This text is not meant for broad publishing. Please do not modify the footnote formatting.

Debian 5.0 Lenny release date

The Release Team [1] has frozen the Testing repository; the focus is now on squashing bugs. At this point, package versions with new functionality or APIs will only be included after careful evaluation.

The bug cleanup effort across all 24 thousand packages can be followed on the dynamic page [0].

An open invitation to the community to help test and debug Lenny was published [3] and a new Bug Sprint is scheduled at the end of October [4] to accelerate the effort.

The Release Team, in collaboration with the QA Team [2], may ultimately opt to remove some packages from the release.

The release will happen when the Release Team reaches the conclusion that the distribution is stable, with a minimal number of known significant bugs.

What guarantee is there that high-end hardware (SAN, blades, etc) will work flawlessly with Lenny? Are there regression tests?

The Debian distribution tries not to deviate from the upstream kernel for such hardware. Generally speaking, regression tests are performed by the driver developers and/or manufacturers, by hardware and software testing companies such as [32][34], or by contractors such as [33].

Some sites check and/or list compatibility [35][36][38][39] or incompatibility [37].

The Debian Project applies its very best effort to support high-end hardware, but does not guarantee hardware compatibility.

Interaction with the Debian Kernel Team [5] and Debian Installer Team [6] via their discussion lists, providing access to hardware, and even contracting Debian Team members to perform specific tests on a defined schedule and/or to defined requirements are possible ways of overcoming hardware driver problems, should they arise.

The best window of opportunity for such interaction is from the start of a new release development cycle until the kernel version is frozen.

However, bug reports are welcome at any time.

How can I help improve drivers for high-end hardware?

Test and report any bugs to members of the Debian Kernel Team [5] and the Debian Installer Team [6].

Provide hardware access to Debian Kernel Team [5] and Debian Installer Team [6] members.

Interact with the Teams through their mailing lists.

Contract members and contractors like [33] for specific, scheduled development.

Contact the upstream kernel developers regarding driver development [8] with information, or special arrangements like NDAs for chipset internals.

The Debian Project supports and minimally deviates from the supported drivers [8] in the upstream kernel.

However, since some upstream kernel versions work better with a specific hardware device than others do, feedback is essential to ensure that the kernel we release with supports your hardware specifically.

How much time does Debian take to issue a security update after notification (CVE)?

The Debian Project takes security very seriously, and its Security Team [9] evaluates each security bug report, CVE alert, and confidential direct contact with the Team, assessing the risk and listing the vulnerable packages [10] for each release and version. Depending on the severity and the availability of a suitable solution, an update can be released in as little as 75 minutes [11].

The Debian Project is one of the fastest Linux distributions at releasing security fixes. An example is kernel bug CVE-2008-0600 [12], which took 6 days. The bug that made multiple DNS implementations vulnerable to cache poisoning, VU#800113 [13], CVE-2008-1447 [14], which required lengthy vendor coordination [15], was kept confidential until all packages received fixes.

Studies of days-in-risk [17] exposure are uncommon for Debian, but a survey report completed in 2001 [16] shows that 15% of fixes were released on the same day as the bug report, with an average of 35 days. The survey, updated in 2003, shows an average of 13.5 days-in-risk, which is significant progress in only 2 years. As the Debian Project grows more popular, this value may drop even lower.

In July 2008, an article [18] compared several important incidents and the days-in-risk for four Linux distributions, where one may see that the Debian Project ranks among the first in dealing with security vulnerabilities. A comparative study against the detailed Red Hat report [19] could be done, as the CVE codes are listed there and can be mapped to DSA codes with an on-line tool [10].

It is important to consider that the simple measure "days-in-risk" [17] is not complete without a severity and vulnerability-exposure analysis applied to a given installed system.

The Debian GNU/Linux distribution has an extremely powerful and flexible package management system, which allows the system administrator to easily and transparently take care of package dependencies, and configure the system to use the minimum amount of packages necessary for the task, limiting exposure to vulnerabilities.

The flexibility and power of the Debian GNU/Linux package management system gives users the ability to install not only lean server configurations, but fully operational desktop systems, workstations, and more complex systems containing any subset of the 24 thousand pre-compiled binary packages available.

The use of Debian tools like debsecan [20], tiger [21], the set listed at [22], rc-alert [30], and the security tracker [10] helps guide the system administrator.

In order to fully benefit from Debian's vast selection of packages, excellent security, and configuration, it is important to exclusively use Debian's own management tools to configure the system.

Even /etc configuration files that are edited manually should be registered with the debconf tool; this keeps the checksum updated and auditable and allows controlled upgrades of these files.
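As an added example, not code from the page or from any Debian tool: dpkg records the md5sum of every conffile it installs in the `Conffiles:` field of /var/lib/dpkg/status, and the audit mentioned above amounts to recomputing those sums. The script below parses that field and reports conffiles that were edited outside the packaging tools or removed; the status excerpt and files are constructed in a temporary directory, and the function names are the example's own.

```python
import hashlib
import os
import tempfile

def parse_conffiles(status_text):
    """Yield (package, path, md5) for each entry of the Conffiles: field in
    dpkg status-file format; entries are continuation lines starting with a space."""
    package, in_conffiles = None, False
    for line in status_text.splitlines():
        if line.startswith("Package:"):
            package = line.split(":", 1)[1].strip()
            in_conffiles = False
        elif line.startswith("Conffiles:"):
            in_conffiles = True
        elif in_conffiles and line.startswith(" "):
            fields = line.split()            # path, md5sum, optional "obsolete"
            yield package, fields[0], fields[1]
        else:
            in_conffiles = False             # any other field ends the list

def audit_conffiles(status_text, root="/"):
    """Map each recorded conffile path to 'unchanged', 'modified' or 'missing'
    by recomputing its md5sum on disk (root lets the check run on a chroot/copy)."""
    report = {}
    for _pkg, path, recorded in parse_conffiles(status_text):
        full = os.path.join(root, path.lstrip("/"))
        if not os.path.exists(full):
            report[path] = "missing"
            continue
        with open(full, "rb") as fh:
            actual = hashlib.md5(fh.read()).hexdigest()
        report[path] = "unchanged" if actual == recorded else "modified"
    return report

def demo():
    """Constructed scenario: a temp root with one pristine conffile, one edited
    by hand outside the packaging tools, and one that was deleted."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "etc/foo"))
    pristine = b"listen = 127.0.0.1\n"
    with open(os.path.join(root, "etc/foo/foo.conf"), "wb") as fh:
        fh.write(pristine)
    with open(os.path.join(root, "etc/foo/bar.conf"), "wb") as fh:
        fh.write(b"listen = 0.0.0.0\n")     # hand edit: checksum no longer matches
    status = "Package: foo\nStatus: install ok installed\nConffiles:\n"
    for name in ("foo.conf", "bar.conf", "missing.conf"):
        status += " /etc/foo/%s %s\n" % (name, hashlib.md5(pristine).hexdigest())
    status += "Description: constructed example\n"
    return audit_conffiles(status, root)
```

On a real system, `audit_conffiles(open("/var/lib/dpkg/status").read())` gives the same report for every installed package.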

Can I maintain and run older packages at new releases? Are there regression tests?

If a package is no longer within the scope of the Debian Security Team, it must be maintained by the in-house sysadmins.

The sysadmin group will need to create a security fix backport from the current stable version to the version it intends to keep running.

Then, the adapted older Debian source package needs to be rebuilt at the current stable distribution release, adapting the library dependencies, helpers and toolchain.

The use of the newer toolchain, debhelpers from build-essential [31], and updated libraries will provide some degree of compatibility with the new release.

Notably, the development tools lintian [23][24], debcheck [25][26], and piuparts [27][28][29] *help* identify conflicts, problems, and non-adherence to Debian Policy in the new environment.

The tools' log files must be analyzed, and errors and warnings must be resolved carefully.

Older Debian source packages have an increased likelihood of divergence from, and non-compliance with, Debian Policy; these tools detect such cases.

In this situation, it may be beneficial to the porting effort to use the current Debian package version for guidance.

For example, non-compliance with the FHS [40] or with the init.d script and runlevel policy [41] is common.

All these Debian resources and tools aim to verify the integrity and consistency of a release, but they do not guarantee complete application functionality, which should have its own regression tests available to the packager and sysadmin.
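As an added example of the log analysis step above (not code from the page or from lintian itself), the following triage reads lintian's one-finding-per-line output, counts findings per severity, and gates a rebuilt package on having no unresolved E: findings; the sample log is constructed, and `triage`, `parse_lintian` and `allowed_tags` are names chosen for this example.

```python
import re
from collections import Counter

# One finding per line: "<severity>: <package>[ source]: <tag> [details]".
# Severity E = error (Policy violation), W = warning, I = info, P = pedantic, O = overridden.
LINTIAN_LINE = re.compile(
    r"^(?P<sev>[EWIPO]): (?P<pkg>[^:]+): (?P<tag>\S+)(?: (?P<detail>.*))?$")

def parse_lintian(log_text):
    """Return the findings in a lintian log as dicts; N: explanation lines are skipped."""
    return [m.groupdict() for m in map(LINTIAN_LINE.match, log_text.splitlines()) if m]

def triage(log_text, allowed_tags=()):
    """Summarise a lintian log: findings per severity, the distinct error tags
    that are not in allowed_tags (e.g. tags deliberately overridden), and an
    ok flag that gates the rebuilt package on having no such errors."""
    findings = parse_lintian(log_text)
    counts = Counter(f["sev"] for f in findings)
    errors = sorted({f["tag"] for f in findings
                     if f["sev"] == "E" and f["tag"] not in allowed_tags})
    return {"counts": dict(counts), "error_tags": errors, "ok": not errors}

# Constructed sample log (not output of a real lintian run) with the kind of
# FHS and init.d findings an old package rebuilt on a newer release produces.
SAMPLE_LOG = """\
N: Processing binary package foo (version 1.0-1) ...
E: foo: non-standard-dir-in-usr usr/foo/
E: foo: init.d-script-missing-lsb-section etc/init.d/foo
W: foo: binary-without-manpage usr/bin/foo
W: foo: init.d-script-does-not-source-init-functions etc/init.d/foo
I: foo: unused-override some-old-tag
E: foo: non-standard-dir-in-usr usr/foo/bin/
"""

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(result)
    raise SystemExit(0 if result["ok"] else 1)   # non-zero exit blocks the build pipeline
```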

[0] http://bugs.debian.org/release-critical

[1] http://release.debian.org

[2] http://qa.debian.org

[3] http://lists.debian.org/debian-devel-announce/2008/10/msg00000.html

[4] http://lists.debian.org/debian-devel-announce/2008/10/msg00004.html

[5] http://wiki.debian.org/DebianKernel

[6] http://www.debian.org/devel/debian-installer/

[7] http://release.debian.org/migration/

[8] http://linuxdriverproject.org

[9] http://security.debian.org

[10] http://security-tracker.debian.net/tracker/

[11] http://www.techforce.com.br/index.php/news/linux_blog/debian_75_minutos_para_fechar_bug_seguranca

[12] http://secunia.com/advisories/cve_reference/CVE-2008-0600/

[13] http://www.kb.cert.org/vuls/id/800113

[14] http://security-tracker.debian.net/tracker/CVE-2008-1447

[15] http://www.securityfocus.com/news/11526

[16] http://www.debian.org/News/2004/20040406

[17] http://blogs.csoonline.com/basic_guide_to_days_of_risk

[18] http://lwn.net/Articles/290156/

[19] http://www.redhatmagazine.com/2008/02/26/risk-report-three-years-of-red-hat-enterprise-linux-4/

[20] http://packages.debian.org/lenny/debsecan

[21] http://packages.debian.org/lenny/tiger

[22] http://www.debian.org/doc/manuals/securing-debian-howto/ch-sec-tools.en.html

[23] http://packages.debian.org/lintian

[24] http://lintian.debian.org/

[25] http://packages.debian.org/lenny/edos-debcheck

[26] http://qa.debian.org/debcheck.php

[27] http://packages.debian.org/lenny/piuparts

[28] http://wiki.debian.org/piuparts

[29] https://wiki.ubuntu.com/Testing/Automation/Piuparts

[30] http://packages.debian.org/lenny/devscripts

[31] http://packages.debian.org/lenny/build-essential

[32] http://www.linux-tested.com/

[33] http://www.ossystems.com.br

[34] http://www.xtestlabs.com/

[35] http://kmuto.jp/debian/hcl/

[36] http://hardware4linux.info/

[37] http://www.leenooks.com/

[38] http://www.linuxcompatible.org/compatoscat121.html

[39] http://hp.com/go/debian

[40] http://www.debian.org/doc/debian-policy/ch-opersys.html#s9.1

[41] http://www.debian.org/doc/debian-policy/ch-opersys.html#s-sysvinit