DistroWatch Weekly, Issue 240, 18 February 2008
Welcome to this year's 7th issue of DistroWatch Weekly! Do you trust your distribution? Does it have what it takes to provide you with important and timely updates? The issue of operating system and applications security in the era of millions of interconnected multi-user computing systems is more important than ever. In this week's issue we investigate how different Linux distributions handled the much-publicised vmsplice() privilege escalation exploit announced last week. In the news section, the Fedora developer community offers more desktop options to their users, VectorLinux announces a fast, light edition designed for old hardware, and ex-Linspire's Kevin Carmony goes doom and gloom on the CNR.com software installation service. Looking ahead, this week is likely to deliver further opportunities for heavy distro testing with the upcoming arrival of the fifth alpha of Ubuntu 8.04 and the first release candidate for Mandriva Linux 2008.1. Happy reading!
Featured Story
Distributions and security updates
One of the main Linux stories of the past week was the security vulnerability affecting a considerable range of Linux kernels. The vmsplice() system call, introduced into the kernel in version 2.6.17 (and further expanded in versions 2.6.23 and 2.6.24, which resulted in two additional vulnerabilities), was responsible for the problem. Because of this flaw, an unprivileged user logged in to any system running a vulnerable kernel could easily obtain root privileges by executing certain code (this is known as a privilege escalation exploit). Millions of machines were affected.
The vulnerability was first made public on February 8th. According to the Linux kernel changelog, it was fixed the same day and a new kernel, version 2.6.24.2, was made available on February 11th. The issue was widely publicised on February 11th, when many Linux news sites ran stories describing the problem and some even linked to the code that was capable of exploiting the vmsplice() vulnerability. Although rated as "less critical" (or 2 out of 5 on the severity barometer) by Secunia and "important" (rather than "critical") by Red Hat, any multi-user system running an unpatched kernel was vulnerable, and the chances of a successful compromise of such a system increased dramatically. Even single-user desktop machines could be compromised when the flaw was combined with an unrelated code execution exploit: any code that gained an ordinary user's privileges through, say, a vulnerable application could then use vmsplice() to become root.
Linux distributions started releasing patches on February 11th, the same day the news became widely known. But how fast were they? Naturally, most distributions will always need some time to evaluate the best possible approach and to test the resulting updates. Much depends also on the number of kernels and products that need to be patched and tested, the availability of the distribution's security experts, work coordination across time zones, and the level of bureaucracy in each organisation. Still, from the end-user's point of view, the sooner the update is released the better.
So is your distribution affected by this vulnerability? And if it is, how would you find out? In the UNIX world, all major software vendors issue security advisories, which they distribute through a variety of channels. A dedicated security mailing list was (and still is) the most popular method of informing users, but other options, such as RSS feeds, press releases or update daemons that periodically check for updates are now also used by some distributions. Still, a security advisory is the most important document - it not only informs about a security issue in a product, it also tells the user what to do to patch the vulnerability.
A number of security advisories were published last week, shortly after the vmsplice() exploit became widely known. Debian GNU/Linux was the first to issue a fix, but within a day or two most major distros followed suit with their own announcements. Of the Linux distributions that have an established policy of releasing security advisories, only Gentoo Linux has failed to publish one; although the vmsplice() issue has already been reported in Gentoo's Bugzilla, no security fix has been made available at the time of writing. (Update: Apparently Gentoo does not issue security advisories for the Linux kernel; however, the vmsplice() vulnerability was fixed and an announcement was published on February 13th.)
Nowadays, many popular distributions don't publish security advisories. This is especially true for community projects and desktop distributions, many of which just don't have the manpower to publish formal announcements. There are even distributions that don't provide updates at all. In an ideal world, all Linux users would run a distro that does have a well-established security infrastructure and would be subscribed to their project's security mailing list, but the real world is different. Still, operating system security is something that no serious project or user should compromise on.
Many DistroWatch readers run a Linux distribution that does not appear in the above table. If you are one of them, is your operating system vulnerable to the vmsplice() exploit? It depends. As an example, PCLinuxOS does not publish formal security advisories, but looking at its current directory, all their kernel packages have a time stamp of 11 or 12 February - presumably to correct the vmsplice() issue. If you updated your PCLinuxOS installation during the last few days, you should be safe. Similarly, Linux Mint does not provide security advisories, but the distribution comes with an automatic update utility called mintUpdate, which should have picked up the kernel update from upstream (Ubuntu). Nevertheless, even if PCLinuxOS and Linux Mint do provide security updates, they are still guilty of not making update information available to their users in a clear manner.
Other users might be even less lucky. Some developers of Arch Linux have previously argued that security announcements are redundant for their distribution as it uses the "rolling package update" mechanism with continuous package updates. But a quick look at their core tree reveals that six days after the vmsplice() vulnerability was published, it still only lists the vulnerable 2.6.24.1 kernel (correction: Arch Linux released a fix on February 10th). Users of Sabayon Linux have been left completely to their own devices - the project provides no security advisories or package updates. And although Zenwalk Linux does have a security section in the forum, there is no mention of the vmsplice() vulnerability at all. Many other distributions provide very few clues on whether or not they have provided a patch for the vulnerability or even whether they are aware of it; this includes SimplyMEPIS, VectorLinux, Puppy Linux and others.
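Checking whether a given kernel falls in the affected range is easy, but the version number alone misleads for distributions that backport fixes without bumping the upstream number (Debian's fixed stable kernel is still a 2.6.18). The following Python script is an added example for this article, not a DistroWatch or distribution tool: it parses a `uname -r` string, compares it against the range given above (2.6.17 up to and including 2.6.24.1, fixed upstream in 2.6.24.2), and treats a CVE-2008-0600 or vmsplice mention in the package changelog as evidence that a backported fix is present. The function names and the sample changelog are assumptions constructed for the example.

```python
"""Decide whether a kernel release string falls in the vmsplice() range.

Hypothetical helper written for this article; not a DistroWatch tool.
"""
import platform
import re

# Affected upstream range as the article states it: vmsplice() arrived in
# 2.6.17 and the upstream fix shipped in 2.6.24.2, so every vanilla kernel
# from 2.6.17 up to and including 2.6.24.1 is affected.
FIRST_AFFECTED = (2, 6, 17, 0)
FIRST_FIXED = (2, 6, 24, 2)

# Markers a distribution's changelog uses for the fix (the CVE id and the
# name of the affected syscall); either one counts as evidence of a backport.
FIX_MARKERS = re.compile(r"CVE-2008-0600|vmsplice", re.IGNORECASE)

# Leading numeric part of a `uname -r` string: 2.6.22-6-686 -> 2, 6, 22
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:\.(\d+))?")


def parse_kernel_version(release):
    """Map a `uname -r` string such as '2.6.22-6-686' or '2.6.24.1-ARCH'
    to a four-element tuple; distro suffixes after the numbers are dropped."""
    m = _VERSION_RE.match(release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release string: {release!r}")
    return tuple(int(p) if p is not None else 0 for p in m.groups())


def version_in_affected_range(release):
    """True when the upstream version number alone says 'affected'."""
    return FIRST_AFFECTED <= parse_kernel_version(release) < FIRST_FIXED


def assess(release, changelog=""):
    """Combine the version check with the package changelog.

    Distributions such as Debian backport fixes without changing the upstream
    version, so an affected-looking number is only a warning; the changelog
    (or the distribution's advisory) is what confirms the fix.
    Returns 'unaffected', 'patched' or 'check-advisory'.
    """
    if not version_in_affected_range(release):
        return "unaffected"
    if FIX_MARKERS.search(changelog):
        return "patched"
    return "check-advisory"


# Constructed sample changelog, modelled on the Debian testing entry a reader
# quotes in the comments below; not the real package file.
SAMPLE_CHANGELOG = """\
linux-2.6 (2.6.22-6.lenny1) testing-security; urgency=high
  * bugfix/vmsplice-security.patch
    [SECURITY] Fix missing access check in vmsplice. See CVE-2008-0600
"""


def examples():
    """Run the checker over a few constructed release strings."""
    return {
        "2.6.16-2-686": assess("2.6.16-2-686"),
        "2.6.24.1-ARCH": assess("2.6.24.1-ARCH"),
        "2.6.24.2": assess("2.6.24.2"),
        "2.6.22-6-686 (no changelog)": assess("2.6.22-6-686"),
        "2.6.22-6-686 (lenny1 changelog)": assess("2.6.22-6-686", SAMPLE_CHANGELOG),
    }


if __name__ == "__main__":
    for label, verdict in examples().items():
        print(f"{label:35} -> {verdict}")
    # The running kernel: without a changelog this can only say 'unaffected'
    # or 'check-advisory', which is exactly the point of the article.
    print(f"running kernel {platform.release()} -> {assess(platform.release())}")
```

Run stand-alone it prints the verdict for each constructed string and for the host's own kernel. A 'check-advisory' verdict is deliberately not 'vulnerable': the only reliable answer for a distribution kernel is the one in its security advisory or package changelog, which is why the article treats the advisory, not the version number, as the document that matters.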
Miscellaneous News
Fedora and alternative desktops, VectorLinux Light, Kevin Carmony on the future of CNR.com
Fedora is often seen as a predominantly GNOME-centric distribution, but ever since the project started encouraging community participation in the development work, there are signs that this old status quo is changing. At least that's how one feels after reading this interview with Sebastian Vahl, Rex Dieter and Kevin Kofler, members of the KDE Special Interest Group (SIG) at Fedora: "There has always been lots of animosity against Fedora on dot.kde.org, the KDE news site, mostly due to old gripes against Red Hat Linux 8.0 (and some of that will probably never go away, it's like the old "Qt is not free" troll which is completely obsolete, yet still comes up from time to time), but lately there have been more and more positive echoes. Doing such PR is not an easy task though, as even correcting obvious inaccuracies can be perceived as flamebait (and thus backfire). On the other front, within Fedora, we're all working on getting KDE recognized as much as possible, ensuring it gets the first class citizen treatment it deserves. All in all, I'm happy with where we're headed."
Still on the subject of Fedora and its desktops, Rahul Sundaram has announced a special Fedora 8 Xfce spin, the project's unofficial, light-weight edition: "I am pleased to announce the immediate release of a brand new and sparkling Fedora 8 Xfce Spin. Fedora Xfce Spin is a bootable Fedora live CD image available for the x86 and x86_64 architectures. It can be optionally installed to hard disk or converted into boot USB images and is ideal for Xfce fans and for users running Fedora on relatively low resource systems. This release includes the latest Xfce release, 4.4.2, which integrates many new features and bug fixes. Along with the basic Xfce desktop environment, the Thunar file manager and a comprehensive set of plugins and additional Xfce utilities like the Xarchiver archive manager and the Orage calendar application are included. All available languages in Fedora have also been integrated with this release." The live CD images are available for download from here: Fedora-8-Live-XFCE-i686.iso (620MB, SHA1, torrent), Fedora-8-Live-XFCE-x86_64.iso (687MB, SHA1, torrent).
* * * * *
VectorLinux originally started as a light-weight distribution designed for older hardware, a market long abandoned by most major distro makers. Although the project later also expanded to cover general office computing needs with its SOHO edition, VectorLinux Basic still remains an operating system with a reasonably light footprint. However, to satisfy users who wish to run the Slackware-based distribution on very old hardware, the project announced last week the release of VectorLinux Light: "VectorLinux announces the newest member of the VL5.9 family: VL-Light. VL-Light turns an ageing PC into a usable computer again. Living up to the VL motto of 'When Choice Matters,' we give you lots of choices in a small package. We have included JWM and Fluxbox Window Managers, Xfe and PC Man file manager, Opera, Dillo and Lynx Web Browsers, xine, MPlayer, and XMMS for multimedia, and AbiWord and Gnumeric for office tasks." The first beta of the installation CD is available for download from here: VL5.9-Light-B1.iso (334MB, MD5).

VectorLinux 5.9 "Light" edition running the default JWM desktop (full image size: 603kB, screen resolution: 1280x1024 pixels)
* * * * *
Kevin Carmony, a controversial former CEO of Linspire who recently switched his allegiance to Ubuntu, has written an interesting blog entry on the current state of CNR.com, Linspire's flagship software distribution service. Since Linspire has not made enough effort to maintain a good working relationship with Ubuntu, he argues that CNR.com (and, by extension, possibly even Linspire and Freespire), is likely to fail: "Unfortunately, since leaving Linspire, it appears the Ubuntu relationship is on the rocks. I know since I switched to Ubuntu, I haven't even bothered trying CNR.com. The built-in software management system Ubuntu has is a better experience, and all they need to do is add a commercial piece (easy enough for them to do), and they'd have little use for CNR.com. It would appear Linspire has figured this out as well and sees the writing on the wall, and that without Ubuntu, CNR.com will fail."
Released Last Week
LinuxTLE 9.0
LinuxTLE is a Thai community distribution based on Ubuntu, with emphasis on complete support for Thai throughout the user interface. A major new update, version 9.0 "Hua-Hin", based on Ubuntu 7.10, was announced today. Some of the new features in this release include: support for 3D desktop features with Compiz Fusion; Iceweasel with pango-ligature and LibThai patches for Thai support; Thai-enabled OpenOffice.org 2.3.0; new fonts (Arundina, Angasana, Cordia); updated Thai scalable fonts by TLWG; introduction of the Brasero CD/DVD burning application and the DisplayConfigGTK display configuration utility; new artwork and desktop theme. Please read the full release announcement (in Thai) for further details.

LinuxTLE 9.0 - an Ubuntu-based community distribution for Thai speakers (full image size: 799kB, screen resolution: 1280x1024 pixels)
Parted Magic 2.0
Patrick Verner has announced the release of Parted Magic, a specialist live CD designed for hard disk partitioning tasks: "Parted Magic 2.0 is finally released! GParted has been forked to VisParted to add features GParted doesn't have. VisParted can read and write volume labels for most supported file systems. Point and click disk wiping was added. When you mount a partition with VisParted, a Thunar window will open at the selected location. Desktop icons are automatically created for mounted CDs, DVDs and USB flash drives. The boot menu is all new and all the boot options can be displayed by hitting F1. Networking and Firefox were added to surf the web, to get help and to view the online documents. A simple 7zip package management system was created so users can add their own stuff with little effort." Visit the project's news page to read the release announcement.

Parted Magic 2.0, running the recently forked VisParted graphical hard disk partitioning tool (full image size: 486kB, screen resolution: 1280x1024 pixels)
SLAX 6.0.0
Tomáš Matějíček has announced the final release of SLAX 6.0.0: "SLAX 6 is released. What's new? First, SLAX is officially released in two forms - ISO and TAR. The ISO format (labelled as 'SLAX for CD') is to be burnt to a CD, while the TAR format (labelled as 'SLAX for USB') is for all who need to run SLAX directly from USB media or from a disk. Simply unzip the tar archive directly to your device (to its root directory, it will create 'boot' and 'slax' subdirectories). That's almost all; you only need to make it bootable. For that purpose, navigate to the 'boot' directory and find bootinst.sh (if you are in Linux) or bootinst.bat (if you are in Windows). Run it. Linux users will need to use root account for that. The script will set up the device to be bootable. If you are using 'SLAX for USB', you will notice that all the changes you made are permanent." Read the rest of the release announcement for more information.

SLAX 6.0 - the default desktop (full image size: 621kB, screen resolution: 1280x1024 pixels)
Debian GNU/Linux 4.0r3
Joey Schulze has announced the availability of the third update to Debian GNU/Linux 4.0: "The Debian project is pleased to announce the third update of its stable distribution Debian GNU/Linux 4.0. This update mainly adds corrections for security problems to the stable release, along with a few adjustments to serious problems. The installer has been updated to use and support the updated kernels included in this release. This update also includes stability improvements and added support for SGI O2 machines with 300 MHz RM5200SC (Nevada) CPUs. Flashplugin-nonfree has been removed, as this is closed source and we don't get security support for it. For security reasons, we recommend to immediately remove any version of flashplugin-nonfree and any remaining files of the Adobe Flash Player. Tested updates will be made available via backports.org." Read the rest of the release announcement for a detailed list of all changes.
Greenie Linux 1.2.8 "Battle For Wesnoth"
Stanislav Hoferek has announced the release of Greenie Linux 1.2.8, "Battle For Wesnoth" edition, a live CD featuring the latest version of the popular game. The freely downloadable CD image contains a light-weight operating system based on Xubuntu 7.10 with Linux kernel 2.6.22, Xfce, Wesnoth 1.2.8 with additional campaigns, Poedit (for Wesnoth translators), Gedit with the ability to view WML syntax, GIMP 2.4, AbiWord, the Xfmedia player, Firefox, Pidgin and gFTP (to send files over the Internet). The CD also contains binaries for Windows (Wesnoth stable 1.2.8, development 1.3.16) and the Wesnoth 1.2.8 source code, and Poedit is included for Windows, Mac OS X and Ubuntu as well. This is an installable live CD for players, WML programmers and translators. More information is available on the distribution's web site (in Slovak; the live CD itself is in English).
* * * * *
Development, unannounced and minor bug-fix releases
Upcoming Releases and Announcements
Summary of expected upcoming releases
DistroWatch.com News
New distributions added to waiting list
- Damn Small Solaris. Damn Small Solaris is a minimalist build of OpenSolaris that fits on a 64MB live CD. The project's web site is in Russian.
- NuFW.Live. NuFW.Live is a KNOPPIX-based live CD featuring NuFW, a firewall that adds user-based filtering to Netfilter.
- Tartuga. Tartuga is a remastered build of Damn Small Linux with extra software and functionality.
* * * * *
DistroWatch database summary
And this concludes the latest issue of DistroWatch Weekly. The next instalment will be published on Monday, 25 February 2008.
Ladislav Bodnar
Reader Comments
1 • Arch Kernel (by bkk_m on 2008-02-18 11:48:45 GMT from Thailand)
FYI, Arch Kernel has been patched on Feb 10. http://cvs.archlinux.org/cgi-bin/viewcvs.cgi/base/kernel26/pre-2.6.24.2.patch
2 • No subject (by Jimbo on 2008-02-18 11:51:21 GMT from United Kingdom)
Oooooh! An XFCE version of Fedora. Just what the doctor ordered. I'll have to give that a try.
3 • No subject (by Anonymous on 2008-02-18 12:09:49 GMT from Romania)
> And although Zenwalk Linux does have a security section in the forum, there is no mention of the vmsplice() vulnerability at all.
Ladislav, you're not informed. The security section is useless anyway, as the last announcement is from 2006/12/29 (you can , but it has been a discussion on that issue (in French): http://forum.zenwalk.fr/forum-t220-p1,vulnerabilite-du-noyau-criticite-5-sur-5.html
They have not patched it as of yet, and they weren't very keen to do it.
> Many other distributions provide very few clues on whether or not [...] this includes SimplyMEPIS, VectorLinux [...]
Once again, this is wrong. Vector Linux has taken a peculiar way of patching the issue: a kernel module that would prevent the vmsplice syscall was issued on Feb. 11: http://vectorlinux.osuosl.org/veclinux-5.9/patches/kernel/novmsplice-1.0_2.6.22.14-i586-1vl59.meta http://vectorlinux.osuosl.org/veclinux-5.9/patches/kernel/novmsplice-1.0_2.6.22.14-i586-1vl59.tlz
4 • Puppy protected by Buddha (by Lobster on 2008-02-18 12:12:29 GMT from United Kingdom)
Does not apply . . .
Puppy was fixed before the security breach even arrived http://www.murga-linux.com/puppy/viewtopic.php?p=173550&search_id=1103280960#173550
Though Puppy is run on networks and can be used with passwords for tin-hats it is generally designed to be used on single desktop machines.
Our main security measure is to welcome all frisky Linux users to use Puppy. White hats, grey hats, black hats, tin hats and ubuntu users
We also employ a Buddha Protection Scheme http://tmxxine.com/wik/wikka.php?wakka=NewBodhis
Less FUD, more Fun :)
5 • Kevin Carmony (by Jeff Waugh on 2008-02-18 12:27:25 GMT from Australia)
Note that Kevin Carmony has not "joined Ubuntu" (which could mean Canonical), he just announced that he was using it.
6 • One more about Arch (by KimTjik on 2008-02-18 12:28:31 GMT from Sweden)
It looks like some assumptions are done in this article without real knowledge about how the community and forum works.
The first main subject in the Arch forum is: " Announcements, Package and Security Advisories". Why do you then indicate that developers don't think such fixes are important?
The fixed kernel was released on the 10th of February with an announcement in the above mentioned thread. Some hours after that you could read in this post: "Attention! kernel26-2.6.24.1-2 package includes an important security fix (local user privilege escalation). Everyone is encouraged to upgrade, especially on a system with ssh accounts.
Last edited by ise (2008-02-11 06:45:34)"
So, to make it really clear that this update was important for security you see "Attention!" here, and the time stamp is early in the morning of the 11th of February.
The kernel was according to pacman built "sön 10 feb 2008 16.24.00".
The article seems to be too hastily put together.
7 • Gentoo's security advisory for the vmsplice() vulnerability (by Mark Kowarsky on 2008-02-18 12:31:34 GMT from Australia)
Just a heads up that gentoo-sources-2.6.{23-r8,24-r2} were added to the tree with the fix for the vmsplice() vulnerability on Mon Feb 11 00:04:10/00:05:48 2008 UTC.
As mentioned in http://www.gentoo.org/news/20080213-vmsplice.xml "Gentoo isn't releasing GLSAs for kernels because of the huge amount of work to track them for all 18 of our available kernel sources and versions within each of those. If you'd like to help change this by contributing, contact our security team."
8 • Kernel Security (by Chris Hildebrandt on 2008-02-18 12:34:50 GMT from Austria)
The vulnerability mentioned is one of the reasons why sidux provides its own kernels, patched directly from the official vanilla kernel. That way the sidux kernel team had its patched kernels for i386 and amd64 ready in the repos before mother Debian had published DSA 1494-1: http://sidux.com/PNphpBB2-viewtopic-t-8828.html on February 10th
Greetings, Chris
9 • gentoo also! (by Stefan on 2008-02-18 12:42:00 GMT from Germany)
Gentoo patched it also, as can be seen on the main gentoo.org page. The note on gentoo.org has the 13th as its date. It's written there: "gentoo-sources-2.6.23-r8 and gentoo-sources-2.6.24-r2 were added to the tree Monday and include fixes for both issues. Install the latest gentoo-sources as quickly as possible." which means that the issue was fixed on the 11th as well...
10 • RE: 6 One more about Arch (by ladislav on 2008-02-18 13:08:42 GMT from Taiwan)
OK, my mistake, I didn't see the forum post.
Still, a random developer's post on a forum is not quite the same as GPG-signed, detailed advisory published on a mailing list dedicated to security. Arch has a mailing list already - why can't they just add another one?
The point here is that a user shouldn't have to LOOK for security advisories, they should be delivered to the user via mailing lists or RSS feeds. The Arch way is not right - what if I don't visit their forum or if I only visit once a month? Then I am excluded from finding out about any security problems.
Some distributions do this right, some don't. Those that don't should consider fixing it. That's the point of the story.
11 • another one about Archlinux (by dolby at 2008-02-18 13:14:58 GMT from Greece)
So, if Debian developers patched the kernel on 2008-02-11 13:58 and you count that as +0 hours can anyone tell me how many hours minus point zero the Archlinux developers patched theirs if they did it on Sun Feb 10 15:02:39 2008 UTC ? I am not good at math :/
12 • answ 11 :NaN: Not a Number (by dbrion on 2008-02-18 13:23:07 GMT from France)
You ask to subtract the time Debian *announced* a bug fix (parts of it were already fixed, parts of it were not) from the time of a *nonexistent (on a formal way/channel, at least) announcement*.
13 • RE: 11 another one about Archlinux (by ladislav on 2008-02-18 13:26:42 GMT from Taiwan)
No, the table doesn't show when Debian patched their kernels. It lists the times of publication of official security advisories.
14 • Wesnoth (by Elven on 2008-02-18 13:28:25 GMT from Slovakia)
Users who would like to download the Wesnoth live CD: our (only) mirror was overrun, please use BitTorrent.
more info: http://greenie.sk/downloads/wesnoth.html
Thanks
15 • none of them so bad (by NK on 2008-02-18 13:29:51 GMT from United States)
While It did take 1-2 days to get most distros patched, It *still* beats having to wait a month for "patch tuesday."
16 • If the security guy said... (by FM on 2008-02-18 13:41:07 GMT from United Kingdom)
Personally, you would have had to live in a bubble to miss it. Next, had a security guy said, well, the distro hadn't released a security notice, it would hardly have been an excuse, would it?
The real one is how quickly did the security sites report this back not distro. Personally do I give a damn how quick or even whether I get a security notice.
It's how quickly it got fixed.
17 • Kevin Carmoney, CNR likely to fail (by gabbman on 2008-02-18 13:41:56 GMT from Canada)
Why has it taken him so long to learn what 95% of the world knew 5 years ago.
18 • Releases (by Christoffer Brodd-Reijer on 2008-02-18 13:43:23 GMT from Sweden)
Maybe a little OT but is there a way to get all this "Summary of expected upcoming releases" in iCal format or anything similar so that I can import it into my Google Calendar?
19 • Wesnoth (by Elven on 2008-02-18 13:43:44 GMT from Slovakia)
It looks like Ladislav fixed it, many thanks :)
20 • Kevin Carmoney, CNR likely to fail (by Jimbo on 2008-02-18 13:53:53 GMT from United Kingdom)
CNR is a very good concept, the problem is Linspire is in charge of it.
21 • good article on vmsplice vulnerability (by Andrea on 2008-02-18 13:57:01 GMT from Italy)
Debian really nailed it this time. I patched my debian server and had to wait a while for my ubuntu machines...
22 • Security Mailing Lists & Bugtrackers (by Chris Hildebrandt on 2008-02-18 14:02:42 GMT from Austria)
"The point here is that a user shouldn't have to LOOK for security advisories, they should be delivered to the user via mailing lists or RSS feeds."
@ Ladislav: I fully agree with you that people definitely should not need to look for security, but instead the security related stuff should be pushed to them.
However, please accept that there are different ways of pushing (and mailing lists/RSS feeds are just semi-push). Several distributions use tools for automated upgrade warnings, others use RSS feeds created from their forums, again others integrate cron scripts pulling & pushing the warnings and upgrades. Again another distribution might create scripted warning popups via IRC bouncers (never seen that, just to give another wild additional example).
The tools used depend very much on the culture and the preferred and well known information channels a distribution is using. Mailing lists are mostly used and read by developers themselves and server admins, while an average desktop user might just very rarely be reading them. RSS feeds are fine, but also often crowded at the client side.
All auto-update notifier applications are great - as long as they are installed and activated on the user side. Sticky forums are wonderful - for the people who visit the forums often.
My point is, getting desktop machines as secure as possible is not an easy task - and is definitely not done with dedicated security bulletins via mailing lists. It is done by knowing and understanding the user base, and pushing information and fixes to them via the channels that are best working for them. We might even call them by phone some day - why not.
Besides that, thanks for the interesting article - and thanks for putting a very important topic up to discussion.
Greetings, Chris
23 • No subject (by Anonymous on 2008-02-18 14:11:13 GMT from United States)
Thanks for fixing the statement about Arch. I do not completely agree with your argument that there needs to be security postings in Arch, however, as the nature of the distro is that you should always be updating to the latest versions, or not use Arch. If you do not regularly update with Arch you will quickly have a broken system so there is no motivation to encourage users to do certain upgrades. With other distros this is often not the case.
And, just to clarify, if you are using Debian on the desktop, you need to be careful. Only kernel 2.6.18 was fixed with that security update. The vast majority of desktop Debian users I know run testing and a few run unstable. This announcement did not apply to them; I do not know when or if the issue has been addressed.
If you use Debian testing or unstable, here is relevant info from their homepage. While it is tempting to use software that is not badly out of date you have to realize what you are sacrificing (perhaps you do not care about security, in which case it is not a big sacrifice).
Q: How is security handled for unstable?
A: The short answer is: it's not. Unstable is a rapidly moving target and the security team does not have the resources needed to properly support it. If you want to have a secure (and stable) server you are strongly encouraged to stay with stable.
Q: How is security handled for testing?
A: If you want to have a secure (and stable) server you are strongly encouraged to stay with stable. However, there is some limited security support for testing: The Debian testing security team handles unembargoed issues for testing....
24 • DREAMLINUX SCREENSHOTS + security advisories (by moondowner on 2008-02-18 14:12:44 GMT from Macedonia)
"Nowadays, many popular distributions don't publish security advisories." True, PCLinuxOS, Mint, and all of the forked distributions depend on the distro they are based on, so they wait for them to fix the problem. If someone wants security, fast updates, and security advisories, I think the best choice is to try a distro which has commercial support, such as Fedora, openSUSE or Ubuntu.
"Many DistroWatch readers run a Linux distribution that does not appear in the above table." Maybe true, but when I see the Page Hits per Day table, that number of readers is not so big after all. And, besides, it's the readers' opinion and choice to decide which Linux distro to use. They are not forced to use a specific one. That's why I always like openSUSE, it has professional support, if you want it :)
Now, something off topic, here are some screenshots I took of DreamLinux (a distro which made a good move by moving to Debian base) so here are screens of the GNOME and XFCE desktop. http://mklinuxos.blogspot.com/2008/02/dreamlinux-30-beta-3-screenshots.html
25 • Addition to 23 (by Anonymous on 2008-02-18 14:18:19 GMT from United States)
Just as an example, I wondered why my Debian testing box still had Iceweasel 2.0.0.11 quite a while after 2.0.0.12 was released. A little investigation revealed that 2.0.0.12 was in the repos for stable, but testing was still at 2.0.0.11.
If security is a concern, you should either use stable or a different distro. I am not attacking Debian, just clarifying, because some users might get the wrong impression from the article.
26 • RE 24 (by dbrion on 2008-02-18 14:29:36 GMT from France)
", but when I see the Page Hits per Day table, that number of readers "(of DW)" is not so big after all." The Page Hits per Day is not linked with the number of readers of DWW, nor with the number of users of DW's well cared for tables. Often, I never click on any distro (if I get curious about Dreamlinux, I will click on it; if I want to know about a package, the fastest way is to select a distro at random, and fetch the link to the package; if I were a fanboy of demagogic distributions, I would cli-cli on them until I break my mouse....). Anyway, the number of readers might be 10 or 20 times the number of rat-hitters..
The link between quality and having commercial parts (thence professional support) is in contradiction with the mere existence of Debian....: there exist professionals who are generous enough to share parts of their knowledge and experience in software management, during their free time (FYI, my main Linux at work is a Red Hat clone, WhiteBox; I am not too biased towards Debian)....
27 • Mint Safe From Vulnerability???? (by Anonymous on 2008-02-18 14:44:48 GMT from United Kingdom)
Yes, you can get the patch for the recent security update via Mint Update, but only if you have level 5 enabled, which by default it is not. This is from their recent newsletter: "Major Linux security hole found [5] This does not affect Mint though. The hole is there from kernel 2.6.17 all the way up to 2.6.24.1. It can however only be exploited from 2.6.23 onwards and Mint has 2.6.22. More here" Also there's been no major announcement on their forums, so how safe are they????? Because surely most Mint users who don't check out other Linux sites know this vulnerability exists.
28 • @ 24 (by kdulcimer on 2008-02-18 14:51:47 GMT from United States)
"PCLinuxOS, Mint, and all of the forked distributions depend on the distro they are based, so, they wait for them to fix the problem."
True for Mint, not true for PCLinuxOS. Whereas Mint uses an Ubuntu kernel, PCLinuxOS does not use a Mandriva kernel.
29 • Re: 10 (by Dima on 2008-02-18 14:57:11 GMT from Israel)
Actually, Ladislav, you wouldn't have had to visit the forum in order to receive the fix. A simple 'pacman -Syu' would have installed the kernel26-2.6.24.1-2 package, which already includes the patch. And as any Arch Linux user will tell you, 'pacman -Syu' is run pretty much every day by them. Despite not having a security mailing list, or security advisories on the website, Arch packages are updated very fast by the package maintainers in case of a security issue. It's not ideal maybe, but it works.
Anyway, thanks for another great DistroWatch Weekly :)
30 • RE: 23 (by debianista on 2008-02-18 14:59:30 GMT from Finland)
"And, just to clarify, if you are using Debian on the desktop, you need to be careful. Only kernel 2.6.18 was fixed with that security update. The vast majority of desktop Debian users I know run testing and a few run unstable. This announcement did not apply to them; I do not know when or if the issue has been addressed."
I use Debian Testing on the desktop and I recently installed a new kernel as a security update. Here's what the changelog says:
"linux-2.6 (2.6.22-6.lenny1) testing-security; urgency=high * bugfix/vmsplice-security.patch [SECURITY] Fix missing access check in vmsplice. See CVE-2008-0600
-- Stefan Fritsch Sun, 10 Feb 2008 19:00:56 +0100"
So it looks like the Debian testing security team is doing a good job. :-)
31 • IMHO, 2 (maybe 3) things should happen (by IMQ on 2008-02-18 15:05:36 GMT from United States)
1. There should be an announcement on the homepage of the distro letting the users know that they are aware of the problem
2. When the users can expect to get the update
3. An in-the-meantime workaround (if any)
It could be something as simple as, for example:
1. Have no fear, we are fully aware of the freaking problem with (fill in the blank the name of the monster that keeps you up at night)
2. Just so you know, we are kicking our asses right at this minute to get the update for you as soon as humanly possible (we are humans, but you know that, right?)
3. Until then, please cover your ass by doing this workaround
The users who learn of the problem from somewhere else will feel much better when they rush over to their favorite distro's homepage and see the above announcement. No doubt, they'll all be thinking, "Damn, my favorite distro is kicking ass", with a smile (or is it a grin) on their faces.
32 • Arch Linux correction (by Filip on 2008-02-18 15:08:02 GMT from United States)
Thanks for the correction about Arch Linux in the featured story... However, I think it would be only fair to also add Arch Linux to the table that lists distros and the delay before the update, considering that Arch Linux team was *one of the first distros* to fix the issue for their users. The date you give in the correction (Feb 10), as much as it pains me to admit it, is probably too optimistic though -- my guess is that the original post from Feb 10 was edited (the edit date is 2008-02-11 00:45:34) to include the information about the vulnerability and the fix for it.
33 • Debian Branches (by dooooo on 2008-02-18 15:09:43 GMT from Jordan)
Using Debian testing is definitely a bad idea. If you're looking for an up-to-date system, you should use sid "unstable". The testing repo is incomplete and fixes usually take a lot of time before they get ported. This is not the case in sid, as it comes with a more complete repo and bugs usually get fixed fast.
I personally use sid. I installed "apt-listbugs" and "apt-listchanges" to avoid buggy updates and to follow all the changelogs.
Vmsplice and kernel updates: I personally use the kernels available at http://kernel-archive.buildserver.net .
I think the update of kernel 2.6.24 was available on the same day as the official 2.6.24.2 release. But I need confirmation from someone who is better informed.
34 • More Arch Linux (by Archfan on 2008-02-18 15:41:40 GMT from Peru)
On the main site of Archlinux: http://www.archlinux.org/ you have a topic called Latest News (which can also be received by RSS) talking about the new kernel: http://www.archlinux.org/news/383/ As you can see, that was published 2008-02-10, so this issue may affect other distros but not Arch. Anyway, a simple pacman -Syu, as Dima said, would give the latest of the latest. Arch Rocks!!!!:)
35 • RE 26 (by moondowner on 2008-02-18 15:53:34 GMT from Macedonia)
"The Page hits per Day is not linked with the number of readers of DWW, neither with the number of users of DW well cared tables." I got the point, thanks for pointing it out :)
" ... I never click on any distr ... if I were a fanboy of demagogic distributions, I would cli-cli on them until I break my mouse ... " I think that I read in a DWW a long time ago that the IPs of the 'clickers' are monitored, and by that, I think that it doesn't matter how many times you click: one IP equals one click. Don't take me seriously, this is only my speculation, but I think that that is the way it goes.
And another thing, I think that the so called 'fanboys', for whichever distro they are, need an education for how to contribute. Clicking and statistics is no contribution at all. Helping newbies, writing howtos and stuff like that is much more welcome ;) And I agree with you about Debian.. although I don't use it (I'm stuck with RPM-KDE-Based distros like Mandriva and openSUSE)
36 • Security updates (by Gigi on 2008-02-18 15:57:03 GMT from United States)
It's good to see people rallying around and providing positive feedback around this issue. Also, the speed with which the fixes appeared is commendable.
Ladislav, Wonderful job of bringing the vulnerability to everyone's notice. Even people who don't read security notices, read distrowatch [that includes me] ;).
I use debian-testing and pretty much do a sudo aptitude upgrade for no reason at all every three-to-four days. It is good to know this was fixed in debian-lenny also. [when the page about the testing distribution on debian.org says testing may not receive regular security updates...]
37 • exploitable only > 2.6.23 onwards == poppycock (by Johnny Hughes on 2008-02-18 16:00:39 GMT from United States)
This issue was certainly exploitable on kernels < 2.6.23 ...
I personally tested exploits on 2.6.18-xxx on CentOS, Fedora and RHEL kernels when working this issue for the CentOS Security Team.
Also, I would point out that there were valid patches (and test kernels) available for RHEL and CentOS while the QA process was ongoing for the officially released kernels. Also, it was rated as "important" and not "critical" because it was an escalation of a non-privileged account and not a remotely exploitable root issue.
I also absolutely agree that official and totally reproducible mechanisms need to be in place for users to get these security updates. A mechanism that pushes this info to users (who want it) has to be an option, IMHO.
Certainly automatic updates on the client end is a good thing, however, that by itself is not enough. Most system administrators will (and probably should) disable auto updates so they can test how updates will affect their machines ... so they need a way to be told about security issues other than just pushing the updates.
And before anyone asks ... +37 Hours (for CentOS) is only +10 Hours from the release of the official kernel that we could rebuild :-).
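The version question that comments 27, 29, 30 and 37 circle around, written up as an added example (this is not code from the page or from any of the distributions named): it extracts the upstream kernel version from a package version string and compares it against the vmsplice() range the comments give (2.6.17 up to but not including 2.6.24.2), then consults a small constructed table of distribution builds that the comments above report as carrying a backported fix. Debian's 2.6.22-6.lenny1 and Arch's kernel26 2.6.24.1-2 both show why the upstream number alone cannot distinguish a patched build from an unpatched one, so anything in range that is not in the table is sent to the distribution's own advisory.

```python
import re
from typing import Dict, Optional, Tuple

# Upstream kernel versions containing the vulnerable vmsplice() code, as given in
# the comments above: 2.6.17 up to 2.6.24.1; 2.6.24.2 is the first upstream fix.
FIRST_AFFECTED: Tuple[int, ...] = (2, 6, 17)
FIRST_FIXED: Tuple[int, ...] = (2, 6, 24, 2)

# Leading "a.b.c" or "a.b.c.d" of a package version; anything after that
# (e.g. "-6.lenny1" or "-xxx") is a distribution suffix and is ignored here.
_UPSTREAM_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?")

# Constructed lookup table: distribution kernel builds that the comments above
# report as carrying the backported vmsplice fix even though their upstream
# version number falls inside the affected range.
KNOWN_FIXED_BUILDS: Dict[str, str] = {
    "2.6.22-6.lenny1": "Debian testing-security (CVE-2008-0600, changelog in comment 30)",
    "2.6.24.1-2": "Arch Linux kernel26 package (comment 29)",
}


def upstream_version(package_version: str) -> Optional[Tuple[int, ...]]:
    """Return the upstream kernel version embedded in a package version string,
    or None if the string does not start with a dotted version."""
    match = _UPSTREAM_RE.match(package_version.strip())
    if match is None:
        return None
    return tuple(int(part) for part in match.groups() if part is not None)


def upstream_in_affected_range(package_version: str) -> Optional[bool]:
    """True if the upstream version lies in [2.6.17, 2.6.24.2), False if outside,
    None if the version could not be parsed. Tuple comparison handles the
    three- and four-component forms: (2, 6, 24) sorts before (2, 6, 24, 2)."""
    version = upstream_version(package_version)
    if version is None:
        return None
    return FIRST_AFFECTED <= version < FIRST_FIXED


def assess(package_version: str) -> str:
    """Classify a kernel package version string:
      'unknown'          - not a parseable version
      'not-affected'     - upstream version outside the affected range
      'fixed-by-distro'  - in range, but a build the table records as patched
      'check-advisory'   - in range and not in the table: only the distribution's
                           own advisory can say whether a patch was backported
    """
    in_range = upstream_in_affected_range(package_version)
    if in_range is None:
        return "unknown"
    if not in_range:
        return "not-affected"
    if package_version.strip() in KNOWN_FIXED_BUILDS:
        return "fixed-by-distro"
    return "check-advisory"


if __name__ == "__main__":
    # Sample inputs, constructed from version strings mentioned in the comments
    # ("2.6.18-xxx" is comment 37's placeholder; "2.4.36" stands for the 2.4 kernels).
    for sample in ("2.6.22-6.lenny1", "2.6.24.1-2", "2.6.18-xxx", "2.6.24.2", "2.4.36", "fooo"):
        print(f"{sample:18} -> {assess(sample)}")
```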
38 • No subject (by Anonymous on 2008-02-18 16:07:33 GMT from United States)
Out of curiosity, does anyone have specific examples of how long it takes Microsoft, Apple, or the BSDs to come out with a fix for this type of vulnerability?
Even the 37 hours for CentOS seems fast enough, given that you need to test for an environment like that. With Windows, for instance, the problem would be that they try to be all things to all people with just one version of Windows. I guess that getting such an update out in a week is blazing speed for Windows.
Of course, the baseline should be no vulnerability and zero hours to issue fixes when needed, but I'm curious what users of other OSes deal with.
39 • ArchLinux rules (by GODhack on 2008-02-18 16:26:57 GMT from Lithuania)
!!!!!!!!!!!!! It's fun how ArchLinux was first to update (even faster than Debian), but there was no clear info about the update, so tons of security n00bs were tricked and wasted their time trying to hack into it. :) !!!!!!!!!!!!! Also fun how Gentoo posted almost a howto to hack into it, but forgot about the update. <- it is the way of a real hacker distro ;) !!!!!!!!!!!!! It is fun how DistroWatch tries to advertise PCLinuxOS and Ubuntu and Mint as much as possible even if it is needed to lie or hide facts a little. :) !!!!!!!!!!!!
40 • to 38 (by GODhack on 2008-02-18 16:31:30 GMT from Lithuania)
I agree: when talking about Windows security updates there is no reason to count hours at all. It is better to count months. And because of this, the most fun thing is how MS posts very long and very very stupid articles on its homepages saying that Windows is more secure than Linux. :D
41 • No subject (by Tlaloc on 2008-02-18 16:33:19 GMT from Germany)
"The Arch way is not right - what if I don't visit their forum or if I only visit once a month? Then I am excluded from finding out about any security problems."
In fact, Dima got it all right and already explained that. It hurts to see the Arch way being attacked by someone who doesn't understand. Moreover, as an Arch user, I would insist on the point that we don't have any "random devs" - that is a tiny, carefully chosen, entirely trustworthy group of people.
42 • to41 (by GODhack on 2008-02-18 16:42:44 GMT from Lithuania)
"what if I don't visit their forum or if I only visit once a month? Then I am excluded from finding out about any security problems." NO, you just update and that's all. There is no need to know about already fixed problems!
43 • more about security... (by GODhack on 2008-02-18 16:55:38 GMT from Lithuania)
Maybe I post here too much, but I have one more thing to tell...
Let's look back into 1995. It is not hard to gather some news and other info from that time. Then it was widely accepted that the BIGGEST open source disadvantage is that when you have the program source it is very easy to find a security hole and hack into the system. So open source means insecure? NO, as we have more than 10 years of experience we can shout NOoooo.. It looks like a paradox at first, but if you think a lot about this, the fact becomes clear and logical.
The same thing is with the Arch way. If you stay 100% up to date, it means secure. From a first look this statement looks stupid (how can you be secure if you do not care about your security at all), but when you consider a lot of things it becomes clear that it is natural. And recent experience with kernel updates shows this clearly.
44 • RE 42 : "There is no need to know about already fixed problems!" (by dbrion on 2008-02-18 17:00:34 GMT from France)
But perhaps it would be interesting to know: * about the consequences (I am almost sure that someone who did not connect his PC to the wild, wild Internet, or my colleagues, who have a 2.4x kernel and do not want to upgrade (except for applications they work on), will sleep more deeply and pleasantly than someone who opened his PC as a little server). * about the origins (do / did they develop too fast?, even if they are very trustworthy? it took time to detect it; kernels 2.6.17 are 12 months old)
45 • Arch mistake again (by Filip on 2008-02-18 17:05:35 GMT from United States)
Ladislav:
--- Quoting from your post (#10): "Still, a random developer's post on a forum is not quite the same as GPG-signed, detailed advisory published on a mailing list dedicated to security. Arch has a mailing list already - why can't they just add another one? The point here is that a user shouldn't have to LOOK for security advisories, they should be delivered to the user via mailing lists or RSS feeds. The Arch way is not right - what if I don't visit their forum or if I only visit once a month? Then I am excluded from finding out about any security problems." ---
The moment it was posted on the forums the information was also posted on the front page in the "Latest News" section (http://www.archlinux.org/news/383/) as well as mailed to the subscribers to the "arch-announce" mailing list -- a low volume mailing list that highlights the most important changes and critical security updates.
Facts:
* Arch was among the first distros, if not the first distro, to provide a working fix for their users;
* The information about the fix was available by means of the news section on the front page, a mailing list, a forum post (and other discussions about this issue);
* The vast majority of Arch users update their systems on a regular basis and all those users would have had a fixed version of the kernel on their systems automatically, and in most cases well before other distros you praise actually fixed the issue.
In the light of these facts the fact that you single out Arch Linux, and Arch developers specifically, as an example of incorrect approach to security issues simply doesn't seem right.
I understand the point you are making about the importance of security announcements specifically, and there is a discussion about this issue (prompted by your story) going on on the Arch forums at the moment; however, if the issue of announcements is what you were trying to communicate by your text, then your point with regard to Arch Linux seems to have been delivered rather heavy-handedly.
In spite of the fact that you have corrected (pro forma) the information about Arch in your story, I think that as it is phrased currently your text still creates a (IMO) completely false impression that Arch Linux developers don't consider security seriously enough (as opposed to PCLinuxOS or Mint developers, for example, not to mention Debian and others).
Regards, Filip
46 • Arch (by Eric on 2008-02-18 18:02:53 GMT from Canada)
Yeah, Arch was one of the 1st distros, as far as I know; the advisory was made at approx 6 am in this post: http://marc.info/?l=linux-kernel&m=120262352612128&w=2 and the fix was out at about 12:30pm (noon): http://marc.info/?l=linux-kernel&m=120264624000828&w=2
Gentoo's fix was stupid fast: Sun Feb 10 12:33:15 2008 by dsd Branch: MAIN Changes since 1.469: +9 -1 lines Update to Linux 2.6.23.15 - includes important vmsplice() security fix.
Arch's fix was: Sun Feb 10 15:02:39 2008 by tpowa 'upgpgk: added fix for root exploit and latest stable patches from greg kroah repository'
Debian's: Mon, 11 Feb 2008 14:58:39 http://lists.debian.org/debian-security-announce/debian-security-announce-2008/msg00056.html
So Gentoo was 1st by about 3 minutes ;) Arch by 3 hours; which beats Debian's by almost 1 whole day ;) Damn Ladislav, you and your page ranking words ;)
The ones you bash were actually the MOST secure. Damnit GODHack #39 was great !!
Enjoy!
47 • The best FS ?? (by dooooo on 2008-02-18 18:27:36 GMT from Jordan)
Off-topic : What is the best File System in terms of recovery and self-fixing capabilities ? A lot of comparisons focus on speed and performance .
48 • Filesystem reliability (by Eric on 2008-02-18 18:52:44 GMT from Canada)
The most reliable filesystem is one that is self check-summing with auto recovery based on those checksums; ZFS would naturally be the best candidate in current history, but it will be limited to Solaris & FreeBSD and otherwise only through FUSE ala ntfs-3g for NTFS filesystems, but then all the speed is gone. I personally prefer FreeBSD anyway; I do not use ZFS though, for lack of the truly sufficient memory that ZFS requires to be stable. Also, ZFS SHOULD, in all recommendation, be run ONLY on a 64 bit system.
http://en.wikipedia.org/wiki/Comparison_of_file_systems
Any ECC/Check-summed filesystem is what you want #47.
Have fun ;)
49 • Linux Mint (by Clem on 2008-02-18 18:55:59 GMT from Ireland)
Hi,
Just a precision about Linux Mint. Kernel related updates are usually given a level 5. However, due to the severity of the issue the specific versions fixing this security hole were given a level 3.
Thanks, Clem.
50 • Wesnoth (by tdatb on 2008-02-18 18:58:36 GMT from United States)
The torrent has no tracker, it merely says "Elven" where the tracker address is supposed to be. Furthermore, DHT finds only 5 peers and all have only 0.1%. The link Elven put in his post is broken; it only takes you to the homepage.
51 • KISS (by Daniel on 2008-02-18 19:11:44 GMT from Germany)
KISS = Keep It Simple, Stupid ! (part of the Arch Way)
While you were reading your Security advisories (which desktop users normally don't), I had a secure Kernel already.
52 • Time scales and banks (by dbrion on 2008-02-18 19:19:05 GMT from France)
Qu 1) How old is a linux-kernel 2.6.17 (in ns, mn .... weeks)?
Qu 2) How long does it take to *detect* (not to fix, not to inform about it) a safety issue?
Qu 3) Would your boss/your bank KISS you if you recommended them a modern Linux?
Qu 4) [if one wants to be serious, not to race like horses]: how are such safety issues detected?
53 • VirtualBox to be bought by Sun (by RichardS on 2008-02-18 19:45:12 GMT from United Kingdom)
Quietly, with little publicity, Sun Microsystems has bought Innotek the suppliers of the VirtualBox virtualizer. (Subject to all the usual caveats.)
VirtualBox is very easy to install and use. Version 1.5.4 runs most Linux distros nicely, but without some features such as 3D video.
Let's hope that Sun will continue to develop VirtualBox and to release new OSE versions and full versions which are "free" for personal use.
54 • RE: 52 your making another case than the actual one (by KimTjik on 2008-02-18 21:10:25 GMT from Sweden)
I understand what you try to convey, dbrion, but don't forget that Arch doesn't aim at being the system you're now talking about. It's stable indeed, and if it fails it's to my knowledge not the core but those bleeding edge features some of us want. Still, Arch is a very user oriented distribution, and since it very clearly explains that it has a "'do it yourself' approach", you can easily figure out what that means. Banks usually don't like the "do it yourself" approach, do they?
And this is perfectly fine, dbrion. A Linux distribution doesn't have to do exactly what another or 50 other distributions try to do. Some of the distributions you usually mention have another approach and hence fill another need. Why complain?
The article by Ladislav wasn't talking about a specific scenario; the mentioned distributions and wording suggest he's talking about something very far from the banking world.
55 • Big Whoop (by Anonymous on 2008-02-18 22:04:12 GMT from United States)
It was a local exploit not a remote exploit. If someone has access to your computer locally they can simply boot in single user mode and do whatever they want.
56 • DWW and Clarity vs Security (by Landor on 2008-02-18 23:14:00 GMT from Canada)
First I have to thank you for bringing the topic of the security issue to my attention. I haven't been poking around Linux all that much lately. Using it of course, but not reading what's been going on in the community. I'm sure I'm not the only one out of the millions of users who use Linux. So I do appreciate coming here and, even if a week old, seeing the heads-up for the problem with the kernel.
That said, I am shocked by the lack of clarity and facts in your article on it. Though it wasn't truly confusing for me, I would wager some might find it confusing, especially regarding a lot of the comments here, who has done what and what is available.. I know you do have quite a bit to do with your time but I would hope that something as important as this, and the facts regarding how various distributions handled this security issue, are researched and verified before releasing that information.
Yes, some did not post alerts, or info regarding an available fix (if they had one) in a timely manner, or at all. Which I understand is the point to the matter. But, although the first time I've seen a slip this bad here, still not really very good reporting when so many corrections had to be done. E-mails to security teams for various distributions, or IRC "may" have reduced or eliminated the number of errors.
Thank you again though for the head's-up. Kernels are going to be compiled on our machines in short order.
Keep your stick on the ice...
Landor
57 • Question: Could a hacker "infiltrate" and abuse a distro? (by PP on 2008-02-18 23:16:52 GMT from United Kingdom)
I would like to see an article discussing the following possibility:
(1) Could a malicious hacker join a distro as a developer and be able to hide his true identity? I reckon it shouldn't be too hard.
(2) Then, over months or a year, gain a position as a "trusted user" or similar.
(3) Build binary packages for some relatively common but not high profile applications, with some of his own code, say a backdoor or similar?
(4) Gain over a few years a set of computers he can control and/or spy on?
Could this be possible? What checks do different distributions make to prevent it from happening? How long could it be going on before someone notices?
Note that many security breaches could probably be easily made to look like "accidents" or "minor incompetence".
I have never seen a good article addressing this possibility, so if you could point me to a link, please do. This is one of the reasons I'm averse to smaller distros.
Am I sensible in my concerns, or paranoid?
58 • 57 (by Anonymous on 2008-02-18 23:26:50 GMT from United States)
You've just made a really strong case against closed software. The Swiftfox browser comes to mind.
I also do not put any faith in small distros or in distros that don't post the full sources (see last week's comments).
I really don't see this happening with a large distro but I suppose it is possible. With large distros there are just too many users who monitor everything, so it wouldn't be easy, for instance, to install a keystroke logger or something like that and get away with it. You would need both the opportunity to add to the code base and to stay anonymous. Those who are at the top are well-known and could easily be caught if they tried some funny business with the big distros.
OTOH we always have that possibility with any OS, so while the risk is much greater when using Windows or a Mac, I think it could happen.
59 • Arch (by afonic on 2008-02-18 23:58:46 GMT from Greece)
I feel Arch should be put right at the top of the table. :)
(yeah I read the correction)
60 • @55 (by Adam Williamson on 2008-02-19 00:35:31 GMT from Canada)
That's not accurate. "Local vulnerability" means that only someone with access to a regular user account on the system can exploit it (it can't be exploited without shell access). That does not mean you need to have *physical* access to the machine. There are many systems which have multiple users who have unprivileged shell accounts on the machine but no *physical* access to the hardware, thus no ability to reboot it to bypass safeguards. These are the systems to which local vulnerabilities are extremely important.
61 • WTF?! (by Eric on 2008-02-19 03:34:17 GMT from Canada)
Anyone not worrying about a magical becoming of the most powerful entity in control of your computer, whether remote or local, is a VERY BIG DEAL; those who do now see this as a problem worth tackling the same day are not fit leaders, and are followers of a bad major ass influential company like M$. You worry about your unsafe system and stay in terms with its insecurity and architecture of Swiss cheese. I'd rather have a proper system where someone cares about not only my safety, but my highly customized and very expensive box which I code on and make a high salary... all from the security and trust I put into my system for reliability.
Any of you who think such a major flaw was nothing, are noobs to our environment and disgraceful to say the least.
62 • 26 • RE 24 (by dbrion) (by Stats on 2008-02-19 03:50:20 GMT from Australia)
26 • RE 24 (by dbrion from France) ", but when I see the Page Hits per Day table, that number of readers "(of DW)" is not so big after all."
The Page hits per Day is not linked with the number of readers of DWW, nor with the number of users of DW well cared tables.
Often, I never click on any distr (if I get curious about Dreamlinux; I will click on it; if I want to know about a package, the fastest way is to select a distr at random, and fetch the link to the package; if I were a fanboy of demagogic distributions, I would cli-cli on them until I break my mouse....).
IMHO, most people visiting DW come here for info and visit distro info pages (many also do it for PHR, make their favourite distro go higher in rank!). People like you and I are a minority, we occasionally visit distro pages for info.
Anyway, the number of readers might be 10 or 20 times the number of rat-hitters..
The STATS say you are MISTAKEN in your presumption! Unique IP visitors per day (averaged) for Jan 2008 =29,570!
I will leave it to you (or anyone else interested enough) to add up the "rat-hitters" per day and see how the numbers compare.
63 • Good job Arch! (by Tom at 2008-02-19 05:54:39 GMT from United States)
Just thought I would give kudos to Arch, while the distro is without formal security advisories, their method does have a very good track record, especially for this test (fixed on the 10th!)
64 • Qu 63 Did Arch methodology contribute to any safety issue (by dbrion on 2008-02-19 07:55:41 GMT from France)
discovery?
Within *months* (not nitpicking about minutes, days)? (and, if arch is aimed at a single user, it is almost irrelevant to quickly correct such a safety issue [once it is known, removing the IT wires is sufficient if no other harm has been done before --it was zenwalk's point of view- and therefore, to claim loudly they are GREAT). 62 I agree that my numbers are wrong, the main point being there is no connection between voting/curiosity (and one can be curious about two or more distr, which makes adding not relevant) and visiting DW .... Have a nice year of the Rat.
65 • @57 (by john frey on 2008-02-19 08:26:14 GMT from Canada)
I'd say your scenario is virtually (heh, virtually)... let's say practically impossible. You're a paranoid freak:)
It was tried several years ago. I don't remember the details but I think it was Debian that someone submitted a package for that contained malicious code. It was discovered pretty quick. No, I don't know how long pretty quick is.
66 • LiveCD with Skype (by Mr. Pink on 2008-02-19 08:41:54 GMT from United States)
Does anyone know what livecd distros come with Skype? No substitutes please.
67 • Re:66, Skype on live-cd (by Caraibes on 2008-02-19 10:46:51 GMT from Dominican Republic)
Skype comes on the Mepis live-cd.
68 • @ 65 (by Anonymous on 2008-02-19 13:38:32 GMT from United States)
http://www.c-program.com/kt/reflections-on-trusting.html
Not necessarily impossible when you consider the millions of lines of code that go into the average distro and the relatively small number of people looking at those lines of code.
69 • Wrong About PCLinuxOS Also (by JMiahMan on 2008-02-19 14:50:55 GMT from United States)
Much like Arch, you were wrong about PCLinuxOS also, which posted the security updates on the forum and also the user and developer mailing lists. You need to watch what you say; your position comes with a lot of responsibility, and when you shed negative light on something you need to make sure you're being factual.
Your own quote "It is better to keep your mouth shut and be thought a fool than to open it and remove all doubt. (Mark Twain)"
70 • Re. 66: Skype on Austrumi (by RichardS on 2008-02-19 15:28:34 GMT from United Kingdom)
Versions of Austrumi, a tiny LiveCD distro which loads itself into RAM, include Skype.
71 • No subject (by Anonymous on 2008-02-19 16:41:32 GMT from France)
Most fuzz came from Arch (Ladislav didn't know what Arch's mailing list and RSS feed consist in, he doesn't seem to understand its user base either), probably because it's the distro he mistakenly hit hardest, but apparently he got several other distros wrong. For a lack of research. That's perfectly understandable. But if you don't research something seriously, then don't talk about it, or you'll spread FUD involuntarily. A desire to raise awareness of distros' security procedures is good. But a bad story harms its cause more than it helps it, IMO.
DW is a great resource and DWW is a very nice effort, so hats off to Ladislav. But in DWW, I'd rather have no story than a poor one. Anyway, thanks for your dedication.
72 • There is a difference between an official announcement and (by dbrion on 2008-02-19 17:15:00 GMT from France)
some posts: just look at @27, refuted by @37 (who obviously knew what he was writing about), then @49: if tens of distros do like that (or worse), it is a great source of great confusion and of a lot of half truths.... Official announcements, being more formal, are clearer...
FYI I learned about this safety issue by ....Yahoo (and I shrugged it off, as I did not know whether Yahoo was already bought by Microsoft -that might have been a joke, as the time to detect it was HUGE!- and because my colleagues have 2.4 kernels). The most interesting thing (and many people interested in Linux won't forget it) was the lag between the launch of the safety issue bug and its detection...which makes the race (and the subsequent nitpicking, on an hourly basis) radically stupid and ridiculously simplistic. (oh, my dog has a bigger ear than yours!!)
But I do not protest because Monsieur Bodnar did not quote Yahoo.....
73 • Security (by Landor on 2008-02-19 18:01:36 GMT from Canada)
Errors aside, I hope the one thing that any of the distributions have learned from all of this is to encourage more releasing of announcements in regard to critical issues. Even if a fix is not present at the time, a heads-up would be widely appreciated by their respective userbases.
I ran the openSUSE release with the new KDE4. As some may remember I'm already a long time SUSE fan from way back, and I had to say I did like some of it, though I'm still not happy with the direction KDE4 has gone in.
But also, I've told my son, although it's preference of course, I might find myself migrating to a more resource friendly WM, maybe like Fluxbox, or even Enlightenment. Personally I don't have a worry for resources, but if something is more efficient and be just as pleasing, why not use it and extend the life of your hardware's functionality by doing so.
Keep your stick on the ice...
Landor
74 • Update descriptions (by Airdrik on 2008-02-19 19:17:06 GMT from United States)
One thing that would be nice for the user who is trying to decide if he really needs to update a certain package (because he only connects to the internet on average weekly to do them, and even then bandwidth is limited, so even then updating everything at once isn't really an option) is to have a description of the update (changelog) so the user has an idea as to what has changed, and if he needs or really wants to update the package.
I think I saw something like this once in one machine I was updating, but I don't remember which distribution/updater it was on. I'm currently using PCLOS 2007+Synaptic, and it only gives the description of the package, no update information (which in the case of the kernel...)
On another note, it seems that respins are the trend in distributions right now, as a number of major distros (Fedora, PCLOS, Ubuntu? Mint?) include tools to remaster/respin your current configuration into a liveCD. It's cool to see things like: Fedora Gnome LiveCD, Fedora KDE Live, Fedora XFCE Live, PCLOS MiniMe, PCLOS Fluxbox, PCLOS Gnome, etc. More Choice! (I like KDE, fluxbox as long as the menus have everything, and enlightenment) Without having to download 5 CDs or 1 DVD in order to get Fedora+KDE running on your machine. Which also lends to the utility of the Custom NimbleX tool to remaster your own liveCD before you even download it.
75 • fedora 8 XFCE (by capricornus on 2008-02-19 20:53:08 GMT from Belgium)
what a disappointment: Fedora 8 XFCE has a difficult initial install, then everything goes smoothly, but it refuses to install CrossOver (xxx.sh file). Another throw away CD. While Mint XFCE does the job. And MEPIS 7.0 gives an outstanding result.
76 • No subject (by matyas on 2008-02-19 21:06:12 GMT from Germany)
Looks like every DWW reader is an Arch user now. :)
77 • #57 WTF (by Anonymous on 2008-02-19 21:35:23 GMT from United States)
I worry about that every time I turn on a MS box. What auto update isn't going to wreck my system from anybody that works for any company that wrote software for my MS box. I'm tired of auto updates mysteriously breaking my application and the only fix is to buy the update. The MS XP plus pack media edition comes to mind: after your year is up you have all the free wallpapers from the MS site on the CD and nothing more. Then SP2 neuters all of your applications that came with the hardware and lets your reinstalls last only as long as you are not online.
When they don't want to support a security fix any longer they give your application an "end of life" auto update.
78 • spailling? (by beany on 2008-02-19 23:23:27 GMT from United States)
ooops the "Learn Linux" banner on this website has a typo/misspelling.
I'm not sure how to take it. Is it funny? Embarrassing?
79 • Arch (by liquibyte on 2008-02-20 01:53:03 GMT from United States)
The first thing I do on booting into Arch after I get home from work is update. I'd be willing to bet that most everyone that runs it does the same because that's its greatest strength behind its absolute configurability to be anything and everything you want without assumption.
I build my own systems because I want to and doing so gives me nothing I don't want and everything I do. I watercool because I get performance advantages and I like to tinker. I run Arch because it does all of the things in the previous two sentences. If you're willing to give up some brain sweat equity I guarantee it will be the last distro you burn.
80 • RE: 41 (by ladislav on 2008-02-20 05:33:44 GMT from Taiwan)
"as an Arch user, I would insist on the point that we don't have any "random devs" - that is a tiny, carefully chosen, entirely trustworthy group of people."
Ah, of course! That's why they don't bother to GPG sign their posts and that's why Arch doesn't have security advisories or security mailing lists. Now if you also tell me that Arch packages are not digitally signed, I won't be surprised.
Many of you Arch fans seem to get a wrong idea that I wanted to attack your favourite distro. That's not the case at all. I simply wanted to point out an obvious shortcoming of Arch Linux: failing to follow the correct UNIX ways of going about package security.
Now if you tell me that you don't have the manpower for doing it correctly, fine, I can accept it. But if you insist that Arch has the best security update system known to man, then sorry, you are wrong. Of course, you can disagree with me and you are entitled to your opinion, but don't expect any brownie points on that front.
Come on guys, how hard it is to set up a dedicated security mailing list? Or at least a web page exclusively for security updates?
Or do you think that I am completely out of my mind if I expect my distribution to have a security mailing list with digitally signed security notices?
81 • RE: 46 Arch (by ladislav on 2008-02-20 06:03:37 GMT from Taiwan)
"So gentoo was 1st by about 3 minutes ;) arch by 3 hours; Which kicks debians by almost 1 whole day"
You are comparing apples with cauliflowers. The table in the main story lists the dates and times when a SECURITY ADVISORY was formally published, not when the fix was made. In fact, Debian had a fix ready on 10 Feb 2008 17:37:05 UTC
http://ftp.debian.org/debian/dists/proposed-updates/linux-2.6_2.6.18.dfsg.1-18etch1_i386.changes
So even if Arch was a few hours faster (which is far from certain since your post lists times, but no time zones), it's still guilty of not providing security advisories and security mailing lists.
I only wish that some of you Arch guys who have so much time on your hands to challenge my article also offered your favourite distro help setting up a real UNIX security infrastructure.
82 • 56 • DWW and Clarity vs Security (by ladislav on 2008-02-20 06:49:58 GMT from Taiwan)
"still not really very good reporting when so many corrections had to be done"
You are right. Things would be a lot easier if all distributions had a proper security infrastructure. Unfortunately, many seem to take extreme pleasure in hiding security information in most unlikely places (Security mailing list? That's sooo nineties!) or they don't bother publishing them at all.
83 • RE: 69 Wrong About PCLinuxOS Also (by ladislav on 2008-02-20 07:21:51 GMT from Taiwan)
Some of you guys either don't get it or just didn't pay enough attention while reading the story.
Does PCLinuxOS have a mailing list dedicated exclusively to security announcements? Does PCLinuxOS have a forum (with RSS feeds) exclusively dedicated to security announcements? Does PCLinuxOS issue digitally signed security advisories? Does PCLinuxOS have a page dedicated to package security? Does PCLinuxOS publish important security announcements on their front page? No, no, no, no and no? Then we have nothing to talk about. Please get back to me when you get at least one positive.
And by the way, where do I find those PCLinuxOS "user and developer mailing lists" you mentioned in your post? I looked hard through the distro's web site, but had no luck. And the link I have on the PCLinuxOS page on DistroWatch no longer works. Thanks.
84 • Your case is switching focus for every added post (by KimTjik on 2008-02-20 12:46:42 GMT from Sweden)
Yes, I use Arch, but Fedora has been and still is the working horse of choice. Arch is my personal favourite though. I just state this to show how biased I am.
"I only wish that some of you Arch guys who have so much time on your hands to challenge my article also offered your favourite distro help setting up a real UNIX security infrastructure."
Reading and analysing your article took a lot longer than posting my observation, since it was such an obvious error. So by that 5 minutes makes me a good candidate for taking up the torch and providing a so called "real UNIX security infrastructure". I'm both joking and not, and unfortunately this post takes longer time because I've dug deep into the exemplary distros you mention.
Your article states: "Nowadays, many popular distributions don't publish security advisories. This is especially true for community projects and desktop distributions, many of which just don't have the manpower to publish formal announcements. There are even distributions that don't provide updates at all. In an ideal world, all Linux users would run a distro that does have a well-established security infrastructure and would be subscribed to their project's security mailing list, but the real world is different. Still, operating system security is something that no serious project or user should compromise on."
By this you make a distinction between the "ideal" and the "real world". As I understand your point here, maintainers of a distro might have to make the priorities and sacrifice some ideal features. That's fine, and no Arch user here has argued differently. The problem is that you after that choose Arch, as well as others, as an example of a distribution that even hasn't updated to a secure kernel. Can't you see why folks raise an eyebrow?
Hence "community projects" are forgiven for not being able to keep up with the colossus in the Linux world. For many users, the ones you seem to address, that's all right, because few would care about reading lengthy documentation about fixes and vulnerabilities. However if you also claim, and especially when it is proved false, that distro x and y don't even make security updates in due time, yes then you spread insecurity among users, and interested ones might be scared off; scared off partly because of a lack of a feature they don't use, and partly because the distro has falsely been labelled unsafe.
By the way how easy is it to even find such security documentation among the recommended ones? I looked for options about Fedora, but I have to admit it's a jungle of mailing lists and no straight hint about what to look for, and if it hadn't been for your link I'm not sure I would have found anything. I've installed a lot of Fedora systems, but none of them has so far suggested that I should apply for getting security notifications, or made them pop up somewhere automatically so I really saw that I'd better update something. Even the link you provide for Fedora will mean nothing to most users. What does a usual Linux end user think when seeing this?:
"vmsplice_to_user() must always check the user pointer and length with access_ok() before copying. Likewise, for the slow path of copy_from_user_mmap_sem() we need to check that we may read from the user region... Fix vmsplice local root vulnerability..."
The only ones I can imagine to get anything useful out of that is the developers themselves and some very few advanced users, or some who luckily have read some articles on the subject. My point?
It's very good and should be commended that the bigger distros, which usually also focus on server environments, keep on following a "real UNIX security infrastructure", no doubt about that. If other "community" driven distros don't catch up, or have the manpower for it, or choose to concentrate their focus on making the necessary updates and other things, please don't keep on saying "they're still guilty of not...", like Linux has become a mandatory arena where everyone has to live up to the holy grail of "real UNIX security infrastructure".
You're doing a good work, Ladislav, and I appreciate it. Leave room though for a diversity of community driven projects, and don't force everyone of those to adopt a policy that's not a universal law. If they don't even care for updating in reasonable time, then we got a case to deal with.
Regards, KimTjik
85 • 84 Your case is switching focus for every added post (by ladislav on 2008-02-20 13:06:54 GMT from Taiwan)
"The problem is that you after that choose Arch, as well as others, as an example of distribution that even hasn't updated to a secure kernel."
That I corrected as soon as I found out that I was wrong. And as I said in an earlier post, I am sorry for the error.
This mistake on my part would have never happened if Arch had a dedicated security mailing list or security info page.
86 • digital signing? (by Anonymous on 2008-02-20 13:21:56 GMT from United States)
"Does PCLinuxOS issue digitally signed security advisories?"
Digital signing is useless if people can't be bothered to verify the gpg key, how many people actually do that when they run across a gpg signed forum post/email?
87 • No subject (by Anonymous on 2008-02-20 13:32:50 GMT from France)
"What does a usual Linux end user think when seeing this?:
The only ones I can image to get anything useful out of that is the developers themselves and some very few advanced users, or some who luckily have read some articles in the subject. My point? "
That it is a partial quote, out of context, taken in perfect "mauvaise foi", by going down Fedora's quotations in order to show how obscure the "naughty, naughty, ooh elitistly nôty Unix world is" and how user friendly the Linux world is: the main point being that Fedora certified the bug and clearly linked to a solution.... and that users would not have to wait for Yahoo! News to be informed (the bug may have some consequences on data going deeper than downloading + copying a new kernel).
FYI: If I wanted to prove that someone is ridiculous, I would not refer to what they quote, but *directly* to what they write....
BTW: how long was a PC, automagically upgraded from a 2.6.16 kernel (say), vulnerable (unless shared on an IT connection with unknown people - example: a cybercafé under Linux which is not *yet* bankrupt)?
This is a question potential users may ask themselves.......
88 • 87 subject was (by dbrion on 2008-02-20 13:35:29 GMT from France)
RE 84: I thought you were above that.
89 • RE: 86 (by archuser on 2008-02-20 13:56:19 GMT from United Kingdom)
Not that I agree with everything ladislav has said, but when talking about security, it makes sense that GPG keys should be involved. It is almost irrelevant what the pattern of behaviour is for checking GPG keys. The fact is that it is a good practice, if not the best practice for this situation.
90 • Arch Security (by FormerArchUser on 2008-02-20 14:05:00 GMT from United States)
I agree 100% with what he wrote about Arch security. I was an Arch user and the security was one of the reasons to quit.
91 • Arch Security2 (by FormerArchUser on 2008-02-20 14:07:13 GMT from United States)
I agree 100% with what Ladislav wrote about Arch security. I was an Arch user and the security was one of the reasons to quit. And now talking about minutes, who was faster for the kernel patch, is for kindergarten.
92 • No subject (by Anonymous on 2008-02-20 14:10:27 GMT from United States)
Perhaps the topic of the next DWW should be security? What the good practices are and why?
93 • RE 87 - no need to twist the context... (by KimTjik on 2008-02-20 14:19:48 GMT from Sweden)
... to prove something that I didn't intend to prove.
I've not made any claim whatsoever about what is by you described as "'naughty, naughty, ooh elitistly nôty Unix world is' and how user friendly the Linux word is". The partial quote is enough, since I'm referring to an already provided link, and it wasn't with the intention of making Fedora look bad or elitist.
Obviously you totally ignored that I sincerely wrote: "It's very good and should be commended that the bigger distros, which usually also focus on server environments, keep on following a "real UNIX security infrastructure", no doubt about that", but that part maybe was too boring or uninteresting in your eager to make case.
I'm not trying to "prove that someone is ridiculous", that's just not something I think is constructive, and I dislike such attitudes. Vladislav is by no means "ridiculous" in my eyes. Still I can disagree with him on the matter whether a "real UNIX security infrastructure" is a necessary goal for every community driven distribution mainly used as desktop systems. I do however agree that it's a necessity for distributions aiming at providing secure and stable server solutions.
94 • Concise and definitive answ. to 93 (by dbrion on 2008-02-20 14:28:33 GMT from France)
So why three levels of quotation? And what efforts to muddy the waters (you go down three levels of quotation to make a point of view look ridiculous, and then pile tons and tons of right-thinking waffle behind it to hide the baseness of this "fistrouille").....
Have you thought about the potential consequences of this bug? Is it mentioned (other than in half a line) in the wonderful Arch forums? FYI: I was starting to look on Arch with sympathy; the pathetic, derisory efforts to hide one of its flaws force me to change my mind, which I don't like at all....
95 • Another great Mandriva release is coming! (by Killer1987 on 2008-02-20 14:30:49 GMT from Italy)
i tried Mandriva 2008.1 beta 2 and, even if it's only an early pre-release, i found it very stable and usable, plus i noticed all the improvements to the configuring and installing tools... take a look at this distro, it will be awesome : )
if you want to know more, there is plenty of info here:
http://wiki.mandriva.com/en/2008.1
Regards, Marcello
96 • RE 94 - It's not about Arch... (by KimTjik on 2008-02-20 14:43:04 GMT from Sweden)
... I'm not specifically speaking about Arch any more. The only reason it appeared as an example in my post # 84 was that it's a part of the article in question. You're free though to continue the discussion about Arch, but without me.
What you choose to do based on the information available is also up to you. If you're happy and satisfied with your distribution of choice, I'm happy for you. If others make 10 or 50 different choices, including our poster "FormerArchUser", that's just as good.
Post 92 includes a good suggestion for a follow up article here on DW. Every distro can improve in many different aspects.
My best wishes!
97 • RE 96 You switch focus, too.... (by dbrion on 2008-02-20 14:56:50 GMT from France)
"Your case is switching focus for every added post (by KimTjik on 2008-02-20 12:46:42 GMT from Sweden)" I agree with some article going deeper than: oh, new users are so nice: they should not be bored with tedious, o tedious technical details and there are 50, 100 (50000000) distros who do it well and should not be blamed for hiding safety issues (there might be cars with a nice air conditioner, comfortable seats and ... no/lousy brakes: if one drives slowly, and if one knows the brakes are broken, it may work.....)
98 • Scientific Linux ... (by Coffee on 2008-02-20 22:10:47 GMT from France)
The release announcement of Scientific Linux 5.1 made me curious to find out more about this distribution. But all I got to see when I clicked their homepage (https://www.scientificlinux.org/) was a warning message from my Opera browser ...
The servers's certificate chain is incomplete and the signer(s) are not registered. Accept?
The certificate for "(plone3.fnal.gov|www.scientificlinux.org), plone3.fnal.gov, www.scientificlinux.org" is signed by the unknown Certificate Authority "Marc Mengel". It is not possible to verify that this is a valid certificate.
... hmm. Not exactly the kind of first impression I had expected. Does anyone know what this means?
99 • @98 (by Adam Williamson on 2008-02-20 22:31:29 GMT from Canada)
It means their HTTPS certificate is self-signed (by this dude Marc Mengel), and obviously "Marc Mengel" is not listed as a trusted CA by your system.
But you're probably not planning on sending them your credit card details, so it really doesn't matter. Just accept the certificate. Or access the site as http://www.scientificlinux.org/ , no point using HTTPS if no sensitive transactions are happening.
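The warning in post 98 is what a verifier reports when a certificate's issuer is not a trust anchor it knows. The following shell script, added here as an illustration and not part of the thread or of any project's code, builds a throw-away self-signed certificate (placeholder CN, constructed locally) and shows the two outcomes: verification against the system trust store fails, verification after deliberately pinning that certificate as an anchor succeeds. It assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example, not from the DistroWatch thread: reproduce the "unknown CA /
# self-signed" situation offline with a constructed certificate.
# Assumes the openssl CLI is available; the CN below is a placeholder.

WORKDIR=$(mktemp -d)

# Throw-away self-signed certificate: subject and issuer are the same entity,
# which is the equivalent of a site signed by a CA no browser ships with.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORKDIR/key.pem" -out "$WORKDIR/site.pem" \
    -subj "/CN=www.example.invalid" >/dev/null 2>&1

# Verify using only the system trust store: a self-signed leaf is rejected,
# which is what the browser's "unknown Certificate Authority" dialog means.
verify_against_system_store() {
    if openssl verify "$WORKDIR/site.pem" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
    fi
}

# Verify after explicitly adding the certificate as a trust anchor. This is
# what "accepting" the certificate in the browser does for that one site;
# the decision is then the user's, not a CA's.
verify_with_pinned_anchor() {
    if openssl verify -CAfile "$WORKDIR/site.pem" "$WORKDIR/site.pem" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
    fi
}

# A quick way to spot a self-signed certificate by hand: issuer equals subject.
issuer_equals_subject() {
    subj=$(openssl x509 -in "$WORKDIR/site.pem" -noout -subject)
    iss=$(openssl x509 -in "$WORKDIR/site.pem" -noout -issuer)
    if [ "${subj#subject=}" = "${iss#issuer=}" ]; then
        echo yes
    else
        echo no
    fi
}

echo "system store:   $(verify_against_system_store)"
echo "pinned anchor:  $(verify_with_pinned_anchor)"
echo "self-signed:    $(issuer_equals_subject)"
```

Before accepting such a certificate for anything beyond reading a public page, compare its fingerprint with one obtained over a channel you already trust; the pinned-anchor step above only records that decision, it does not make it.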
100 • @99 (by Anonymous on 2008-02-20 23:40:10 GMT from France)
Thanks for the explanation.
101 • Security (by Anonymous on 2008-02-21 03:32:52 GMT from United States)
Well, just be glad if you don't use Mepis. Those guys finally got a fix yesterday, with no change log or anything. If you read the post, they keep asking if it's the fix or not. Finally one of them has to research the kernel version to find out.. Even Patch Tuesday is better than that.
102 • 101 (by Anonymous on 2008-02-21 04:11:23 GMT from United States)
It's just speculation on my part, but from what I have seen recently, I'd say Warren is going to give up on Mepis. It might live on if someone else picks it up, but given the fact that he has been the dominant force in development for so long, I won't be surprised if it folds altogether before the end of the year. One more release and he will announce, "Sorry, while this was fun, it just doesn't fit my schedule anymore. This will be the last release of Mepis. Thank you to everyone for the support over the years."
One example that struck me as odd is that he recently had someone else post a number of things, among them,
"Warren's Work Status Warren is fine. He's been working some very long hours on project / contract work which is going well. He is also continuing work on development of Mepis whenever he gets a chance."
"Mepis 8 He intends starting dev work on Mepis 8 around April. He's not sure on a release date as it all depends on when Debian's progress with Lenny is completed."
That doesn't much sound like a distro under the same type of development as most other popular distros. If what you say is true, that is consistent with a distro that lacks energy and enthusiasm at the top.
[Note that I have stated clearly that this is speculation. If you are a Mepis fan, I am not claiming Warren actually said that to me.]
103 • No subject (by notarchuser on 2008-02-21 09:51:21 GMT from Ukraine)
> This mistake on my part would have never happened if Arch had a dedicated security mailing list or security info page.
Come on, is that harder to read a news on a main page, or use RSS feed for this?
> Some developers of Arch Linux have previously argued that security announcements are redundant for their distribution as it uses the "rolling package update" mechanism with continuous package updates.
AFAIR they did have some security announcements project led by one of the TUs (Trusted Users), but it turned out to have little interest from users, it seems.
p.s.: I'm not an Arch user at all, using DIY Linux now
104 • re:102 (by Dopher on 2008-02-21 10:55:45 GMT from Belgium)
Trying to spread fud, aren't you?
Even cared to try the latest Mepis? I would say it's pretty good. Stable, nice selection of apps. Except for font rendering it's one of the best distros around.
Not the kind of distro that seems to fade away into nothing atm. And even if... you can still use it for a long time. When using Mepis you've got the Debian repositories available. Linux is after all Linux, and KDE is KDE, on almost all distros.
But atm there are no clouds. So don't come up with this FUD.
105 • 104 (by Anonymous on 2008-02-21 13:14:02 GMT from United States)
That Warren might quit Mepis has been around for a long time - originating with him, as he has complained about money problems many times. My speculation is that we are getting close to the time that he actually does quit. The post to the Mepis forum and the delay in putting out a new kernel are additional reasons to believe that is the case.
All of which has exactly nothing to do with what you wrote as a response to post 102. Maybe you can find someone to translate into your native language.
106 • http://www.scientificlinux.org/ @98/99 (by Antonio on 2008-02-21 13:44:50 GMT from United States)
Cannot view page with firefox either :(
The connection was reset
The connection to the server was reset while the page was loading.
* The site could be temporarily unavailable or too busy. Try again in a few moments.
* If you are unable to load any pages, check your computer's network connection.
* If your computer or network is protected by a firewall or proxy, make sure that Firefox is permitted to access the Web.
107 • Re: 106 (by Anonymous on 2008-02-21 14:06:48 GMT from Switzerland)
I also get this warning about the untrusted signature but I can access www.scientificlinux.org. Probably you have a network problem!?
108 • Just Retire (by JMiahMan on 2008-02-21 15:06:29 GMT from United States)
@83
Really I would stop and ask myself what good is this site. Especially when you can't admit you're wrong. The point wasn't what PCLinuxOS has. In your article you said they didn't inform the community or inform the community in the way you would like. The community is the forum, is it not? If you're participating in the community then you're on the forum and can do a search or check the software section, or even ask. Wow what a concept. Check the software section on the forum for any security updates. Do they need an RSS feed just because every commercial distro does? Would you like to pay for the network traffic an RSS feed generates? Really get a life and do something else ladislav, your site has outweighed its usefulness and so have you. You have a counter that means nothing, you can't keep distribution information up to date and now you can't even report simple security warnings without putting your own meaningless twist on them.
109 • QU 108 : How can one protest against something meaningless? (by dbrion on 2008-02-21 15:18:04 GMT from France)
"you can't even report simple security warnings without putting your own meaningless twist on them."
PCLOL logics....
110 • Apologies (by JMiahMan on 2008-02-21 16:37:35 GMT from United States)
That wasn't right of me Ladislav, you do play a role and you shouldn't retire (as if you really would). I'm just a little frustrated as to why you think you're the say in how a distribution should be run. We'll just have to agree to disagree and leave it at that and I'll just have to stay away so as to not get inflamed.
111 • 109 (by Anonymous on 2008-02-21 18:59:47 GMT from United States)
I would protest against your statement dbrion but you do make a point .
112 • Re 102 / 105 - Mepis (by Brooko on 2008-02-21 20:08:33 GMT from New Zealand)
Nope - 104 was right ... posting your "opinion" on such a widely read forum as DW with the baseless conjecture that WW may be quitting Mepis development does nothing but raise FUD (fear, uncertainty and doubt) to other potential users.
Now - for anyone really interested - here are some facts. I know because I've been in touch with him regularly.
* Warren is working on things other than Mepis - he needs to live too.
* He's still spending 2-3 hours a day when he can on Mepis
* There are plans afoot for an update of 7 - probably in 2-3 months
* Development of 8 will commence straight after that (Lenny base)
* Community involvement has grown & we now have active development on updating Mepis.org, a Community run repo, a new users manual, unified artwork, etc. It is in fact thriving.
* Judging by the new members on ML (forum), growth in use is also continuing
* Mepis still remains very stable, very usable, and very viable.
All of above are facts.
The combination of Mepis's simplicity & the forum's friendliness and helpfulness still makes it a very good choice for newcomers to Linux as well. Warren has communicated no desire to quit & with the greater focus on community involvement, we see a bright future.
That last bit is my opinion - but it's a conjecture drawn from the facts above - so it's eminently more informed than posts 102 / 105.
I hope this has cleared some misconceptions. We at the Mepis community greatly admire all things the whole Linux community is achieving. If someone wants more info - please just drop us a line and ask in future.
113 • No subject (by Anonymous on 2008-02-21 21:10:59 GMT from Canada)
ladislav - I'd like to apologize if I may on behalf of the PCLinuxOS users who aren't wannabe members of the dev team or fascist moderators. It has been nice the last month without PCLOS wars and for the person to say the things he did is simply not acceptable to any witted person. I wish these guys would crawl back under their rock - jiahmaman - legend in his own mind - idiot in everyone else's
114 • 112 (by Anonymous on 2008-02-21 21:33:41 GMT from United States)
> All of above are facts.
Which of course confirm the fact that he has rather limited involvement in the distro compared to the involvement of the top developers of other distros.
From a good source, I have learned that Warren is working on things other than Mepis - he needs to live too, and that he's spending 2-3 hours a day when he can on Mepis.
Call it FUD if you want, but it is something potential Mepis users should know. It is dishonest to try to cover up the facts that I have presented. Anyone considering a move to Mepis has to consider the possibility that Warren might leave soon. Anyone considering a distro has to consider the development process. That's true whether or not you are a fan of Mepis and Warren.
This whole thing is being handled very poorly. There should be plans for the distro going forward. Do you really think this would happen with Fedora or Ubuntu or Arch or other popular distros?
115 • 114 (by Brooko on 2008-02-21 22:09:32 GMT from New Zealand)
> Which of course confirm the fact that he has rather limited involvement in the distro compared to the involvement of the top developers of other distros.
Point taken - at the moment Warren is not working full time on Mepis. I stated that clearly as well. But he has given no indication he's stopping development & the increased community involvement is assisting in further development as well.
>It is dishonest to try to cover up the facts that I have presented.
Where did I attempt to cover up? I simply corrected the misinformation and conjecture. Warren continues to develop Mepis - he has not indicated any plans to quit. In fact he's talking with the community on how to go forward.
>This whole thing is being handled very poorly. There should be plans for the distro going forward.
There are plans - I alluded to those. Once roadmap is sorted, announcements will be made.
>Do you really think this would happen with Fedora or Ubuntu or Arch or other popular distros?
Pretty unfair to compare Mepis (one dev + community) to the likes of Ubuntu, Fedora etc. The fact that Mepis is so popular given its single dev status is a tribute to both WW & the growing community development.
Regardless of what you THINK, Mepis development continues. It's still a great distro to a lot of people. It's still working and going forward. Why are you in a hurry to write it off? If it doesn't meet YOUR requirements fine - it does meet a lot of others. We are happy. Live and let live.
116 • @ 113 (by JMiahMan on 2008-02-21 22:43:11 GMT from United States)
If you actually knew me, one, you could spell my nick correctly and two, you would know I truly don't have a mind to be a legend in. I know I'm an idiot and I've admitted it multiple times. At least I could apologize and admit I was wrong.
117 • No subject (by Anonymous on 2008-02-22 03:20:08 GMT from Canada)
JMiahMan - apologies also, my post was as reactionary as your first and definitely uncalled for, I just feel that Ladislav does more for the community than any of us could wish to do, and your comment drags the PCLinuxOS community down.
118 • RE 108 There was ONE interesting sentence in your post. (by dbrion on 2008-02-22 10:04:56 GMT from France)
"Would you like to pay for the network traffic a rss feed generates?"
That was not a bad question, but one can think some users, who have no time to go to fora and use Linux for an Internet café (say: there are other configurations where one is obliged to connect a semi-professional PC to the outer world: [desktops can be used as tiny servers during the night: it is at least tempting]) would be glad to receive *only* safety advisories (and not look for them, hidden in a forum) and perhaps ready to PAY for them.... which makes some tedious bureaucracy if a distro decides to SELL safety advisories (they would be used in a semi-professional way) and to do it on the long term..
119 • About gentoo (by pacho on 2008-02-22 12:41:52 GMT from Spain)
The problem was fixed in Gentoo February 11 before 10:30:31 (-3 hours), not 13, you only need to check the changelog
Please see https://bugs.gentoo.org/show_bug.cgi?id=209460#c12
120 • donation nomination (by ray carter at 2008-02-22 23:13:42 GMT from United States)
If you've not already donated to NimbleX - I would nominate them. The customizable Live CD seems like a thing worth pursuing.
121 • RE 120 : NimbleX has already been donated...... (by dbrion on 2008-02-23 16:28:22 GMT from France)
... and, therefore, it cannot be said it is a bad idea reminding it is a deserving distribution...
From "http://distrowatch.com/weekly.php?issue=20080218&mode=61#comments" at the end of DWW section "# # 2007: GQview ($250), Kaffeine ($250), sidux ($350), CentOS ($400), LyX ($350), VectorLinux ($350), KTorrent ($400), FreeNAS ($350), lighttpd ($400), Damn Small Linux ($350), NimbleX ($450),...."
What is interesting, meseems, with these figures one can find at the end of each month's DWW, is the decrease of the part of the applications (2005-2006: # {9,8}/12; 2007: # 5/12) in favor of distributions [my counts are inaccurate, due to unclassifiable categories such as LUG or Unicef, but, anyway, less than 10% of donations cannot be simply categorized]. Are applications getting rich? Are distributions getting more and more deserving?
122 • Asian language support (by Ivan on 2008-02-25 00:40:35 GMT from Russian Federation)
Your tables include a line "Asian language support". Could you please write some details: how do you test this?
Thanks for the site!
123 • "Be Thought A Fool" Quote (by Daryl O. on 2008-02-25 03:32:14 GMT from United States)
The attribution to Mark Twain is incorrect. Those words were actually spoken by the 16th president of the United States, Abraham Lincoln (http://books.google.com/books...). I have it, in fact, on a souvenir that I had bought in Springfield, IL when I visited his tomb 14 years ago.
Number of Comments: 123