Author's Opinion

The views in this column are those of the author and do not necessarily reflect the views of iTWire.


Thursday, 29 May 2008 21:32

Debian shows how security snafu should be handled

When mistakes occur within a free software project what does the head of such a group do? Does he or she run and take cover, try to justify the error by blaming others, or stand up and take the heat with an honest admission of error?

No matter the amount of pain caused by the OpenSSL bug which surfaced in the Debian GNU/Linux distribution earlier this month due to a developer's error two years ago, one has to hand it to the project for its reaction to what is the worst security snafu in the 15 years of its existence.

The advisory about the bug did not try to minimise the seriousness of the situation, nor did it try to put a spin on the cause. It was an old-fashioned geek advisory which set out things as they were. Florian Weimer, who issued the advisory, did not mince words. And the advisory came only after a fix was in place and tools for testing were on offer. In short, it was a well-organised affair.

Then there was the reaction of Debian project leader Steve McIntyre. The man did not try to duck when iTWire contacted him. He was nothing if not straightforward.

"The OpenSSL bug was an unfortunate mistake by one of our developers that has led to quite a lot of pain for many people, both inside our development community and elsewhere. For that, we must apologise and promise to do better in future," McIntyre said.

"There is a lot of discussion ongoing on our main development channels right now while we thrash out ways to improve our processes. We want to get more code review, both internally in Debian and with our upstream developers."

He added: "One of our strengths, and one of the reasons why our users tell us that they like and trust us so much, is that we don't try to hide our problems. We'll learn from the mistakes made here and, I hope, regain some of the trust we have lost."

One line of discussion on the developers' mailing list was kicked off by Joey Hess who proposed the idea that any changes to the sources from upstream be considered a bug; a second came from Raphael Hertzog who outlined a method of handling Debian patches to make them more visible.

(Debian developers make changes to packages due to one reason or another. One of the better known changes is the renaming of the Firefox browser as Iceweasel and the Thunderbird mail client as Icedove; these name changes were made because the Mozilla Corporation asked the project to stop using the name 'Firefox' in its version of Firefox, unless the fox on a globe logo was used. The logo could not be used because its copyright license is not free and violated the Debian free software guidelines. Further, even if the logo could somehow be used, the Mozilla people wanted to vet every patch applied by Debian before a package called Firefox containing it was released. This, plainly, was not a workable solution).

When a bug such as the OpenSSL one is disclosed, how do ordinary users react? How does the IT consultancy which is a small business - or often a one-man outfit - cope? To get an idea, I posted a message to both the local Linux user groups and asked for reactions.

The Melbourne Linux User Group continued the Debian tradition of openness and allowed my post to go through. List admin Mark Campbell jocularly commented that only Red Hat and its derivatives were of significance any more!

IT consultant Andrew McGlashan, who runs mostly the stable distribution (Etch) on servers, said he had to recreate some certificates and re-do the certificate authority as well. "Most access to my servers is limited to known and accepted IP addresses for anything requiring 'real' security though. Email and https are a little more," he added.

McGlashan said he thought the information was disclosed well enough on the Debian security mailing list and there was plenty of help for anyone who needed it to get sorted out after the problem was fixed.

"I am satisfied that the problem has been dealt with well; however, it is a pity that it was a problem at all and most unusual in the Debian world which normally prides itself on keeping the distro well secured," he said. "Many people who had earlier generated certs would have been fine. The biggest problem would be all the certs that were created by Debian (and related distros) for use on other servers - there is a good chance that many people wouldn't have any idea that they might be affected by this issue."

He said that for those using Debian and keeping up to date, there should be no problem and for them it would be old news; however, for anybody else who relied on a certificate that they didn't generate or was generated for them during the vulnerable period on the 'right (wrong)' servers, "well I'm sure that they would appreciate an article. I would wonder if the other distros' security lists have discussed the potential problems and risks."

Another member of the MLUG list, Robert Spykerman, who describes himself as a "dabbler" and one who only utilises PCs for his personal use, said: "I only became aware something was afoot when I was doing a scan for updates and saw the ssl libs were due for an update, which struck me as a bit odd. At this stage, I do not recall that the announcement had been made."

He said the positives were that Debian was open enough about it and the patches were quick, "before the announcement I believe."

On the downside, apart from the wide-ranging impact, he cited the fact that it took nearly two years to discover what had happened. Secondly, he said the package maintainer did not understand what he was doing, in such a critical library. "Clearly he wasn't aware of what he wasn't aware of, if that makes sense. In hindsight it looks so foolish, but I'm not sure what I would have done if I was in his position at the time (actually, I probably wouldn't have done it but that's easy to say now)."

He also said that the patch had not been fed back properly to the original upstream developers (especially in the light of the second downside), and that releasing the announcement and the patches at the same time would have made for better management.

"Some people have been highly critical about the Debian guys screwing around with source they did not originate, but I do not believe this is solely a Debian issue. I wonder how many rpms have actually had their source altered by Red Hat et al," he added. "Unless you build everything from the original source I think you might expect some tampering in packages by distro makers/package maintainers."

A third list member, Rich Healey, pointed out that, as far as his knowledge went, all distributions applied their own patches. "One of the main things that distinguishes a distro from LFS is that you get a series of patches that the distro's maintainers feel are appropriate/beneficial. For example, diff the source of a Debian kernel with that of a Mandriva (kernel) or vanilla (kernel)," he said.

Unfortunately, the other LUG, the Linux Users of Victoria, did not think my post seeking reactions to the bug merited exposure; in sharp contrast to the openness displayed by the other group, my message never made it to their mailing list even though it was aimed at the list which is meant for chatting "to like minded people about anything at all". All I received was an automated message that my message was waiting for approval. And that was on the evening of May 27.

Openness, I guess, has its limits. We're just lucky that projects like Debian take it seriously.


Sam Varghese


Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.
