[Tfug] Debian struggling with security

Brian Murphy murphy+tfug at email.arizona.edu
Thu Jul 7 23:52:46 MST 2005


Quoting Matthew Eskes <meskes at azcomputercentral.com>:
> You know, to be honest I could have said that the security issues with Linux
> and Debian were to be expected. When you think about it, Linux (the Kernel,
> more or less) is really starting to become a big pile of buggy code.


It makes it hard to agree/disagree with you when you don't provide any
specifics.  Since I haven't had any problems, my inclination is to
disagree and educate you.


> Don't
> get me wrong, I like having all the functionality that it's now providing,
> which really is better than that in the 2.4.x line, but I feel that they
> aren't taking enough time in bugfixes and they are starting to add new
> features way too fast without fixing any bugs that they may have introduced
> with them (the infamous w.x.y.z subversioning they now have), and I think
> that it's starting to affect the overall quality of the kernel.


How so?  There are several common "kernels" to discuss.  Perhaps the
freedom of choice is becoming too much?  You seem to know that
development is going on in the 2.6.x branch.  Every so often 2.6.x will
slow down and release a milestone like the recent Linus 2.6.12 kernel.
This milestone will be "good enough" for most.  As 2.6.x gets more use,
real bugs with obvious fixes get applied to a 2.6.x.y branch.  By
definition 2.6.x.y will be more "stable" than 2.6.x.  But if you never
come across the 2.6.x.y bug condition, the two kernels will behave
identically for you.

The real point behind all of this is that Linus and other developers
observed 2 things.  First, developers prefer to be on the leading edge
code.  And second, linux distribution vendors run a slew of quality
assurance tests on their packages before releasing them to the masses.

As far as I can tell, solidarity has prevented the 2.6 series from being
broken into a 2.7 development version.  Linus wanted to keep all of the
smartest and most active developers in 2.6 for a while.  More eyes and
experience will get quicker solutions.  Contrast this to 2.4 where
fixes were first written by primary authors against 2.5 and the boring
work of backporting was often left for someone else.  I'm sure that I'm
not alone when I say that 2.4 never felt right to me.

Distribution vendors, especially "enterprise" vendors, put their
reputation and support behind their distro kernel package.  They run
quality assurance tests and apply further stabilization patches against
the vanilla Linus kernel.  General linux wisdom is to run your distro
kernel if you are ever in doubt or if you want the ultimate in
stability.  Since you are bothered by the development and w.x.y.z
kernel versions it doesn't sound like you went this route.

> For those
> reasons alone, I am starting to think more seriously about switching over to
> either Free or OpenBSD since they are known to audit their code to no end. I
> realise that this will not fix all the bugs since there is not one piece of
> bugfree software, but as I like to say, any small advantage I can get I will
> take.


Free and OpenBSD are analogous to running a linux distribution.  BSD has
stable and current (development) versions to choose from just like
debian has stable and unstable options.  Your work patterns and
hardware will best determine if linux or *bsd is better for you.


Brian


The opinions or statements expressed herein are my own and should not be
taken as a position, opinion, or endorsement of the University of
Arizona.
