inferences about what the causes of problems are, and more likely to make offers of assistance that prove fruitful."

Robinson said he expects to spend a lot of time talking about the security issue to Debian developers and representatives of the user community at the upcoming sixth annual Debian developer conference on July 10 in Helsinki, Finland.

"Many people have stepped forward in public or in private to offer us assistance with ensuring that this problem does not recur," he said, "and that Debian upholds its valuable reputation as a consistent provider of timely security updates to its users."

"I regret the interruption of this service, but with so many people determined to apply their skills to this facet of our responsibilities, I'm confident that we can prevent its recurrence."

Robinson said after "extensive conversations with many people", he suspected two factors were at the heart of Debian's security woes.

Firstly, he said the security team had not been given enough manpower to deal with the demands being placed on it. In addition, there was a failure in the process of actually distributing security updates that were ready to go out.

In the statement issued this afternoon, Debian warned users against installing packages from the "sarge-proposed-updates" suite, as some Web sites had been advocating as a temporary fix before official updates became available.

"Those packages are currently under development and may not work properly," the statement said. "In addition, those packages may not provide users with timely security fixes."

By Renai LeMay
ZDNet Australia
