Debian Security Survey
With regards to your "Debian Security Survey"
Thank you for giving us the opportunity to listen to our feedback on
the issue of security updates for Potato.
We are a small ISP, but we have specialized in setting up and
maintaining e-mail and web-servers for our customers. We currently
have over 70 servers under maintenance running Debian Linux. Of these
10 are running Woody, the rest are still on Potato.
Virtually all of these servers are on remote customer sites. Most of
the Potato servers are on analogue or ISDN dial-up connections. To
upgrade Potato to Woody requires a download of about 100MB - which is
obviously a slow process.
We have quite a lot of carefully configured software on these
servers. Thus we have been moving to Woody quite slowly and
monitoring the systems for quirks in the upgrade process.
When we are happy that we are making the "best use" of Woody we will
start upgrading these servers "en masse". I expect this to be sometime
in January next year. Even then it will take weeks to get them all
upgraded. There may be some that we would prefer not to upgrade at
all due to the nature of the hardware, limited usage etc.
Fortunately all of the dial-up boxes are on dynamic IPs which makes
them far less vulnerable to scanning and intrusion than permanently
In addition we have one system which is running WAN router hardware
as well as a multipoint serial card for remote dial-up access. This
has a customized kernel (ver 2.2.19), customized advanced routing
(using "ip route"), snmp, and a lot of scripts for monitoring and
logging. Of course it is live 24/7 in a production environment.
Upgrading this box is going to be a project all on its own.
We have already completed the upgrade of our main in-house webserver
and mail servers. These were fairly big projects as they have
customized setups, scripting etc. They also host many domains and
many users so we had to devise strategies to complete the upgrades
without causing too much disruption to the customers.
We have had development systems running Woody for a year or more.
I hope the above gives you an idea of what challenges are involved
in upgrading to Woody. I think many other people are faced with
similar tasks. It is important to understand that the slow pace of
the upgrades is often not due to a late start or a lack of interest,
but rather due to a large amount of caution when working with
I would like to see:
- Full security support for Potato for at least another 3 months.
- Limited security support for a longer period. For example it would be
very nice if Debian Security could make a commitment to release
updates for Potato, for any relevant vulnerability listed in a
CERT (http://www.cert.org) advisory for a period of say 12 months.
The idea is to at least fix remotely exploitable vulnerabilities that
do not require the attacker to have knowledge of a local account
password. I mentioned CERT as they seem to be very conservative. They
do not issue advisories before the exploit has been verified and is
deemed to be a significant risk. Thus many of the DSAs cover
vulnerabilities which do not make it into the CERT lists. Yet a very
large percentage of compromised servers are compromised via
vulnerabilities that have already been published in CERT advisories
at the time of the intrusion. As no new software has been added to
Potato for years the actual number of security releases required to
implement the above should not be all that large.
Potato was the preferred stable version of Debian for a number of
years and there must be a very large number of machines installed
with this version of the distribution. Many of the people who
installed Potato chose Debian because they were installing it on
publicly accessible production servers. Debian is probably still the
best distribution for a stable secure Linux system. It would be
unfortunate to disappoint those people now.
Ian Forbes ZSD
Office: +27 21 683-1388 Fax: +27 21 674-1106
Snail Mail: P.O. Box 46827, Glosderry, 7702, South Africa