Sarge update issues
http://distrowatch.com/weekly.php?issue=20050704#2

If you have installed the recently released Debian <http://distrowatch.com/debian> sarge, how many security advisories have you received during the past four weeks? Up until late last week the number of sarge-related security advisories issued by the Debian Security Team was exactly zero. Contrast that to Fedora Core 4, which, although released one week later than sarge, has already issued 8 security advisories! So where is the problem? Is the Debian Security Team on strike?

Well, it turns out that the Debian sarge security infrastructure is broken and has been broken since the release of sarge. This was first reported by Heise.de <http://www.heise.de/security/news/meldung/61076> (in German) and later spread to Da Linux French <http://linuxfr.org/2005/06/29/19218.html> (in French) before a long discussion erupted on the debian-security <http://lists.debian.org/debian-security/2005/06/msg00142.html> mailing list. Joey Schulze explains in his blog <http://www.infodrom.org/%7Ejoey/log/?200506142140>: "At the time of the release, security.debian.org broke, since the suites stable/testing on the security host did not match the ones on the main archive. In fact, trying to release a security update before the sarge release resulted in a crashed katie program and a half-baked archive. ... So, it looks like we'll be without security updates for quite a while."

This is bad news for those users who have entrusted their servers to the much awaited new Debian release and are now possibly running several applications with known vulnerabilities. The good news is that the above-mentioned instances of "bad publicity" have stirred some action among the Debian Security Team and, by last weekend, the first two Debian security advisories were issued. But the problem is complex and still far from being under control. Martin Krafft explains <http://lists.debian.org/debian-security/2005/06/msg00149.html>: "In general, my experience has been that security at debian.org is a black hole, and that offers to help are ignored. Of course, the Debian meritocracy calls for us to just do something to rise the ladder according to our accomplishments, but as with the other obscure domains of the Debian project, which are not open to anyone to just peek at and learn, it's really difficult to do this when it means working as a blind person with a couple of mutes."

It looks like a major upheaval in the security infrastructure of Debian is needed to ensure that the current situation does not happen again. But can it be done? Can the rather boring and thankless task of applying patches and releasing advisories be made more attractive and rewarding? Not easily. But it must be done - before Debian's reputation is further tarnished by more sloppy security work.
VietLUG-users mailing list
VietLUG-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/vietlug-users