LWN.net Weekly Edition for July 21, 2005
Debconf5: Structural Evolution

Hundreds of Debian developers, maintainers, translators, users and fans joined together for an overflowing week's worth of talks, BOFs, hacking and partying. Debian GNU/Linux is the largest distribution project in many ways; lots of developers (around 200 Debian Developers plus scores of package maintainers, documentation authors and translators), support for more architectures, lots of packages (nearly 15,000 binary packages are available), more derived distributions using it as a base, and soon even a choice between Linux and Hurd kernels. The Debian community is massive and scattered around the globe.
During the year these people keep in touch through a variety of mailing lists and IRC channels, but the annual Debconf provides people with a chance to meet face to face to talk about their favorite operating system. Each year Debconf meets in a different part of the world to make it more accessible to some portion of its global community. This year's conference in Finland brought out over ninety Finns, followed by a full gross of people from Germany, the United Kingdom, the United States, Sweden, Spain and Norway. It was also accessible to a handful of people from the Russian Federation and other parts of Eastern Europe. A few traveled greater distances to come from South America, New Zealand and Fiji. All told, there were people from over thirty countries at this year's event.
Debian is large, and it is all volunteer. A few people have found or created jobs for themselves where they can be paid to work on Debian, at least part of the time, but they are in the minority. The organization is guided by a social contract and maintains a strong commitment to software freedom.
Bdale Garbee, long-time Debian developer and former Debian Project Leader, gave a talk on Debian's Structural Evolution, subtitled Musings on Debian, Today and Tomorrow. He has serious concerns that Debian has grown too large for its infrastructure. For example, each year Debian developers elect a Project Leader. For nine weeks each year a few prominent Debian developers cease working as a team to compete for a job that has grown too complex for a single person. Only Debian developers are allowed to vote, leaving hundreds, or more likely thousands, of Debian volunteers and users with no say whatsoever.
Some of Debian's infrastructure is ably provided by Software in the Public Interest (SPI). However, too few Debian developers are involved in SPI, which oversees many other projects. Also, it is not in SPI's mandate to provide technical guidance; that is the role of the Technical Committee. Bdale finds that the committee, as currently defined, is not particularly satisfying. The committee could use a periodic review and refresh, which is currently not happening.
The current DPL, Branden Robinson, started Project SCUD as an attempt to address some of these issues while working within the constraints of the Debian constitution. However, Bdale (a member of SCUD) finds that the relationship between the DPL and the project is not clear. The team is self-selected and does not include a representative sampling of Debian project participants.
Perhaps it is time to replace the DPL and Technical Committee with an elected leadership board. Candidates would be motivated to campaign on their teamwork skills and more people would be willing to be involved in Debian's leadership. Perhaps a way could be found to allow the greater Debian community a voice in this process. Perhaps this would make Debian even stronger.
Delays in security updates
There are a number of reasons that users choose Linux, but security is one of the most often-cited reasons. While Linux distributions certainly see their fair share of security issues, updates are usually issued in a timely fashion. However, there are times when the process gets bogged down. Security updates for Debian, for example, were not going out in a timely fashion for some time. As reported in Branden Robinson's Debian Project Leader Report for July, security updates were interrupted for some time. This has also been reported in the mainstream press, though members of the Debian team take issue with the actual reporting.
Looking at the security advisories for 2005, one thing that is clear is that no security updates were issued through most of June. There are no updates from June 4 through June 29. Updates resumed on June 30, and there has been a steady stream of updates since then. We e-mailed Martin Schulze about the Debian security delays, and he confirmed the time period.
That is quite a delay for some of the updates. The sudo vulnerability, for example, was addressed in Debian on July 1 for Woody and Sarge. The Fedora Core team released an update for this vulnerability for Fedora Core 3 and Fedora Core 4 on June 21, and Ubuntu released an update on June 21 for Hoary (5.04) and Warty (4.10). Updates for Gaim's recent vulnerabilities were issued on June 16 for FC3 and FC4, and on June 10 and June 15 by the Ubuntu team, respectively -- but not for Debian until July 5.
In an e-mail, Schulze said that he didn't know all of the details of the problems that delayed updates, but explained the way the process is supposed to work:
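The two observations above (a stretch of the advisory stream with nothing in it, and a fix that lands weeks after other distributions shipped theirs) are exactly what an administrator tracking a distribution's security feed would want to measure rather than notice by eye. The following is an added example, not code from the article or from the Debian project: it takes a list of advisory dates and flags any interval between consecutive advisories longer than a threshold, and it computes, per issue, how many days each distribution trailed the earliest fix. The Debian dates other than the June 4 / June 30 boundary are constructed; the per-issue fix dates are the ones quoted in the text, using the earlier of Ubuntu's two Gaim dates.

```python
from datetime import date
from typing import Dict, List, Tuple

# Constructed sample of a distribution's advisory stream around the
# Woody->Sarge transition. Only the June 4 -> June 30 boundary comes from
# the article; the remaining dates are illustrative filler.
DEBIAN_ADVISORY_DATES: List[date] = [
    date(2005, 5, 25), date(2005, 5, 31), date(2005, 6, 2), date(2005, 6, 4),
    date(2005, 6, 30), date(2005, 7, 1), date(2005, 7, 5), date(2005, 7, 8),
]

# Fix dates per issue and distribution as reported in the article.
# For Gaim, Ubuntu's earlier date (June 10) is used.
FIX_DATES: Dict[str, Dict[str, date]] = {
    "sudo": {"debian": date(2005, 7, 1), "fedora": date(2005, 6, 21),
             "ubuntu": date(2005, 6, 21)},
    "gaim": {"debian": date(2005, 7, 5), "fedora": date(2005, 6, 16),
             "ubuntu": date(2005, 6, 10)},
}


def find_gaps(dates: List[date], max_gap_days: int = 14) -> List[Tuple[date, date, int]]:
    """Return (last_advisory, next_advisory, days) for every silent stretch
    longer than max_gap_days. Duplicate dates (several advisories on one day)
    are collapsed first so they cannot mask a real gap."""
    ordered = sorted(set(dates))
    gaps = []
    for earlier, later in zip(ordered, ordered[1:]):
        span = (later - earlier).days
        if span > max_gap_days:
            gaps.append((earlier, later, span))
    return gaps


def fix_lag(fix_dates: Dict[str, Dict[str, date]]) -> Dict[str, Dict[str, int]]:
    """For each issue, the number of days each distribution trailed the
    earliest fix among the tracked distributions (0 for the first to ship)."""
    lag: Dict[str, Dict[str, int]] = {}
    for issue, per_distro in fix_dates.items():
        earliest = min(per_distro.values())
        lag[issue] = {distro: (when - earliest).days
                      for distro, when in per_distro.items()}
    return lag


def worst_lag(fix_dates: Dict[str, Dict[str, date]]) -> Tuple[str, str, int]:
    """The single largest (issue, distribution, days) lag in the table."""
    best = ("", "", -1)
    for issue, per_distro in fix_lag(fix_dates).items():
        for distro, days in per_distro.items():
            if days > best[2]:
                best = (issue, distro, days)
    return best


if __name__ == "__main__":
    for start, end, days in find_gaps(DEBIAN_ADVISORY_DATES):
        print(f"no advisories between {start} and {end} ({days} days)")
    for issue, per_distro in fix_lag(FIX_DATES).items():
        print(issue, per_distro)
    print("worst:", worst_lag(FIX_DATES))
```

With the sample data the gap finder reports the June 4 to June 30 stretch (26 days), and the lag table shows Debian ten days behind on sudo and 25 days behind on Gaim. The threshold is the tunable part: a fortnight with no advisories at all from a large distribution is unusual enough to be worth an alert, whereas a few days is normal variance.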
This change needs to be done on the ftp-master, on the security host and on the wanna-build database (the database behind the buildd network).
In addition to that, on all buildd hosts that are supposed to build packages for "oldstable" as well (not all buildds do), the old "stable" build chroot needs to be renamed to "oldstable" and "oldstable" needs to be enabled in the configuration.
Additionally, on all buildd hosts the "stable" build chroot needs to be updated to the current "stable," or the old "testing" chroot renamed. These are used by the security builds as well.
All this should be done synchronously, but wasn't. On July 7th I wrote in my logbook that the buildd network seems to be finally fixed. Actually it was fixed two days before that article. Before that, one part or another was missing or not fixed totally.
In the Project Leader Report, Robinson points out that there was a failure in infrastructure and communication:
I have asked Andreas Barth to look into this situation and establish as clear a factual record as he can. Using this report, we should be able to attack the areas of weakness. One thing I'd like to see is better documentation of the internal workings of the security update process, perhaps in the Debian Developers' Reference. With a broader understanding of security workflow, I'm hopeful that people will be less likely to draw erroneous inferences about what the causes of problems are, and more likely to make offers of assistance that prove fruitful.
Robinson has also proposed making the security team DPL delegates, and points out that now would be a good time to add new members to the security team roster. Whether that has happened or not, however, remains up in the air. Schulze said that adding new members would be "discussed inside the security team". Robinson has not replied to e-mails asking about the security delays.
Schulze also said that the backlog of security updates that built up through June should be cleared out by now.
Around the same time, the Fedora Legacy project's security updates also seem to have been bottled up. The Fedora Legacy project has a gap for updates between June 5 and July 9 for all Red Hat and Fedora distributions supported by the Fedora Legacy project: Red Hat 7.3 and 9.0, and Fedora Core 1 and Fedora Core 2.
Some of the updates that were released in July by Fedora Legacy were rather tardy indeed. For example, the GNU Mailman advisory (CAN-2005-0202) was fixed by other distributions back in February. The PHP advisory on July 10 from Fedora Legacy was addressed back in April by Gentoo, Mandriva and others. (Debian's fix for this bug came out in May.) This post on the Fedora Legacy mailing list from Jesse Keating acknowledges that the legacy project has longer lead times on security updates.
It would seem that Debian's infrastructure problems have been solved, at least for now. However, the gap in updates is somewhat alarming. Debian has often been one of the first distributions to issue security updates and advisories, and has developed a well-deserved reputation for being quick to respond to security issues. We hope that the delay in updates while the project was transitioning from Woody to Sarge is a one-time issue, and that the transition from Sarge to Etch, whenever that happens, will go more smoothly.
The importance of speedy security releases can't be emphasized enough. Aside from the obvious PR problems when a distribution is behind in updates, Linux users need to be able to depend on updates as soon as they can be made available so that they are not subject to exploits any longer than is absolutely necessary.
Page editor: Rebecca Sobol
Inside this week's LWN.net Weekly Edition
- Security: Debconf5: Securing the Testing Distribution; New vulnerabilities in bugzilla, heartbeat, kdelibs, firefox, thunderbird, and more.
- Kernel: The 2005 Kernel Summit.
- Distributions: An early look at FreeBSD 6; Fedora BugZappers
- Development: Visualize Chemistry with GAMGI, new versions of libannodex, libfishsound, FCKeditor, MediaWiki, Wicket, gtkpod, iPodder, QjackCtl, BRL-CAD, PyX, Scribus, XCircuit, SQL_Ledger, Auctioneer, Thunderbird, NoteEdit, Firefox, GNU Classpath, DocBook XSL, Algol 68 Genie.
- Press: Firefox marketing site hacked, Linux spreads around the world, Where 2.0 Conference Wrap-Up, HP to restructure, Greg Wallace on embedded Linux, OpenOffice.org for newbies, OSDL's Linux Initiatives.
- Announcements: Mandriva settles Hearst litigation, Bill Joy Joins SpikeSource Board, Gimp needs friends, IDABC draft licence, Developer Shortcut Guide to SUSE LINUX, Australian Open Source Developers' Conference, European Conference on Computer Network Defence, EuroOSCON, USENIX Security Symposium, Ubuntu artwork.