Debian Security and some comparisons
Tuesday, July 5th, 2005
Debian is having serious problems with its core security infrastructure. The main issue is that there is just one (overworked) Martin “Joey” Schulze in charge of the security updates, and the rest of the security team is, well, busy. It is even said that one of the security team members is working on Ubuntu, which is perfectly OK since he is getting paid.
This is a very complex problem. First we have the Debian organization. It has a large number of developers and maintainers, and the process to be accepted as a new developer is both long and demanding. This has an advantage and a disadvantage: it is good because the process to become a developer somehow guarantees that the new maintainer will be both skilled and knowledgeable about what Debian, the policy and free software are. The problem is that this acceptance process is, sometimes, incredibly long. Take Ian Murdock as an example. He is the creator of Debian; even the name Debian means Deb (Ian’s wife) and Ian. Ian Murdock applied as a new maintainer more than a year ago, and he is still waiting for approval. And he will probably wait for another year. This is somewhat discouraging for potential new developers (it was discouraging for me at least when I flirted with the idea of applying) and will become more problematic now that important core Debian developers have been hired by Canonical to work on Ubuntu.