Debian Weekly News - email
From: Anthony Towns <firstname.lastname@example.org> Date: Wed, 26 Jul 2000 10:44:09 +1000 To: email@example.com Subject: Test Cycle Three Begins Test Cycle Three has officially begun. The archive has been frozen, and no new packages will be installed until the test cycle ends. Since the last test cycle we have new boot-floppies, a new X, and many new packages. Also included are updated release notes: please be sure to check them to avoid any problems some of the changes may cause in your systems. It is hoped and expected that we will not need to make any further changes to packages between this test cycle and declaring potato stable. As such, security fixes for packages in potato will be made available on security.debian.org and announced on the debian-security-announce mailing list, as they are for the stable release. The main focus of testing for this cycle, then, is to ensure the release notes are as complete and as helpful as possible, and to identify issues that should be fixed in future point releases of potato and in the next Debian release, woody. This test cycle will end in two weeks, roughly the 9th of August. At that point, any additional problems will be added to the release notes, and potato will be declared stable. The official announcement of this, and the first non-virtual release party, is expected to take place at the LinuxWorld Conference and Expo. Testing reports should, as always, be sent to the debian-testing list. Subscription information and archives are available from the Debian homepage. For those who are able to test CD installs, images for the first binary CD for each architecture are available at: http://ftp.debian.org/debian-cd/potato_test-cycle-3/ For people doing network based installs, please point Apt or your preferred dselect method at your local mirror. -- Anthony Towns Acting Release Manager
Date: Tue, 25 Jul 2000 15:51:21 -0400 From: Ben Collins <firstname.lastname@example.org> To: email@example.com Subject: Dedication of the Debian 2.2 release This is the first public announcement of this intention. Some may notice two new files in our archive (or on mirrors) and on the new Test Cycle 3 CD's. This is a dedication of this release to a recently daparted member of our Project, Joel Klecker, who died unexpectedly at age 21. The dedication can be found (and is attached here for completeness) at: http://ftp.debian.org/doc/dedication-2.2.txt You will also find a file with it called dedication-2.2.sigs.tar.gz, which contains close to 200 PGP signatures from our Developers for the dedication.txt. Joel's death was the result of a life long battle with Duchenne Muscular Dystrophy. Information for donations to the Muscular Dystrophy Association can be found here and will be greatly appreciated (please make donations in Joel's name, if you so desire): http://mdausa.org/donate/index.html Sincerely, Ben Collins
From: Joey Hess <firstname.lastname@example.org> Date: Tue, 25 Jul 2000 17:05:37 -0700 To: Kurt Seifried <email@example.com> Cc: firstname.lastname@example.org Subject: Linux Distribution Security Report -- disappointing In <http://www.securityportal.com/cover/coverstory20000724.html>, you state: > I have not fully covered Slackware and Debian, with their ridiculously >slow release schedules. I'm very disappointed on two levels: First that you provide such a comprehensive and useful report and yes omit one of the more popular linux distributions, and second that you have made such an erroneous assumption about Debian's release methodology. Your main mistake is that you have failed to realize that Debian releases timely security fixes, which are distributed to Debian users via the internet. Users can choose to configure their systems to receive these updates. This makes release intervals orthogonal to whether users receive security fixes. Moreover, Debian has _frequent_ minor releases. These releases consist mostly of security fixes, and they serve to get the security fixes out to fresh Debian installs, plus to anyone who installs from CD and does not set up their system to receive security fixes via the net. You may have missed these releases, since in Debian, "2.1" is a new major release (with an implied "r1"), while "2.1r2" is the first minor release -- an unusual nomenclature compared to the other distributions. Interestingly, minor releases of Debian 2.1 have occurred more frequently than minor releases of Red Hat 6 (which, as you note, "shoves a new version out the door every 6 months like clockwork"). Debian Red Hat 2.1 8 days 2.1r2 167 days 2.1r3 6.0 104 days 161 days 2.1r4 6.1 117 days 175 days 2.1r5 6.2 [ Interestingly, a poster on slashdot has numbers that show that the other distribution you left out (Slackware) also releases just as frequently as Red Hat. ] In light of these problems, I think it would be quite beneficial if you added Debian to your paper. Security announcement since 1998 are archived in both the archives of the debian-security-announce mailing list, and on http://security.debian.org/ (which also includes advisories from 1997). So, I dug up some numbers (I read the changelog pointed to by footnote 2, and counted security fixes. This is probably not as accurate as your numbers.) Release Security Advisories 2.1 1 2.1r2 16 2.1r3 19 2.1r4 5 2.1r5 Moving on to the second part of your paper, specific incidents and how quickly distributions responded, I've looked up some data on Debian's responses. Local root exploit in kernel <2.2.15, announced on June 8th. On June 12th, Debian announced it had fixed the hole *before* the exploit was announced, and thus was not vulnerable. fdmount, announced May 22. Debian has never installed it suid, and thus has never been vulnerable (as you noted -- thanks). By the way, I think this section of your paper looked at too few holes to draw any real conclusions from. But Debian seems to have been near the head of the pack in this limited sampling. In closing, I'd like to point out that the current 1 and a half 5 year -- not 2 year as you continually state -- gap between Debian 2.1 and 2.2 is so far an exception, and not -- as you continually imply -- a rule. Major Debian releases: 1.1 6 months 1.2 7 months 1.3 12 months 2.0 8 months 2.1 (19 months?) 2.2 -- see shy jo, fond of lies, damn lies, and statistics  (For instructions to configure a Debian system to receive such fixes, see for example, http://security.debian.org/, in the 5th paragraph.)  This information from http://ftp.debian.org/debian/dists/stable/Debian2.1r5  https://www.debian.org/Lists-Archives/debian-security-announce-98/threads.html https://www.debian.org/Lists-Archives/debian-security-announce-99/threads.html https://www.debian.org/Lists-Archives/debian-security-announce-00/threads.html  https://www.debian.org/security/2000/20000612  http://slashdot.org/comments.pl?sid=00/07/25/1444233&cid=141  I'm not going to argue this in detail, but just see how people reacted to your ommissions on slashdot. Debian has a rather large mindshare, though its market share is less quantifiable. http://slashdot.org/article.pl?sid=00/07/25/1444233&mode=nested
To receive this newsletter weekly in your mailbox, subscribe to the debian-news mailing list.
Back issues of this newsletter are available.
This issue of Debian Weekly News was edited by Joey Hess.