
Debian adds security support for testing

From:  Joey Hess <joeyh-AT-debian.org>
To:  debian-devel-announce-AT-lists.debian.org, debian-user-AT-lists.debian.org
Subject:  announcing the beginning of security support for testing
Date:  Fri, 9 Sep 2005 15:27:14 -0400

---------------------------------------------------------------------------
Debian Testing Security Team                            September 9th, 2005
secure-testing-team@lists.alioth.debian.org
http://secure-testing-master.debian.net/
---------------------------------------------------------------------------

Security support for testing

The Debian testing security team is pleased to announce the beginning of
full security support for Debian's testing distribution. We have spent the
past year building the team, tracking and fixing security holes, and
creating our infrastructure, and now the final pieces are in place, and 
we are able to offer security updates and advisories for testing.

We invite Debian users who are currently running testing, or who would like
to switch to testing, to subscribe to the secure-testing-announce mailing 
list, which is used to announce security updates:
http://lists.alioth.debian.org/mailman/listinfo/secure-te...

We also invite you to add the following lines to your
/etc/apt/sources.list file, and run "apt-get update && apt-get upgrade"
to make the security updates available.

deb http://secure-testing.debian.net/debian-secure-testing etch/security-updates main contrib non-free
deb-src http://secure-testing.debian.net/debian-secure-testing etch/security-updates main contrib non-free

Alternatively, replace "secure-testing.debian.net" in the above lines with
a mirror near you:

	ftp.de.debian.org         (located in Germany)
	ftp.nl.debian.org         (located in the Netherlands)
	the.earth.li              (located in UK)
	ftp2.jp.debian.org        (located in Japan)
	farbror.acc.umu.se        (located in Sweden)
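The steps above (pick a mirror, add the two lines to /etc/apt/sources.list, then update and upgrade) written out as a small POSIX sh script. This is an added example, not code from the announcement or from the Debian testing security team; it assumes the mirror list exactly as announced, takes the sources file as a parameter so it can be tried against a scratch file first, and only appends the entries if they are not already present, so it can be re-run safely.

```shell
#!/bin/sh
# Added example (not part of the announcement): enable the Debian testing
# security repository for a chosen mirror, idempotently, in an apt sources file.
set -eu

# Hosts named in the announcement: the master host plus the listed mirrors.
KNOWN_MIRRORS="secure-testing.debian.net ftp.de.debian.org ftp.nl.debian.org the.earth.li ftp2.jp.debian.org farbror.acc.umu.se"

# Print the two sources.list lines for MIRROR. Hosts outside the announced
# list are refused, so a typo cannot quietly point apt at an arbitrary server.
secure_testing_sources() {
    mirror=$1
    for m in $KNOWN_MIRRORS; do
        if [ "$m" = "$mirror" ]; then
            printf 'deb http://%s/debian-secure-testing etch/security-updates main contrib non-free\n' "$mirror"
            printf 'deb-src http://%s/debian-secure-testing etch/security-updates main contrib non-free\n' "$mirror"
            return 0
        fi
    done
    echo "unknown mirror: $mirror (expected one of: $KNOWN_MIRRORS)" >&2
    return 1
}

# Append the lines to FILE unless an entry for this suite is already there,
# so running the script twice does not duplicate the repository.
install_secure_testing_sources() {
    mirror=$1
    file=$2
    if [ -f "$file" ] && grep -q 'debian-secure-testing etch/security-updates' "$file"; then
        echo "secure-testing already configured in $file" >&2
        return 0
    fi
    secure_testing_sources "$mirror" >> "$file"
}

# Number of secure-testing entries in FILE (0 when the file is missing),
# useful as a sanity check after editing.
count_secure_testing_entries() {
    if [ -f "$1" ]; then
        grep -c 'debian-secure-testing etch/security-updates' "$1" || true
    else
        echo 0
    fi
}

# Usage (as root):  sh enable-secure-testing.sh ftp.de.debian.org /etc/apt/sources.list
# followed by:      apt-get update && apt-get upgrade
if [ $# -ge 1 ]; then
    install_secure_testing_sources "$1" "${2:-/etc/apt/sources.list}"
fi
```

The repository is signed with the archive key the announcement includes further down, so import that key (apt-key add ziyi-2005-7.asc) before the first apt-get update; otherwise apt has nothing to verify the Release files against and the mirror substitution above buys no integrity guarantee on its own.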

Some initial advisories have already been posted to the list and are already
available in the repository. These include:

[DTSA-1-1] New kismet packages fix remote code execution
[DTSA-2-1] New centericq packages fix multiple vulnerabilities
[DTSA-3-1] New clamav packages fix denial of service and privilege escalation
[DTSA-4-1] New ekg packages fix multiple vulnerabilities
[DTSA-5-1] New gaim packages fix multiple remote vulnerabilities
[DTSA-6-1] New cgiwrap packages fix multiple vulnerabilities
[DTSA-7-1] New mozilla packages fix frame injection spoofing
[DTSA-8-1] New mozilla-firefox packages fix several vulnerabilities
[DTSA-9-1] New bluez-utils packages fix bad device name escaping
[DTSA-10-1] New pcre3 packages fix buffer overflow
[DTSA-11-1] New maildrop packages fix local privilege escalation
[DTSA-12-1] New vim packages fix modeline exploits
[DTSA-13-1] New evolution packages fix format string vulnerabilities

Note that while all of Debian's architectures are supported, we may release
an advisory before fixed packages have built for all supported
architectures. If so, the missing builds will become available as they
complete.

We are not currently issuing advisories for security fixes that reach
testing through normal propagation from unstable, but only for security
fixes that are made available through our repository. So users of testing
should continue to upgrade their systems on a regular basis to get such
security fixes. We might provide information about security issues that
have been fixed through regular testing propagation in the future, though.

Note that this announcement does not mean that testing is suitable for
production use. Several security issues are present in unstable, and an
even larger number are present in testing. Our beginning of security
support only means that we are now able to begin making security fixes
available for testing nearly as quickly as for unstable. The testing
security team's website has information about what security holes are still
open, and users should use this information to make their own decisions
about whether testing is secure enough for them.

Finally, we are still in the process of working out how best to serve users
of testing and keep your systems secure, and we welcome comments and
feedback about ways to do better. You can reach the testing security team
at secure-testing-team@lists.alioth.debian.org.

If you want to become a mirror, please see
http://secure-testing-master.debian.net/mirroring.html

Debian developers who would like to upload fixes for security holes in
testing to the repository can do so, following the instructions on our web
site.

For more information about the testing security team, see our web site,
http://secure-testing-master.debian.net/

----------------------------------------------------------------------------

The archive signing key that is used to sign the apt repository is
included below and can also be downloaded from
http://secure-testing-master.debian.net/ziyi-2005-7.asc

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.1 (GNU/Linux)
-----END PGP PUBLIC KEY BLOCK-----

-- 
see shy jo




Debian adds security support for testing

Posted Sep 9, 2005 19:53 UTC (Fri) by peace (guest, #10016)

Go Debian!

I'm amazed that they feel they can pull this off given the history of their release schedule. It reflects very well on the leadership and maintainers. This will make Debian a very interesting choice for the desktop as being able to run fairly bleeding edge apps, with security updates, is something I have not seen in any other distribution.

I wonder how the availability of these packages will affect Ubuntu. If Debian can really be agile and current it might be nice to see Ubuntu work from within Debian as a great preconfigured desktop option. Basically get rid of the *-ubuntu packages and use Debian main line.

Kind Regards

Debian adds security support for testing

Posted Sep 9, 2005 19:57 UTC (Fri) by NightMonkey (subscriber, #23051)

This will make Debian a very interesting choice for the desktop as being able to run fairly bleeding edge apps, with security updates, is something I have not seen in any other distribution.

Except Gentoo, perhaps? Or maybe you didn't see that.

Debian adds security support for testing

Posted Sep 9, 2005 20:30 UTC (Fri) by peace (guest, #10016)

I thought of Gentoo as I wrote that but wasn't aware that they had security updates for testing, at least not as an official policy. Obviously if a package maintainer wants to keep their testing tree updated with security patches they can. The last I saw Gentoo was still working out the security patch system for the stable tree, but that was a while ago now. Anyway, as usual, Gentoo also does X.

Kind Regards

Debian adds security support for testing

Posted Sep 11, 2005 3:06 UTC (Sun) by ferringb (subscriber, #20752)

Gentoo doesn't have 'testing' keywords; strictly stable/unstable; that said, we already have security teams for all arches, plus usual glsa postings (with tools for upgrading just the pkgs that are affected).
(Thoroughly offtopic, just correcting misview) :)

Debian adds security support for testing

Posted Sep 11, 2005 15:50 UTC (Sun) by peace (guest, #10016)

Hmmm, what are the ~x86 and -x86 keywords for if not testing /and/ unstable?

Good to know there is a dedicated security effort.

One thing about Gentoo, you sure can't say anything about it without being corrected! :) (this is a good thing, it's got a very active and helpful community. Even though it's hard to peg down its ever-evolving features.)

Kind Regards

Debian adds security support for testing

Posted Sep 12, 2005 12:59 UTC (Mon) by farnz (subscriber, #17727)

Gentoo has three keywords per architecture:
  1. Plain arch (e.g. "x86"). This is used for software believed to be stable on that architecture.
  2. ~arch (e.g. "~x86"). This is used for software that needs testing on that architecture (but should work).
  3. -arch (e.g. "-x86"). This is used for software that is known not to work on that architecture (such as binary-only software, or things like arcboot which depend on a specific architecture).
In addition, you've got masked packages (which are in the tree if you want to use them and give feedback, but which are expected to break - think GNOME and KDE alphas, for example), and unkeyworded packages (which are not known to work or fail on that architecture).

Debian adds security support for testing

Posted Sep 9, 2005 20:55 UTC (Fri) by neilm (subscriber, #28422)

I wonder how the availability of these packages will affect Ubuntu. If Debian can really be agile and current it might be nice to see Ubuntu work from within Debian as a great preconfigured desktop option. Basically get rid of the *-ubuntu packages and use Debian main line.
Unfortunately, this probably won't happen.

Ubuntu freezes Sid when they release, and thus there may be no equivalent package in Debian.

  1. 1.0-1 is uploaded to unstable, but doesn't reach testing due to it not building on $arch_which_ubuntu_ignores.
  2. Ubuntu snapshots Sid
  3. 1.1 is uploaded to unstable, which fixes some bugs, and introduces some more features. It reaches testing.

Now Ubuntu has a version which Debian doesn't and won't be able to provide security support for.

Debian adds security support for testing

Posted Sep 9, 2005 21:56 UTC (Fri) by dwheeler (subscriber, #1216)

But this doesn't happen in EVERY case; Ubuntu only needs to handle the cases where it does. And I suspect it's a minority case. And Debian may start to winnow architectures too (not that they're completely shedding them, but poorly-supported architectures will no longer slow down common architectures).

Debian adds security support for testing

Posted Sep 9, 2005 22:35 UTC (Fri) by peace (guest, #10016)

Ubuntu's release methodology and package management would have to change, of course. With Ubuntu's success Debian might even consider stretching a little in order to take advantage of the great work and momentum Ubuntu is generating. Consider it like the egcs/gcc split where a venerable well respected application needed a kick in the pants by renegade upstarts to join the modern age but they all lived happily ever after. You know, "Ubuntu is what it is because of what we all are", and all that :)

Kind Regards

Debian adds security support for testing

Posted Sep 10, 2005 6:20 UTC (Sat) by lacostej (subscriber, #2760)

One of LWN's latest articles revealed that Debian has been quite slow lately at releasing security updates. Was that a part of the reason? Will that impact the timely release of future updates even more?

I don't know what to think...

Debian adds security support for testing

Posted Sep 10, 2005 8:51 UTC (Sat) by mbanck (subscriber, #9035)

No, stable security and testing security are provided by two different teams.

Michael

Debian adds security support for testing

Posted Sep 10, 2005 22:00 UTC (Sat) by dilinger (subscriber, #2867)

And in some cases, testing security updates are being released before stable security updates; for example, the pcre3 update for testing was released on Aug 29 [1], while the stable release came out Sept 2 [2].

The debian stable "team" is exactly one person right now, while the testing team is comprised of a number of people.

[1] http://lists.alioth.debian.org/pipermail/secure-testing-a...

[2] http://www.debian.org/security/2005/dsa-800

Debian adds security support for testing

Posted Sep 12, 2005 8:10 UTC (Mon) by lacostej (subscriber, #2760)

As a user of the stable series on several servers, I'd rather that to be the other way around...

Copyright © 2005, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds