Debian Security and some comparisons

Debian is having serious problems with its core security infrastructure. The main issue is that there is just one (overworked) Martin “Joey” Schulze in charge of the security updates, and the rest of the security team is, well, busy. It is even said that one of the security team members is working on Ubuntu, which is perfectly ok since he is getting paid.

This is a very complex problem. First we have the Debian Organization. It has a large number of developers and maintainers, and the process to be accepted as a new developer is both long and demanding. Now this has an advantage and a disadvantage: it is good because the process to become a developer somehow guarantees that the new maintainer will be both skilled and knowledgeable about what Debian, the Debian Policy and free software are. The problem is that this acceptance process is, sometimes, incredibly long. Take Ian Murdock as an example. He is the creator of Debian; even the name Debian means Deb (Ian’s wife) and Ian. Ian Murdock applied as a new maintainer more than a year ago, and he is still waiting for approval. And he will probably wait for another year. This is somewhat discouraging for potential new developers (it was discouraging for me at least when I flirted with the idea of applying) and will become more problematic now that important core Debian developers have been hired by Canonical to work on Ubuntu.

How does this relate to Debian’s security problem? Well, once you become a Debian Developer you can become a member of the security team, but you don’t just ask for it, you must be invited. This is understandable when you talk about security in something that will be used to run several important Internet servers, but when there is only one guy in charge of the security updates, this becomes a problem, and when this guy suddenly gets too busy to even check his email, you have a very serious problem. Besides, Debian must build binaries for 11 (ELEVEN) different architectures. And even then, most of the time the patches must be backported. All this takes time. (Add to that the fact that Debian has more packages than everybody else, by far.) Sometimes the maintainers have the new package ready, but they are kept on hold for days because of the security group bottleneck. As you can see, the last few years have been very busy for Martin Schulze: 2002, 2003, and 2004. And in 2005 he has been completely alone for SIX months. The first non-Martin-Schulze announcement of 2005 was the sudo update by Michael Stone on July 1st.

Just to see how deep this problem goes, I chose 3 random security updates I performed lately on my servers and checked the date of the announcement of the patches of different vendors/distros/operating systems.

The three packages with recent vulnerabilities I picked were:

  - ClamAV
  - SpamAssassin
  - sudo

The operating systems I picked for servers were:

and for desktops:

The results are:

Distribution      ClamAV          SpamAssassin      sudo
Upstream (fixed)  2005-06-23      2005-06-06        2005-06-19
CentOS 4          (1)             2005-06-23        2005-06-29
Debian Sarge      2005-07-06      2005-07-01        2005-07-01
FreeBSD           2005-06-24      2005-06-08        2005-06-21
RHEL4             (1)             2005-06-23        2005-06-29
SLES9             2005-06-29      2005-06-22 (2)    2005-06-24
FC4               (1)             2005-06-16        2005-06-21
Gentoo            2005-06-27      2005-06-21        2005-06-23
Mandriva          (3)             2005-06-28        2005-06-21

(1) The distribution does not include this package; there is nothing to patch.
(2) SLES9 includes an old version of SpamAssassin that is immune to the vulnerability. The published date is for the SUSE 9.3 patch and is for reference only.
(3) There is no patch published yet.
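To turn the table above into a comparable number, the metric that matters is the patch lag: days between the upstream fix and each vendor's advisory. The script below is an added example, not part of the original post; it embeds the table as constructed data, maps the three footnotes to sentinel values so that "not shipped" and "not affected" are excluded rather than counted as zero, and treats the one pending advisory as exposure that is still accruing up to an assumed reference date (AS_OF, taken here as the latest date in the table).

```python
from datetime import date
from statistics import mean

# Upstream fix dates, constructed from the "(fixed)" row of the table above.
FIXED = {
    "ClamAV": date(2005, 6, 23),
    "SpamAssassin": date(2005, 6, 6),
    "sudo": date(2005, 6, 19),
}

# Sentinels standing in for the table's footnotes (1), (2) and (3).
NOT_SHIPPED = "not shipped"    # (1) package not in the distribution
NOT_AFFECTED = "not affected"  # (2) shipped version is immune
PENDING = "pending"            # (3) no advisory published yet

# Vendor advisory dates, constructed from the table above.
ADVISORIES = {
    "CentOS 4":     {"ClamAV": NOT_SHIPPED,      "SpamAssassin": date(2005, 6, 23), "sudo": date(2005, 6, 29)},
    "Debian Sarge": {"ClamAV": date(2005, 7, 6), "SpamAssassin": date(2005, 7, 1),  "sudo": date(2005, 7, 1)},
    "FreeBSD":      {"ClamAV": date(2005, 6, 24), "SpamAssassin": date(2005, 6, 8), "sudo": date(2005, 6, 21)},
    "RHEL4":        {"ClamAV": NOT_SHIPPED,      "SpamAssassin": date(2005, 6, 23), "sudo": date(2005, 6, 29)},
    "SLES9":        {"ClamAV": date(2005, 6, 29), "SpamAssassin": NOT_AFFECTED,     "sudo": date(2005, 6, 24)},
    "FC4":          {"ClamAV": NOT_SHIPPED,      "SpamAssassin": date(2005, 6, 16), "sudo": date(2005, 6, 21)},
    "Gentoo":       {"ClamAV": date(2005, 6, 27), "SpamAssassin": date(2005, 6, 21), "sudo": date(2005, 6, 23)},
    "Mandriva":     {"ClamAV": PENDING,          "SpamAssassin": date(2005, 6, 28), "sudo": date(2005, 6, 21)},
}

# Assumed reference date for still-open advisories: the latest date in the table.
AS_OF = date(2005, 7, 6)


def patch_lag(advisories, fixed, as_of):
    """Return {distro: {package: lag_in_days}}.

    None marks rows where no lag is meaningful (not shipped / not affected).
    A pending advisory is charged the exposure accrued up to `as_of`, so an
    unpatched package is never silently scored better than a patched one.
    """
    lags = {}
    for distro, row in advisories.items():
        lags[distro] = {}
        for pkg, fix_date in fixed.items():
            entry = row[pkg]
            if entry in (NOT_SHIPPED, NOT_AFFECTED):
                lags[distro][pkg] = None
            elif entry == PENDING:
                lags[distro][pkg] = (as_of - fix_date).days
            else:
                lags[distro][pkg] = (entry - fix_date).days
    return lags


def pending(advisories):
    """List (distro, package) pairs whose advisory has not been published."""
    return [(d, p) for d, row in advisories.items() for p, v in row.items() if v == PENDING]


def rank_by_mean_lag(lags):
    """Distributions ordered from fastest to slowest mean patch lag."""
    scored = []
    for distro, row in lags.items():
        values = [days for days in row.values() if days is not None]
        scored.append((mean(values), distro))
    return [distro for _, distro in sorted(scored)]


if __name__ == "__main__":
    lags = patch_lag(ADVISORIES, FIXED, AS_OF)
    for distro in rank_by_mean_lag(lags):
        print(f"{distro:13s} {lags[distro]}")
    print("still pending:", pending(ADVISORIES))
```

Excluding "not shipped" rows rather than scoring them as zero is the part that is easy to get wrong: a distribution that does not ship ClamAV is not fast at patching it, it simply has no exposure there, and averaging in a zero would flatter it.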

As you can see, Debian is certainly falling behind everybody. This is still no Microsoft land where you can expect patches months after a vulnerability is discovered, but certainly things can improve. The debian-security list has been very active lately, and the security team will be more active. Michael Stone’s vulnerability announcements are just the beginning.

Debian is bigger than their problems. A lot bigger.

(And of course, FreeBSD is the fastest to solve vulnerabilities, mainly because they don’t backport)

Comments (6)

  1. Manuel wrote::

    Whoa, man, things are heating up.

    Tuesday, July 5, 2005 at 11:23 pm #
  2. dieguito wrote::

    True.
    Debian needs some new way to receive contributions from their users/developers. And also some new developers now that Canonical Ltd. took a good part of them.

    Tuesday, July 5, 2005 at 11:35 pm #
  3. Manuel wrote::

    Could this new way perhaps resemble the structure that is used for Linux kernel development? You have one, or a few people who receive high quality packages, packages and tweaks, and around them you have dozens, or perhaps hundreds of Debian developers who act as a bridge between the community, companies and users and the core team. They would be situated similar to Linus’ lieutenants.

    Tuesday, July 5, 2005 at 11:40 pm #
  4. fujimo wrote::

    yesss

    Friday, September 9, 2005 at 10:55 am #
  5. Jeff wrote::

    Excellent analysis, you should update it.

    Sunday, October 9, 2005 at 2:40 am #
  6. tim r wrote::

    This is why I run FreeBSD on ALL my production servers, Debian on my workstation and Ubuntu on my laptop. Use the best tool for the job. Period.

    Monday, October 10, 2005 at 7:12 pm #