Warning: this article may contain opinions of the author that you and iTWire don't agree with.

Debian shows how security snafu should be handled

Opinion and Analysis


"I am satisfied that the problem has been dealt with well; however, it is a pity that it was a problem at all and most unusual in the Debian world, which normally prides itself on keeping the distro well secured," he said. "Many people who had earlier generated certs would have been fine. The biggest problem would be all the certs that were created by Debian (and related distros) for use on other servers - there is a good chance that many people wouldn't have any idea that they might be affected by this issue."

He said that for those using Debian and keeping up to date, there should be no problem and for them it would be old news; however, for anybody else who relied on a certificate that they didn't generate, or that was generated for them during the vulnerable period on the 'right (wrong)' servers, "well I'm sure that they would appreciate an article. I would wonder if the other distros' security lists have discussed the potential problems and risks."

Another member of the MLUG list, Robert Spykerman, who describes himself as a "dabbler" and one who only utilises PCs for his personal use, said: "I only became aware something was afoot when I was doing a scan for updates and saw the ssl libs were due for an update, which struck me as a bit odd. At this stage, I do not recall that the announcement had been made."

He said the positives were that Debian was open enough about it and the patches were quick, "before the announcement I believe."

On the downside, apart from the wide-ranging impact, he cited the fact that it took nearly two years to discover what had happened. Secondly, he said the package maintainer did not understand what he was doing, in such a critical library. "Clearly he wasn't aware of what he wasn't aware of, if that makes sense. In hindsight it looks so foolish, but I'm not sure what I would have done if I was in his position at the time (actually, I probably wouldn't have done it but that's easy to say now)."

He also cited as a downside that the patch was not properly fed back upstream to the original developers (especially in the light of the second downside), and said that releasing the announcement and the patches at the same time would have made for better management.

"Some people have been highly critical about the Debian guys screwing around with source they did not originate, but I do not believe this is solely a Debian issue. I wonder how many rpms have actually had their source altered by Red Hat et al," he added. "Unless you build everything from the original source I think you might expect some tampering in packages by distro makers/package maintainers."

A third list member, Rich Healey, pointed out that, as far as his knowledge went, all distributions applied their own patches. "One of the main things that distinguishes a distro from LFS is that you get a series of patches that the distro's maintainers feel are appropriate/beneficial. For example, diff the source of a Debian kernel with that of a Mandriva (kernel) or vanilla (kernel)," he said.

Unfortunately, the other LUG, the Linux Users of Victoria, did not think my post seeking reactions to the bug merited exposure. In sharp contrast to the openness displayed by the other group, my message never made it to their mailing list, even though it was aimed at the list which is meant for chatting "to like minded people about anything at all". All I received was an automated message that my message was waiting for approval. And that was on the evening of May 27.

Openness, I guess, has its limits. We're just lucky that projects like Debian take it seriously.
