SLUG Mailing List Archives
[SLUG] A comment on Linux Security Reviews
- To: seifried@xxxxxxxxxxxxxxxxxx
- Subject: [SLUG] A comment on Linux Security Reviews
- From: Jeff Waugh <jdub@xxxxxxxxxxx>
- Date: Wed Jul 26 17:06:21 2000
- Cc: Sydney Linux Users Group <slug@xxxxxxxxxxx>
- User-agent: Mutt/1.2i
Another member of SLUG (the Sydney Linux User Group), Ken Yap, lobbed in
another of his classic One Line Link grenades, pointing to your review of
various distribution's security:
My response (or, meta-review):
Argh! Same-old same-old.
"We didn't do Debian because it's not new." (Translation: We didn't do
Debian because we didn't make the effort to understand how the system
Two examples of Debian installations:
1) SLUG Server: Installed from three floppies a very minimal version of
slink, which is the official 'stable' version. Put the machine on the
network and within twenty minutes had potato installed, which is the
official 'frozen' version. The machine is automatically updated to recent
versions of the software in the potato archive.
2) My Desktop: Installed potato from CD and within an hour had woody
installed, which is the official 'unstable' version. The machine is
manually updated to recent versions of the software in the woody archive.
Two snags so far in woody: The php4-gd package (drawing functions etc) was
borked, so couldn't be installed with the newer php4, given the offer to
hold off upgrading all of the dependent packages. The openssl library has
been updated, but a lot of the software hasn't, if I were to install the
library, that software would have to be removed. Again, given the option to
hold the upgrade.
The beauty of Debian is that the idea of a distribution "version" goes out
the window. You progressively upgrade the important parts: The software. The
concept of a static, one-time software release for operating systems is old
hat, especially considering the complexity of modern systems and their mass
of inter-reliant software.
Question: You like your software developed by many, modified by many,
enhanced by many, and open to many, right? Why not choose a distribution
that is built under the same scrutiny (the 'bazaar'), rather than
entrusting this critical step in the formation of a stable operating
system to cathedral-style methods?
A thorough examination of the best method of:
a) Building the foundations of a complex array of software, and,
b) Distributing and updating that software
would have proven the authors credibility when reviewing security in the
Linux 'marketplace'. An article and review on security is not going to be of
interest to a desktop user (or, at least, shouldn't be necessary), and hence
the argument that updating Debian "is too hard" won't stick.
With apologies to 'Doc' at the end of Back to the Future,
"Where we're going, we don't need versions."
- Jeff (Ranty-Pants) Waugh
-- jdub@xxxxxxxxxxx ----------------------- http://linux.org.au/installfest/
I am Jack's implicit trust of ActiveX & VBScript. http://slug.org.au/