Debian Weekly News - email

From: Anthony Towns <aj@azure.humbug.org.au>
Date: Wed, 26 Jul 2000 10:44:09 +1000
To: debian-release@lists.debian.org
Subject: Test Cycle Three Begins

Test Cycle Three has officially begun.


The archive has been frozen, and no new packages will be installed until
the test cycle ends. Since the last test cycle we have new boot-floppies,
a new X, and many new packages. Also included are updated release notes:
please be sure to check them to avoid any problems some of the changes
may cause in your systems.

It is hoped and expected that we will not need to make any further
changes to packages between this test cycle and declaring potato stable.
As such, security fixes for packages in potato will be made available
on security.debian.org and announced on the debian-security-announce
mailing list, as they are for the stable release.

The main focus of testing for this cycle, then, is to ensure the release
notes are as complete and as helpful as possible, and to identify issues
that should be fixed in future point releases of potato and in the next
Debian release, woody.


This test cycle will end in two weeks, roughly the 9th of August. At
that point, any additional problems will be added to the release notes,
and potato will be declared stable. The official announcement of this,
and the first non-virtual release party, is expected to take place at
the LinuxWorld Conference and Expo.

Testing reports should, as always, be sent to the debian-testing list.
Subscription information and archives are available from the Debian
homepage.

For those who are able to test CD installs, images for the first binary
CD for each architecture are available at:

        http://ftp.debian.org/debian-cd/potato_test-cycle-3/

For people doing network based installs, please point Apt or your
preferred dselect method at your local mirror.

--
Anthony Towns
Acting Release Manager

Date: Tue, 25 Jul 2000 15:51:21 -0400
From: Ben Collins <bcollins@debian.org>
To: debian-announce@lists.debian.org
Subject: Dedication of the Debian 2.2 release

This is the first public announcement of this intention. Some may notice
two new files in our archive (or on mirrors) and on the new Test Cycle 3
CD's. This is a dedication of this release to a recently daparted member
of our Project, Joel Klecker, who died unexpectedly at age 21.

The dedication can be found (and is attached here for completeness) at:

	http://ftp.debian.org/doc/dedication-2.2.txt

You will also find a file with it called dedication-2.2.sigs.tar.gz, which
contains close to 200 PGP signatures from our Developers for the
dedication.txt.

Joel's death was the result of a life long battle with Duchenne Muscular
Dystrophy. Information for donations to the Muscular Dystrophy Association
can be found here and will be greatly appreciated (please make donations
in Joel's name, if you so desire):

	http://mdausa.org/donate/index.html

Sincerely,
  Ben Collins

From: Joey Hess <joeyh@debian.org>
Date: Tue, 25 Jul 2000 17:05:37 -0700
To: Kurt Seifried <seifried@securityportal.com>
Cc: debian-devel@lists.debian.org
Subject: Linux Distribution Security Report -- disappointing

In <http://www.securityportal.com/cover/coverstory20000724.html>, you
state:
> I have not fully covered Slackware and Debian, with their ridiculously
>slow release schedules.

I'm very disappointed on two levels: First that you provide such a
comprehensive and useful report and yes omit one of the more popular linux
distributions[6], and second that you have made such an erroneous assumption
about Debian's release methodology.

Your main mistake is that you have failed to realize that Debian
releases timely security fixes, which are distributed to Debian users
via the internet. Users can choose to configure their systems to receive
these updates[1]. This makes release intervals orthogonal to whether users
receive security fixes.

Moreover, Debian has _frequent_ minor releases. These releases consist
mostly of security fixes, and they serve to get the security fixes out
to fresh Debian installs, plus to anyone who installs from CD and does
not set up their system to receive security fixes via the net. You may
have missed these releases, since in Debian, "2.1" is a new major
release (with an implied "r1"), while "2.1r2" is the first minor release
-- an unusual nomenclature compared to the other distributions.

Interestingly, minor releases of Debian 2.1 have occurred more frequently
than minor releases of Red Hat 6 (which, as you note, "shoves a new version
out the door every 6 months like clockwork").

Debian				Red Hat
2.1
	8 days
2.1r2
	167 days
2.1r3				6.0
	104 days			161 days
2.1r4				6.1
	117 days			175 days
2.1r5				6.2

[ Interestingly, a poster on slashdot has numbers[5] that show that
  the other distribution you left out (Slackware) also releases just as
  frequently as Red Hat. ]

In light of these problems, I think it would be quite beneficial if you
added Debian to your paper. Security announcement since 1998 are
archived in both the archives of the debian-security-announce mailing
list[3], and on http://security.debian.org/ (which also includes
advisories from 1997). So, I dug up some numbers (I read the changelog
pointed to by footnote 2, and counted security fixes. This is probably
not as accurate as your numbers.)

Release		Security Advisories
2.1		1
2.1r2		16
2.1r3		19
2.1r4		5
2.1r5

Moving on to the second part of your paper, specific incidents and how
quickly distributions responded, I've looked up some data on Debian's
responses.

Local root exploit in kernel <2.2.15, announced on June 8th.
	On June 12th, Debian announced[4] it had fixed the hole *before*
	the exploit was announced, and thus was not vulnerable.

fdmount, announced May 22.
	Debian has never installed it suid, and thus has never been
	vulnerable (as you noted -- thanks).

By the way, I think this section of your paper looked at too few holes to
draw any real conclusions from. But Debian seems to have been near the
head of the pack in this limited sampling.

In closing, I'd like to point out that the current 1 and a half 5 year --
not 2 year as you continually state -- gap between Debian 2.1 and 2.2 is
so far an exception, and not -- as you continually imply -- a rule. Major
Debian releases:

1.1
	6 months
1.2
	7 months
1.3
	12 months
2.0
	8 months
2.1
	(19 months?)
2.2

--
see shy jo, fond of lies, damn lies, and statistics

[1] (For instructions to configure a Debian system to receive such fixes,
    see for example, http://security.debian.org/, in the 5th paragraph.)
[2] This information from http://ftp.debian.org/debian/dists/stable/Debian2.1r5
[3] http://www.debian.org/Lists-Archives/debian-security-announce-98/threads.html
    http://www.debian.org/Lists-Archives/debian-security-announce-99/threads.html
    http://www.debian.org/Lists-Archives/debian-security-announce-00/threads.html
[4] http://www.debian.org/security/2000/20000612
[5] http://slashdot.org/comments.pl?sid=00/07/25/1444233&cid=141
[6] I'm not going to argue this in detail, but just see how people reacted to
    your ommissions on slashdot. Debian has a rather large mindshare, though
    its market share is less quantifiable.
    http://slashdot.org/article.pl?sid=00/07/25/1444233&mode=nested

To receive this newsletter weekly in your mailbox, subscribe to the debian-news mailing list.

Back issues of this newsletter are available.

This issue of Debian Weekly News was edited by Joey Hess.