Where are all the security updates?

94 replies [Last post]
leny2010

I am a member!

I am a translator!

Offline
Joined: 09/15/2011

> greenman you said what I want to say
> This is the truth with regret.
> I think we should Move to parabola

As Ruben indicated the delay is a temporary situation occasioned by
him (and presumably Aklis) commissioning a new system. Thus if you
want you can take temporary measures by reviewing the missing patches'
announcements on ubuntu-security-announce and perhaps look up the CVEs
on cert.org. So e.g. to take the openjdk-jre one, the package isn't
Trisquelised so you could just do a point install by downloading the
Ubuntu package. It'll be exactly the same package when it arrives in
the Trisquel repo. For a typical personal PC/laptop user only the
remote vulnerabilities are of concern. And even then unless you're
using them in an Internet facing situation (e.g. browser, java plugin)
then the risk is significantly mitigated for a typical end user
because they're almost always behind a firewall.

However, the reality is plenty of people ran Debian testing without
security support and not a few longer delays than the current Trisquel
ones for security patches for years without adverse effects.

Yes, it's not a good situation, but as I've said elsewhere - it's not
terrible either - DON'T PANIC.

Legimet
Offline
Joined: 12/10/2013

Where is this new infrastructure Ruben talked about? If people are going to help out, there needs to be some code, but I don't see it.

leny2010

I am a member!

I am a translator!

Offline
Joined: 09/15/2011

> Where is this new infrastructure Ruben talked about? If people are
> going to help out, there needs to be some code, but I don't see it.

The bones of it are documented in the now defunct Developer Meeting
IRC logs here

https://trisquel.info/en/wiki/developer-meetings

Given I can only help bits of the time I haven't pestered Ruben for
updates on it since. So e.g. jxself, Thinkpenguin Chris or SirGrant
might well know a lot more about what shape the idea has now. But the
plans were for a tailored gitorious instance and a new separate
community repo. Aklis was tasked with the gitorious instance. So
with the community repos AFAIK you personally wouldn't need to put
your Abrowser KDE mods in a PPA, Trisquel would be capable of hosting
it for you.

I dunno your IT background so the following might be teaching my
grandmother to suck eggs.

To answer your question, where is the code? AFAICT in the process of
commissioning not development. Replacing or adding to a current live
system with a new one based on the final copy of the live data is
always a tricky business no matter how carefully one plans. There's
nearly always a stoppage for final testing and unanticipated stuff
which turns up and takes additional time no matter how careful you are
beforehand. In terms of real life business systems, going live
transferring to a new system like this over only a weekend is really
good work for a whole team at SME size. There'd be a lot more
complaints and fallout if a new system was commissioned and it had
bugs and data errors (e.g. a three week old package repo) which
resulted in a prolonged period of unreliable service. These days
there can't be alphas and betas for an extant distro repo of course.
So contrary to what some people seem to think this delay is probably
proper quality professionalism in the face of very limited 'IT
department' resources.

The official launch date (i.e. when its intended you can use the new
function) and documentation may or may not come at the same time as it
goes live (i.e. when patches start flowing properly again). Depends
how Ruben has it scheduled, it might be a Belenos release date
announcement thing based on his assessment of bangs for the buck for
supporting alpha/beta during Belenos development. So you personally
might have to find him and ask if you want to use it straight away.
But really someone like you should be able to work it out from just
having the relevant hostnames if they're anything like decent web
services.

The above is just from general principles and a bit of published info.
As I say others who, unlike me, are 'in' the team (jxself, aklis,
sirgrant et al) might well know a lot more - it's just that, as I'm
sure you'll agree, getting the system live and testing it is a lot
more important than answering our questions which just slow the
process down if they're involved at all.

Which for the benefit of unhappy onlookers is why Ruben doesn't talk
to us much. It once took me three months to develop an ~8K line
billing system in a language I can mean over 300 lines a day in over
an entire project when it's just me (you would too, it never was worth
spending the time to learn to code VB at full speed so I didn't). The rest of the
time was spent dealing with the boss as he explained his latest great
idea for the system (which was always in the spec I'd given him).
Similarly wanting Ruben to talk to us more and wanting more from the
distro are mutually incompatible, IMO he's doing the right thing
ignoring us.

quantumgravity
Offline
Joined: 04/22/2013

I really agree with greenman, though I don't know how sensible it is to state criticism here.
In fact, it's Ruben's project and if he wants to stick with the current state, then so it will be.
Trisquel is right on top of my list of distros with great potential, but it will remain on my experimental PCs until there is a big change in development structure.

I really don't understand many things... if Ruben is lacking time, why not drop such tasks like "implement tor features in icecat"? There is the tor browser bundle, so why bother with something like this while security updates are drying out?
Why give speeches nobody ever listens to?
And I like the design of Trisquel, but I could live with standard gnome-fallback if this creates more space for frequent security updates.

I know some one-man projects when it comes to software.
Normally, the developer is the most active and reachable member of the board.
Maybe I would already have become a member if there weren't those doubts... well, let's see what the future brings.

Basically, Trisquel is just Ubuntu with removed packages and a pimped gnome-fallback.
I'm not underestimating this - clearly it's quite a task - but let's not forget this when talking about workload.

Legimet
Offline
Joined: 12/10/2013

I agree with you, the developer should be reachable and not ignore everyone. This is a free software project, and people should be able to contribute. If you look at trisquel-devel, the last post was in July. I think people have realized that submitting patches is futile because Ruben never looks at them.

leny2010

I am a member!

I am a translator!

Offline
Joined: 09/15/2011

> I agree with you, the developer should be reachable and not ignore
> everyone. This is a free software project, and people should be able
> to contribute. If you look at trisquel-devel, the last post was in
> July. I think people have realized that submitting patches is futile
> because Ruben never looks at them.

Hang on, I've had one patch accepted in the past and think I
understand why my few others weren't. Also you've mentioned some of
your patches have been accepted off list. So Ruben does look at them.

Ruben's communications behaviour might well appear lamentable, and there
will be better communicators in the free software world, perhaps many.
But he admitted to missing some patches in the first developer meeting
so he'll have fixed that and the evidence above is he has. So if some
of your patches haven't been accepted - he'll have his reasons.

Mzee
Offline
Joined: 07/10/2013

Just now I got some upgrade for the following packages:
cups cups-bsd cups-client cups-common cups-ppdc ffmpeg gnupg gpgv
libav-tools libavcodec53 libavdevice53 libavfilter2 libavformat53
libavutil51 libcups2 libcupscgi1 libcupsimage2 libcupsmime1 libcupsppdc1
libcurl3 libcurl3-gnutls libgcrypt11 libgudev-1.0-0 liblua5.1-0 libnss3
libnss3-1d libpostproc52 libswscale2 libudev0 linux-generic
linux-headers-generic linux-image-generic qemu qemu-common qemu-kvm
qemu-utils rsyslog udev

I highly doubt that these are all the missing packages but at least it's something.

Legimet
Offline
Joined: 12/10/2013

These updates showed up on my Trisquel 6 too, but it can't download the packages from us.archive.trisquel.info.

Dave_Hunt

I am a member!

Offline
Joined: 09/19/2011

I tried an upgrade of Trisquel 7, and apt-get cannot download any
updates from us.archive.trisquel.info (404 not found) at all.

lembas
Offline
Joined: 05/13/2010

I've filed a bug about the missing updates

https://trisquel.info/en/issues/5876

leny2010

I am a member!

I am a translator!

Offline
Joined: 09/15/2011

> I tried an upgrade of Trisquel 7, and apt-get cannot download any
> updates from us.archive.trisquel.info (404 not found) on all.
>

I'm currently successfully downloading them from
es.archive.trisquel.info . Your problem might well be a mirroring
thing, wait a bit and try again.

Legimet
Offline
Joined: 12/10/2013

I downloaded some of them (Trisquel 7 now). Surely there must be a way to solve these mirroring problems? I've seen it quite a bit in Trisquel but never in other distros.

leny2010

I am a member!

I am a translator!

Offline
Joined: 09/15/2011

I use Debian on my ARM boxen and always go for the uk debian.org server because some of the less well known servers can be dodgy like this. By extension a trisquel.info server, such as the one you're having problems with, should not be behaving in this way. But I dunno who the admin for it is. If it's Ruben et al again then it'll get fixed... eventually :-(

greenman
Offline
Joined: 12/04/2013

-- "This is the truth with regret. I think we should Move to parabola"

I think Trisquel is in the best shape of any of the Free distributions, and I doubt things are any rosier elsewhere. My comments are meant to help strengthen Trisquel.

-- "I don't see how Ruben living off just a part time job to be free to
develop Trisquel in the rest of the week can be described as anything
other than 'heavily invested.'"

You're right, that was a poor choice of words, and not fair on Ruben, who's been keeping the project going almost single-handedly. The comment was aimed more at his communication. I know that he is busy, and from running my own projects and businesses, I know that being too busy usually means communication falls off the radar. But my feedback to him is that communication can be more important to the health of a project. There have been many skilled people in the past who've been keen to contribute but have left due to these frustrations, and some of them may have helped share some of the workload and add new skills.

-- 'Volunteers are expected to be self motivated thus teach themselves and
keep contributing in the publicised ways until they make quality and
commitment criteria for being accepted as a dev (or whatever). Any
volunteer organisation has to triage out those who say they want to
contribute but don't sustain effort so they're not unnecessarily
expending valuable limited resources on them - this is the geek method
for it, which (obviously) works.'

Something which I'm failing at by not having figured out how to properly quote comments in the forum software yet :)

But yes and no. The article http://www.infoworld.com/article/2608819/open-source-software/open-source-software-how-to-crack-an-open-source-community.html sums it up quite well at the end. "But all require effort on both the parts of the community and those seeking admission." Trisquel is an example of a project where I don't see the 'geek method' working. People who do contribute are not acknowledged, whether it's their bug report, forum post or attempt to reach Ruben. These people have made the effort to report a bug, for example, but it sitting ignored for years doesn't lead them to try to contribute in other ways. No-one is saying hand over control of the updates repository :)

The point of my comments is to be constructive, and to suggest that those in contact with Ruben point out to him how important these weaknesses in the project are, and that addressing them, while it might be tedious at first, can help to reduce his workload and strengthen the project he's put so much into.

lembas
Offline
Joined: 05/13/2010

> Something which I'm failing at by not having figured out how to properly quote comments in the forum software yet :)

Just add a ">".

leny2010

I am a member!

I am a translator!

Offline
Joined: 09/15/2011

From your first quotation I wasn't the only one to be misled by your
tone.

Agreed. ISTR from around 2013 Trisquel was then 7 or 8 years old. If
it's that old and the actively contributing community is small then
you've got to figure that the 'build a community' mode of some [often
successful] free software projects has not been copied. A more open
communication style has to be part of that method. Ruben as the BDFL
carries the can for this. His narrow communication profile, geek
subculture method or not, is obviously a strong candidate as part of
the problem. Further the bits where he's not best practice geek
method - such as an overlong patch acceptance cycle time make matters
worse when you consider the limits of normal human persistence.

Thing is from what I can work out "the median number of active
contributors to a free software project / initiative is one"[1]
because an awful lot of people are making similar mistakes. Ruben at
least seems to have learnt part of this and be addressing the dev
community matter with infrastructure now. Hopefully he'll move on to
upping his communications game too.

I will observe that many so called 'geek subculture' behaviours are in
fact what any kind of geek will devolve to left to her own devices in
almost any setting. My own Father e.g. was a farmer, a 'farming geek'
and exhibited the same lamentable communication style failings as
Ruben. I know and have known plenty of other non-FLOSS technical geeks
who do/did as well.

In the final analysis free software is but 30 years old, at this stage
we're all pretty much still making it up as we go along. Given Ruben
has had the smarts to keep Trisquel going for this long, I think we
can expect him to work out what the next few steps are and have a good
chance of success.

[1] LibrePlanet 2013 IIRC.

Mzee
Offline
Joined: 07/10/2013

I just read that there are some issues with apt (https://lists.debian.org/debian-security-announce/2014/msg00219.html). I really hope that Ruben gets the new infrastructure to work again soon.

Pyraman
Offline
Joined: 06/05/2014

Very interesting thread! I agree with you that there are problems with Trisquel security. However, I think there are no reasons to beat a half-dead horse: Trisquel 6 would be outdated very soon. It is a much better decision to focus on Trisquel 7 and make sure that all the security bugs will be fixed in time - like this scary Heartbleed-scale bug of bash

http://www.theverge.com/2014/9/24/6840697/worse-than-heartbleed-todays-bash-bug-could-be-breaking-security-for

oysterboy

I am a member!

I am a translator!

Offline
Joined: 02/01/2011

Trisquel 6 is based on Ubuntu 12.04 which will be supported until 2017. I don't think Trisquel 6 is going to be outdated anytime soon.

Pyraman
Offline
Joined: 06/05/2014

Since our user/developer base is not large, it would be better to spend extra time on improving Trisquel 7, rather than supporting Trisquel 6. Even if Canonical would decide to support 12.04 till 2022, we do not have to follow their example, because our resources are much smaller than Canonical's.

onpon4
Offline
Joined: 05/30/2012

This is an absurd proposal. Trisquel 7 isn't even released yet. Besides this, dropping Trisquel 6 support early would be a betrayal of the users' trust; how can you possibly call Trisquel a stable system if versions of it can have their support dropped on a whim simply because there's a new version available?

Mzee
Offline
Joined: 07/10/2013

Additionally, AFAIK there are also no security updates for Trisquel 7 right now or is the situation different there?

Legimet
Offline
Joined: 12/10/2013

I got updates yesterday on 7, and I got some more updates today, but I still haven't gotten all the security updates.

leny2010

I am a member!

I am a translator!

Offline
Joined: 09/15/2011

I've just done my first aptitude update for a few days and the latest bash patches for Trisquel 7 were in there.

TheAngel
Offline
Joined: 10/13/2014

Hi,
Please can you give an update about these issues?
Is Trisquel upgraded?

Thank you.

Legimet
Offline
Joined: 12/10/2013

Yes, the updates now seem to be coming on time.

Mzee
Offline
Joined: 07/10/2013

Guys, it has again been a while since Firefox 34 was released. Furthermore, there are now important Xorg updates which fix several ancient security bugs. I thought there would be an automatic way to integrate updates from Ubuntu directly. Why are those important updates not yet available for Trisquel 7?

oysterboy

I am a member!

I am a translator!

Offline
Joined: 02/01/2011

You don't have abrowser 34? It was made available pretty quickly actually.

Mzee
Offline
Joined: 07/10/2013

Hum... unfortunately not for me. Is there anything wrong with my sources.list?

#deb cdrom:[Trisquel 7.0 _belenos_ - Release amd64 (20141102)]/ belenos main

# Trisquel repositories for supported software and updates
deb http://fr.archive.trisquel.info/trisquel/ belenos main
deb-src http://fr.archive.trisquel.info/trisquel/ belenos main
deb http://fr.archive.trisquel.info/trisquel/ belenos-security main
deb-src http://fr.archive.trisquel.info/trisquel/ belenos-security main
deb http://fr.archive.trisquel.info/trisquel/ belenos-updates main
deb-src http://fr.archive.trisquel.info/trisquel/ belenos-updates main
#deb http://fr.archive.trisquel.info/trisquel/ belenos-backports main
#deb-src http://fr.archive.trisquel.info/trisquel/ belenos-backports main

oysterboy

I am a member!

I am a translator!

Offline
Joined: 02/01/2011

Maybe the French mirror isn't up to date. Try with the US (us.archive.trisquel.info) or Spanish (es.archive.trisquel.info) counterparts (I use the us mirror and abrowser 34 is definitely there!).

Mzee
Offline
Joined: 07/10/2013

Thank you very much, oysterboy. Switching to the Spanish mirrors did the trick indeed. The French mirrors seem to have some issues and it would be great if someone would have a look into this.

oysterboy

I am a member!

I am a translator!

Offline
Joined: 02/01/2011

Good news! You may want to open a bug report about that French mirror problem (unless it's already been done by someone else).

Mzee
Offline
Joined: 07/10/2013

Apparently it has already been done: http://trisquel.info/en/issues/12976

Mzee
Offline
Joined: 07/10/2013

Ok, I switched to the Spanish mirrors but once again I didn't get any updates for quite a while now. Anyone having the same problem?

SuperTramp83

I am a translator!

Offline
Joined: 10/31/2014

I experienced the opposite - had to change from the Spanish to the US server to get the updates (108 MB of updates, mainly kernel and abrowser).

Bertel

I am a member!

Offline
Joined: 08/30/2010

Me too, back on nl.archives.

lembas
Offline
Joined: 05/13/2010

I too can confirm this. Filed a bug as well:

https://trisquel.info/en/issues/13409

Mzee
Offline
Joined: 07/10/2013

Thanks for filing a bug report. I hope this gets fixed soon. Switching to the US servers worked well.

lembas
Offline
Joined: 05/13/2010

Apparently there was some error that has now been fixed.

doolio
Offline
Joined: 12/31/2013

Shouldn't my system alert me when there are new updates? I believe Ubuntu does this. However, I don't recall ever seeing a popup dialog box alerting me to new updates. Could there be something not configured on my system to alert me? Not a major issue but just curious. Thanks.

I use aptitude if that matters rather than the GUI update managers.

Legimet
Offline
Joined: 12/10/2013

If you're using the standard GNOME edition of Trisquel, there should be a program called "Update Manager" that pops up.

onpon4
Offline
Joined: 05/30/2012

In my experience, it almost never does. What's supposed to invoke this, anyway?

Legimet
Offline
Joined: 12/10/2013

I'm not sure what invokes it (I spend most of my time on KDE).

doolio
Offline
Joined: 12/31/2013

Thanks Legimet. My DE is Xfce.