June 8, 2005 10:38 AM PDT

Debian drops ball on security updates

A configuration mistake in the new Debian Linux distribution has forced a fix less than 24 hours after the software was released.

"New installations (of Debian 3.1 from CD and DVD) will not get security updates by default," Debian developer Colin Watson wrote in an e-mail warning. Installations from floppy disks or network servers were not affected.

Watson apologized and asked vendors to delay burning CDs or DVDs of Debian 3.1, saying that an update would be available shortly. However, Steve Langasek--another member of the release team--said on his blog that it would probably be a day or two before the updated CDs and DVDs were available everywhere.

"Whoops," Langasek wrote. "Don't go pressing those 10,000 copies of (3.1) just yet."

The good news for those who have already installed the operating system is that fixing the problem is a simple matter of replacing an entry in a configuration file.

Version 3.1 has been long anticipated by the Debian community, as it's been three years since the last major release of the software. This cycle is significantly slower than that followed by competing Linux vendors such as Red Hat.

Debian is not the only high-profile software project to be forced to fix a security flaw shortly after the time of release.

Netscape fixed two critical flaws in the new version of its browser in a similarly short time frame after it was released late last month. Ironically, Netscape marketed the release as being able to provide users with additional security features not found elsewhere.

Renai LeMay of ZDNet Australia reported from Sydney.

2 comments

I can't wait to read about this one on Slashdot
It sounds like something Microsoft would do, causing the world to end. But somehow we'll find that when a Linux distribution does it, it's okay.
Posted by Harfeld Bilgewing (60 comments )
Quality Control
Well, I am a Debian user who has been stung by the switch to Sarge on my server. I had the auto update function turned on, so it moved me from 3.0 to 3.1 without asking...and boom, now the ssh server is down. It's remotely located, and can't be rebooted until tomorrow.

The quality control of the Debian experience has been slipping lately. There are rough edges in the user interface that make it a steep learning curve. I am not talking about a fancy GUI, but rather packages that won't install without superfluous errors, and it asking questions in the middle of a long install that aren't easy to answer (have them all asked at the beginning, and have some method for the user to figure out what he should answer!).

Still, Debian installs on hardware that Red Hat Enterprise won't. I have only now just started using SuSE, and am encouraged because not only did it install on the HP LP1000R without a hitch, unlike Red Hat, but it did it in a smooth and professional style without warnings and package failure like Debian.

Then, there's also Gentoo.

Yeah, Slashdot people can be pretty brutal on Microsoft. Sometimes MS deserves it. But as one matures one realizes the best operating system is not a matter of religion but a matter of the right tool for the job. Sometimes that's Microsoft, sometimes it's Debian, sometimes it's OpenBSD, etc.
Posted by (1 comment )