Where are all the security updates?

94 replies
Legimet
Online
Joined: 12/10/2013

If you look at the Ubuntu security notices for Trusty and Precise, a lot of the updated packages haven't shown up in Trisquel, neither Toutatis nor Belenos. I think the last security update I got was 2 weeks back for openssl. There's also an update from July for Apache which still hasn't shown up in Belenos: http://www.ubuntu.com/usn/usn-2299-1/. I think this is a pretty serious issue.

icaroperseo
Offline
Joined: 08/21/2014

Can someone be so kind as to confirm or refute this? Any notice or something? I also think it is a very sensitive issue.

Thanks in advance...

Kromaz
Offline
Joined: 06/07/2014

I agree security should be #1 priority. Why such a delay with security updates?

Legimet
Online
Joined: 12/10/2013

Still no security updates...

Legimet
Online
Joined: 12/10/2013

There are going to be a lot of changes for Trisquel 7, so we should just wait.
https://trisquel.info/en/issues/12244

icaroperseo
Offline
Joined: 08/21/2014

Great!!!

On Sat, 23 Aug 2014 at 9:17, name at domain wrote:
> There are going to be a lot of changes for Trisquel 7, so we should
> just wait.
> https://trisquel.info/en/issues/12244

quantumgravity
Offline
Joined: 04/22/2013

Well, I don't know what's so great about that. The work on a new release should never cause the security updates to dry out for weeks.
Recalling some other major security and privacy flaws of the past (ssh server running, google nameserver used by default), and the fact that we're left in the dark concerning the big announced speech of Ruben once again (we never saw the libre planet speech either and afaik there wasn't even an official statement what went wrong), I get the impression that the developer is massively overstrained with this project. That's the reason why I hesitate to use trisquel on my "important" computers; I really hope that the situation will improve in the future.

Sim
Offline
Joined: 09/29/2013

Can I ask you which OS you are using for your "important" computer?

quantumgravity
Offline
Joined: 04/22/2013

I use Debian wheezy with only free repositories enabled.
There is the risk of installing a non-free addon in software like iceweasel, but this can be avoided by checking the license of every addon individually.

I like the idea of trisquel and would love to see the project succeed, but my OS has to be extremely well tested and secure.
For my old laptop it's ok though...

Legimet
Online
Joined: 12/10/2013

It seems that we're left in the dark about almost everything. This new system, including a gitorious instance to help out with development and a community repo (like Launchpad PPAs I guess) was announced over a year ago. I hope too that this will change with the public dev platform. Right now, I would use Debian on an important computer; even the FSF uses it on their servers.

jxself
Offline
Joined: 09/13/2010

"even the fsf uses it on their servers."

You have information that is a few years out of date. Under RMS's instruction to show more support for FSF-endorsed distros their sysadmins have replaced them with Trisquel. http://www.gnu.org/server/ as just one example.

Kromaz
Offline
Joined: 06/07/2014

From what you're saying, maybe the FSF should consider staying with Debian on their servers. The only reason I mention this is because of the delays in security updates with Trisquel.

icaroperseo
Offline
Joined: 08/21/2014

With my last comment I tried to give a vote of confidence to the project. On the other hand, I share to a large extent his point of view and concern. I already expressed my concern and upset about this situation a couple of days ago on IRC.

I have not migrated to Trisquel yet (I was waiting for the new release), but just like you, the problem of security updates has made me reconsider it (or at least think about it more carefully).

Finally, I'd like to highlight a point that we have in common. Secrecy is not the best decision in a project of this size, the confidence is very easily lost. A timely notice could be a call to action...

Jodiendo
Offline
Joined: 01/09/2013

icaroperseo

Chill man, Ruben is the only soul responsible for Trisquel 7 DEVELOPMENT and he has no real wing man TO SUPPORT HIM.

Sooner or "LATER", he will send the updates for the new version of trisquel version 7. But on the other hand, all the safety updates for version 6.1 are updated. I'm personally just going to wait until all the major bugs are squashed out. Just be patient my fellow trisquerian. Don't lose your good karma.....

quantumgravity
Offline
Joined: 04/22/2013

It's absolutely irrelevant what the reasons for this lack of updates are; they may be completely legitimate but still security is one of the most important aspects of an operating system.

Just because the developer can't do any better at the moment, this is no reason for us to accept a vulnerability on our PCs.

Legimet
Online
Joined: 12/10/2013

I'm hoping that the changes will make it easier for others to contribute so that Ruben isn't too overstrained, and I agree that security updates are very important, especially for an LTS release which is supposed to be very stable. I'm installing the past few weeks' updates right now, and I hope things will change.

Legimet
Online
Joined: 12/10/2013

The updates for 6.0.1 stopped coming as well. In fact, the Trusty LTS enablement stack kernel is still not updated.

Kromaz
Offline
Joined: 06/07/2014

When running any operating system security has to be the top priority then stability. There are no excuses when it comes down to security. Hopefully this is taken seriously and rectified soon.

Legimet
Online
Joined: 12/10/2013

It has been mostly rectified in Trisquel 7 (the packages modified by Trisquel haven't been updated, it seems). I don't know about T6.

Kromaz
Offline
Joined: 06/07/2014

Let's just hope next time it doesn't take weeks to get these security updates.

icaroperseo
Offline
Joined: 08/21/2014

Strongly agree
On 24/08/2014 18:20, <name at domain> wrote:

> When running any operating system security has to be the top priority then
> stability. There are no excuses when it comes down to security. Hopefully
> this is taken seriously and rectified soon.
>

Sachin
Offline
Joined: 06/02/2012

I tried downloading the apache2.2-bin package in Trisquel 6 and I
received the version on which the bugs have been fixed.

akifo

I am a member!

Offline
Joined: 12/23/2011

Actually, Trisquel 7 is not officially released yet, so only 6.1 should
receive guaranteed updates ;)
Let's just wait for release.

On Thu, 2014-08-21 at 18:08 +0200, name at domain wrote:
> If you look at the Ubuntu security notices for Trusty and Precise, a lot of
> the updated packages haven't shown up in Trisquel, neither Toutatis nor
> Belenos. I think the last security update I got was 2 weeks back for openssl.
> There's also an update from July for Apache which still hasn't shown up in
> Belenos: http://www.ubuntu.com/usn/usn-2299-1/. I think this is a pretty
> serious issue.

--
Happy hacking!
Ivan Antipenko aka akifo
www: http://blog.akifo.pw
xmpp: name at domain
social net: http://social.feder8.ru/profile/akifo

Legimet
Online
Joined: 12/10/2013

6.0.1 didn't have updates either for a few weeks.

t3g
Offline
Joined: 05/15/2011

Inconsistency with releases and package updates doesn't really help to push people to use Trisquel on their servers. Of course the FSF uses it due to it being a part of their ideology, but it's a hard sell to many people and companies that want some sort of guarantee that this OS will work and be supported.

jxself
Offline
Joined: 09/13/2010

Everyone should be seeing updates and should now be happy. :)

smiley
Offline
Joined: 06/19/2013

I would have thought this kind of thing would be scripted to pull down the updates, no?

lembas
Offline
Joined: 05/13/2010

It is but quidam is working on the plumbing.

https://trisquel.info/en/issues/12244

boaz
Offline
Joined: 08/09/2013

Thanks to everyone who works on Trisquel!

Some feedback:

The most important priority for any operating system should be security. I think it's pretty obvious that no one wants their system remotely tampered with by bad people.

If a supported Trisquel release is not getting all the security updates it should, this is very very not good.

Work on new releases should never result in supported existing releases not getting important security updates in a timely manner.

Please don't see this as ungrateful whining by someone who's not working on the project and feels entitled to the work of others. I greatly appreciate the work of anyone who works on any free software project, especially Trisquel.

I have donated money to Trisquel in the past, but more importantly:

If Trisquel is to be promoted to people as a good distribution that they should use, it should be a good distribution that they should use.

A distribution that doesn't reliably get important security updates, is not a good distribution.

Again, everyone who works on this project, thank you for your service! I hope you take my humble feedback in the intended spirit.

Legimet
Online
Joined: 12/10/2013

This is continuing. No security updates for 10 days, I think. See http://www.ubuntu.com/usn/.

Kromaz
Offline
Joined: 06/07/2014

Can more people confirm this? I also haven't had any security updates in a while. Thanks

icaroperseo
Offline
Joined: 08/21/2014

Just out of curiosity, which version are you using currently?

On 08/09/14 at 13:38, name at domain wrote:
> Can more people confirm this? I also haven't had any security updates in
> a while. Thanks

Legimet
Online
Joined: 12/10/2013

It's for both 6 and 7.

Legimet
Online
Joined: 12/10/2013

I reopened the bug.

Mzee
Offline
Joined: 07/10/2013

I also reckon this is a very serious issue.

@Legimet: Which bug did you reopen?

@All: Wouldn't it be an option to script those updates by taking them from the Ubuntu project? Doing these kinds of things automatically would help a great deal, don't you think so?

greenman
Offline
Joined: 12/04/2013

@Mzee, this is the bug report: https://trisquel.info/en/issues/12244

Legimet
Online
Joined: 12/10/2013

Ruben said he disabled the automatic taking of updates from Ubuntu in preparation for the new release. Anyway, this is not a reason to completely stop the security updates since he can do it manually.

Mzee
Offline
Joined: 07/10/2013

Thanks for the link. I hope this can be fixed ASAP.

Mzee
Offline
Joined: 07/10/2013

This is a VERY serious issue. Why is there not even an official comment? I feel very uncomfortable recommending Trisquel to anyone at this point if there are no guaranteed security updates.

leny2010

I am a member!

I am a translator!

Offline
Joined: 09/15/2011

> This is a VERY serious issue. Why is there not even an official
> comment? I feel very uncomfortable recommending Trisquel to anyone at
> this point if there are no guaranteed security updates.

Forum readers, don't let my membership status fool you, this is all
strictly IM-experienced-O only.

I differ. Timeliness of security updates is just one security metric,
it isn't the be all and end all of security. Yes, it's _significant_
that updates have been delayed but the really dangerous part of those
bugs was their lifetime before discovery. Just as with Heartbleed
the prediscovery period is where most of the danger is.

The reality is bug and security patches are just as likely to
introduce additional security and functional bugs as any other new
code. Further a good number of security bugs cover local exploits,
which mostly are a concern for multiuser systems not the average
Trisquel user. Most remote exposures have no known exploits, and many
are avoided when you're in a typical end user 'behind a firewall'
(home/public wifi/LAN or GPRS/3/4G) environment. Thus unless any of the
outstanding fixes are critical for remote intrusion and have known
exploits[*] many a pro-IT shop would have you wait a lot longer than
Ruben has with these thus far.

So a delay _is_ significant, by all means prompt Ruben again, but as a
general rule a few weeks is not 'VERY serious.' Think of how long it
took websites to roll out the Heartbleed fixes. E.g. it took my bank a
month of auditing to confirm it wasn't using openssl anywhere.

I'll point out Ruben would have the time to handle these manually if
he was working full time on Trisquel as he used to. Therefore the
proper answer to security update concerns is to become an Associate
Member so Trisquel has the money to pay him to do that.

[*] you can check this by looking up the CVEs they fix on the web.

jxself
Offline
Joined: 09/13/2010

"Why is there not even an official comment?"

I think there was - See the bug report.

greenman
Offline
Joined: 12/04/2013

"but the really dangerous part of those bugs was their lifetime before discovery"

No, that gets it backwards. The really dangerous part is when the vulnerability is public and can be exploited by anyone. It is critical that vulnerabilities are patched as soon as they become public.

It's just another example of the project's difficulties in relying on one person. Looking back on the forums, many people have arrived with great enthusiasm and a range of skills, and have offered to help in all sorts of ways, but Ruben usually doesn't respond, seems not to ever read the forums, and rarely responds on IRC.

It's a pity, because Trisquel has great potential, is the Free distribution in the best shape, and could really be a success in spreading Free software. But at the moment, the message is that Free software is lagging behind, is buggy and is insecure.

Until there are others involved in developing the project, or the lead developer is at least heavily invested, Trisquel will continue to be seen as a novelty.

I know some of you do have access to Ruben - he ignores outsiders and has ignored my offers to help in the past, but if you do have contact with Ruben, the most important message I'd give him is that he cannot do everything. He has done great work, and this can be built on to become something the Free software community can be proud of, but by holding onto everything himself he is critically harming the project he loves, and Free software in general.

andrew
Offline
Joined: 04/19/2012

> I know some of you do have access to Ruben - he ignores outsiders
> and has ignored my offers to help in the past, but if you do have
> contact with Ruben, the most important message I'd give him is that
> he cannot do everything.

I'm also a Trisquel "outsider" here.

Regarding security, although I'm not entirely familiar with the process
I doubt Ruben would hand over control of the updates repository to an
outsider.

There are other ways that outsiders can help--check out the issues page
on the website for problems. I'm sure Ruben would accept patches for
those issues.

The best way of getting in contact with Ruben is via the Trisquel IRC
channel on freenode, his username is quidam. Just keep in mind that he's
in the timezone for Spain.

Andrew.

bitbit
Offline
Joined: 10/29/2012

Not only Trisquel: he has to manage even IceCat, as stated in a previous post in this forum.

leny2010

I am a member!

I am a translator!

Offline
Joined: 09/15/2011

> "but the really dangerous part of those bugs was their lifetime before
> discovery"
>
> No, that gets it backwards. The really dangerous part is when the
> vulnerability is public and can be exploited by anyone. It is critical
> that vulnerabilities are patched as soon as they become public.

I think the brevity of my language has led to us talking at cross
purposes. If I were to expand my original 'prediscovery' statement
with the proviso 'providing you're applying security patches in a
_appropriate_ fashion' I think you'd be in agreement with it.

I'm in full agreement with your statement if e.g. we take the nonsense
documented here:

http://www.cert.org/historical/advisories/ca-2001-02.cfm

where DNS/BIND vulnerabilities, which are security exposures against
critical Internet infrastructure, went unpatched by some distributors,
professional sysadmins etc. for over a year. Appalling, just as the
current/recent BGP nonsense is/was.

However, in the context of a desktop/laptop user who as per the
default has Update Manager set to check for patches once a week and, as
is common, puts off applying them in a haphazard fashion, perhaps for
several weeks, until it is 'more convenient,' a shortish delay
in shipping ordinary security patches at the distro end, while
_significant_, is not grounds for proclaiming the end of the (Trisquel)
world. We have to remember the GNU/Linux distro security patch
process is best in class, and providing the delay remains modest and
things like the next Heartbleed don't languish, Ruben is still doing a
lot better than many proprietary offerings.

So my message is essentially - read the back of the Hitchhikers' Guide
to the Galaxy (DON'T PANIC). That said, Ruben slipped on security
patch timeliness during Toutatis beta too, so twice is definitely
something which needs publicly addressing with a statement.

> It's just another example of the project's difficulties in relying on
> one person. Looking back on the forums, many people have arrived with
> great enthusiasm and a range of skills, and have offered to help in
> all sorts of ways, but Ruben usually doesn't respond, seems not to
> ever read the forums, and rarely responds on IRC.

IMO much of this is down to what FSF call 'geek culture' (others
mistakenly call it hacker culture). If one reads around a bit, say
some of ESR's essays and package maint-guide, then you'll find that
volunteers are expected to be self motivated thus teach themselves and
keep contributing in the publicised ways until they make quality and
commitment criteria for being accepted as a dev (or whatever). Any
volunteer organisation has to triage out those who say they want to
contribute but don't sustain effort so they're not unnecessarily
expending valuable limited resources on them - this is the geek method
for it, which (obviously) works.

Although even by those communication standards Ruben misses some things,
e.g. announcing the change from bazaar to git repos for the package
helpers so people have a way to help if they're so inclined. Nor is he
'perfect' or possessed of some all seeing wisdom. From what I can
work out he's relatively recently corrected the classic small business
mistake of assuming customers will just come to you without you doing
anything by issuing press releases and giving talks. However, by
extension many forum critics apportion themselves knowledges and
wisdoms which if they actually had them would best be demonstrated by
coding and submitting patches or similar. Ruben is at least
demonstrating he's learning from his mistakes and doing something
about the matters.

The current security update delays are in fact because he's putting in
the infrastructure to make contributing to the distro easier and more
varied in order to build a community of developers etc. So that issue
is presently being (belatedly) addressed. Given a part time Ruben is
effectively the current limit of Trisquel's resources then something
was bound to give. Plainly the migration to the new system was not as
straightforward as he and Aklis (who was tasked with part of the work)
had planned.

You say:

"But at the moment, the message is that Free software is lagging
behind, is buggy and is insecure."

True and not true. Trisquel has deliberately chosen to be a derivative
of Ubuntu LTSes so it's on a part of the stability axis where 'lagging
behind' is accepted. In many real life use cases this is desirable.
Try Parabola GNU/Linux if you want not lagging (aka bleeding edge).
You'll learn it is, as Ruben says, the users' blood which is spilled and
it requires you to join a cult where maintaining/admining one's computer
is more important than making productive use of it. Also, yes, as yet
there isn't a free software program for everything - just all the
common ones and a large number of others besides.

All software has bugs, they're unavoidable (well short of the
singularity or equivalent software writing AI tech perhaps). Free
software is no more buggy than proprietary software and Trisquel is
for the most part only as buggy as Ubuntu. If a particular bug sticks
in your craw do as I do, code a patch, use it yourself and submit it -
you can't do that with proprietary software. Remember quite a few of
the packages are for pre v1.0 software which is by definition 'use
only if you want to help with bug squashing / new features' because
it's still in development.

As to 'insecure,' there's no such thing as a theoretically secure
computer, although wise opinion has it a dismantled computer which is
never used and is locked in a vault in Fort Knox might qualify. Real
security practice is about balancing a range of factors specific to
the situation at hand. Which Ruben is quite capable of.

Admittedly we're in a period of delayed security patch delivery, but
from this forum how many Trisquel users are complaining of computer
pathogen infections or compromises? Compare this with some
proprietary anti-virus companies' estimates that in the region of 90%
of W$ machines are infected? With Ubuntu's practice of including
proprietary blobs, drivers and other non-free software, even with the
current delay you can't reliably claim 'less secure than upstream' let
alone 'insecure.'

IMO if Ruben is right and this new system helps build a decent dev etc
community then he has the balance about right at a 2/3 week delay for
common or garden lesser security patches given the apparent nature of
the average Trisquel user. If educational and business users et al
feel the need for better than this for the duration of this system
commissioning project then they can club together and stump up the few
K of Euros it will take for him to take bits of unpaid leave from his
day job and process the updates manually.

> Until there are others involved in developing the project, or the lead
> developer is at least heavily invested, Trisquel will continue to be
> seen as a novelty.

I don't see how Ruben living off just a part time job to be free to
develop Trisquel in the rest of the week can be described as anything
other than 'heavily invested.'

>
> I know some of you do have access to Ruben - he ignores outsiders and
> has ignored my offers to help in the past, but if you do have contact
> with Ruben, the most important message I'd give him is that he cannot
> do everything. He has done great work, and this can be built on to
> become something the Free software community can be proud of, but by
> holding onto everything himself he is critically harming the project
> he loves, and Free software in general.

As I've said, these delays are because he's fixing that. But don't
expect at the end of this contributor enablement project for there to
be a meeter and greeter who gives volunteers warm (virtual) hugs and
encouragement - there aren't the people to do it. Few free software
organisations have such resources, and when they have they focus them
on minorities such as women.

Not that I don't have sympathy with wanting that encouragement,
handholding and well just some thanks occasionally. That's why I
gravitate to chatting and answering questions on trisquel-users rather
than handling issues or writing patches. On trisquel-users you get
thanked more often.

I should explain I style myself as a 'disability rocket scientist'
i.e. the 'science' of regaining things others take for granted which
you lost as a result of your disability. Obviously when other
people's molehills are my mountains it's extra hard to keep going
without feedback. So things like a simple thank you are even more
valuable to me than is usual.

Yet based on a handful of days when I was well enough I was the only
person to submit patches to trisquel-devel in nearly a year. Exhuming
skills I hadn't used in decades and learning the tools in question
almost from scratch in the process. Admittedly, you have to allow
that with over 30 years in computing I've obviously accrued over those
famous 10,000 hours in it and yeah, I've surprised the local medics.
But, still if I can do this, and keep coming back when I'm well
enough, you have to say there are no insurmountable barriers to
volunteering for Trisquel. IMO volunteers who claim to the contrary
are exhibiting what Sartre calls 'bad faith.'

And so if you're concerned about the apparent sole developer situation
(when e.g. Legimet has had patches accepted), these patch delays and
all the other things you've mentioned then either do something more to
help the project (not necessarily a dev) or, as I said before, pay for
an associate membership so we get more Ruben time. At its cheapest
membership is the cost of two coffees a month (UK prices). As the
British proverb goes 'an ounce of practice is worth a pound of
theory.'

Jodiendo
Offline
Joined: 01/09/2013

leny2010 said

As the
British proverb goes 'an ounce of practice is worth a pound of
theory.'

American phrase:

Some people like to talk the talk. Few others will walk the talk....

Mzee
Offline
Joined: 07/10/2013

@leny2010: I would love to answer you myself but basically greenman already wrote everything I wanted to write for me. ;-)

@jxself: The last official comment is almost a month old now.

jxself
Offline
Joined: 09/13/2010

@jxself: The last official comment is almost a month old now.

I don't think anything has changed. :)

Kromaz
Offline
Joined: 06/07/2014

Amazing! Nothing has changed (month later) in terms of security updates. Think about what you said. Makes you wonder...

alimiracle
Offline
Joined: 01/18/2014

greenman, you said what I want to say.
This is the truth, with regret.
I think we should move to Parabola.