More Bad News on the Security Front

Today’s issue of Linux Weekly News includes a security response time comparison amongst major distros. Debian comes last on all the vulnerabilities examined bar one; here’s a summary of response times:

                            Debian  Fedora  Gentoo  Red Hat  SuSE  Ubuntu
Average days                  19.8     5.8     7.4     12.0  12.7     5.0
Maximum days                    35      16      14       28    16      12
Minimum days                     9       0       3        4     7       1
Number n/a                       0       0       0        2     0       1
Number apparently unfixed        3       3       2        1     6       2

Read the article for the details (subscribers only for a couple of weeks); the above summary is my own.

Debian’s security support has been in the press a fair bit recently: from the snafu in the installer at sarge’s release, to the failure to be ready to support the sarge release and the ongoing problems with the availability of people on the security team, to a brief article in the German magazine Heise late last month about security.debian.org briefly being unavailable.

Some discussion on an IRC channel following the Heise article, about the manpower issues of the security team (of the 195 posts to Debian’s security advisory list this year, 176 have been from Martin Schulze and the remaining 19 from Michael Stone; and of the five security team members who are able to do updates, two haven’t even logged into the security archive host in over six months), included the following comments:

<aj> has there been any call for help with the security team?
<Overfiend> aj: Put out by whom?
<aj> anyone at all?
<Overfiend> aj: No. Joey won't answer my questions about delegation, so I'm not sure I have the power.
<pitti> aj: I offered to help, but Joey told me to just continue to send patches; that's fine for me
<stockholm> joey tells me there are no problems and everything goes as planned. right. :-(

(I’m aj, Branden Robinson (the Debian Project Leader) is Overfiend, Martin Pitt (who does a lot of security work for Ubuntu, which has some of the best totals above) is pitti, and Andreas Schuldei is stockholm. The Joey referred to above is Martin Schulze.)

More recently, we’ve seen the establishment of the “testing-security” infrastructure entirely separately from the regular Debian security infrastructure. This is in spite of security.debian.org having had some degree of support for handling updates to testing since its creation in 2002 (just before the woody release, when it became apparent that, in spite of their work on “rbuilder”, the security team simply was not able to maintain their own infrastructure).

Then there’s been the internal bickering, such as Joey’s assertions in March that the number of ports isn’t an issue in handling security support, or his public complaints when it turned out to take a while to get the various buildds updated for sarge’s release, and again and again and again afterwards.

Then, of course, there was the disavowal of security support for popular packages such as Mozilla, Firefox, and Thunderbird.

What fun.

UPDATE 2005/09/09:

There are three security bugs that LWN lists as unfixed for Debian. One is the vim modelines bug, filed as Bug#320017, fixed in unstable on the 28th of July, with a fix uploaded to proposed-updates for the next stable release on the 30th of July; since it was announced on the 25th of July, that makes for a response time of three days. The second is an evolution bug, filed as Bug#322535 and fixed in unstable as of the 25th of August, 15 days after it was announced on the 10th of August (also of interest may be Bug#295548, about a security update to woody in February removing evolution’s SSL functionality). The third is an issue in apache-ssl, which was announced on the 2nd of September and was filed today as Bug#327210, but is as yet unfixed.
