Thursday, May 22, 2008

Stand By Your Debian

The story so far: the Debian distribution of Linux has been having OpenSSL troubles recently, as it came to light that the OS has been using poor random number generation since 2006. A Debian-specific patch to OpenSSL's random number generator had left the process ID as effectively its only seed, so when the news became public three weeks ago, it turned out that both Debian and Ubuntu had been generating SSL keys from a random number space of around 32,000 possibilities, one per possible process ID.
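As an added illustration (not code from the article, from Debian, or from OpenSSL), the following Python model shows why a generator whose only seed is the process ID leaves an attacker a keyspace small enough to enumerate, and the mitigation that was used in practice: a blacklist of the fingerprints of every key the weak generator can produce, which is the idea behind the openssl-blacklist and openssh-blacklist packages. It assumes the Linux default pid_max of 32768 and uses a hash-based toy key derivation in place of real RSA key generation; the function names, labels and the victim PID are constructed for the example.

```python
import hashlib
import os

# Assumption (not from the article): the Linux default pid_max, which bounds
# the number of distinct seeds a PID-only PRNG can ever see.
PID_MAX = 32768


def toy_prng_key(seed: bytes, label: bytes) -> bytes:
    """Toy stand-in for a key generator: derives 256 bits of key material from
    a seed by hashing. Real RSA key generation is far more involved, but the
    lesson is the same: the key is a deterministic function of the seed, so
    the keyspace is exactly as large as the seed space."""
    return hashlib.sha256(b"toy-keygen:" + label + b":" + seed).digest()


def weak_keygen(pid: int, label: bytes = b"rsa-2048") -> bytes:
    """Models the broken build: the process ID is the only entropy the PRNG is
    seeded with, so there are at most PID_MAX distinct keys per key type."""
    return toy_prng_key(pid.to_bytes(4, "big"), label)


def good_keygen(label: bytes = b"rsa-2048") -> bytes:
    """Models a correct build: the seed comes from the OS entropy pool."""
    return toy_prng_key(os.urandom(32), label)


def fingerprint(private_key: bytes) -> str:
    """Toy fingerprint: a hash of the 'public' half, which in this model is
    itself derived from the private key. Fingerprints are what a blacklist
    stores, because they can be computed from public material alone."""
    public_key = hashlib.sha256(b"toy-public:" + private_key).digest()
    return hashlib.sha256(public_key).hexdigest()[:32]


def recover_private_key(fp: str, label: bytes = b"rsa-2048"):
    """The attack: knowing the key came from an affected system, enumerate
    every PID, regenerate each candidate key and compare fingerprints.
    Returns (pid, private_key) on a hit, or None."""
    for pid in range(1, PID_MAX + 1):
        candidate = weak_keygen(pid, label)
        if fingerprint(candidate) == fp:
            return pid, candidate
    return None


def build_blacklist(label: bytes = b"rsa-2048") -> set:
    """The defence used after the fact: precompute the fingerprint of every
    key the weak generator can emit, then refuse any key on the list."""
    return {fingerprint(weak_keygen(pid, label)) for pid in range(1, PID_MAX + 1)}


def is_blacklisted(fp: str, blacklist: set) -> bool:
    """Check a key (by fingerprint) against the precomputed weak-key list."""
    return fp in blacklist


if __name__ == "__main__":
    victim_pid = 4242  # constructed example; any PID works
    victim_key = weak_keygen(victim_pid)
    fp = fingerprint(victim_key)
    print("private key recovered from fingerprint:",
          recover_private_key(fp) == (victim_pid, victim_key))
    blacklist = build_blacklist()
    print("weak keys in existence for this key type:", len(blacklist))
    print("victim key blacklisted:", is_blacklisted(fp, blacklist))
    print("freshly generated key blacklisted:",
          is_blacklisted(fingerprint(good_keygen()), blacklist))
```

The blacklist has to be built once per key type and size the weak generator could have emitted (the real packages shipped separate lists for each), and it only catches keys from the modelled generator; it says nothing about keys made elsewhere, which is why regenerating keys, rather than relying on the check alone, was the advice given at the time.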

As a result, anyone who generated keys on a Debian or Ubuntu system has spent the past month regenerating and redistributing their entire library of OpenSSL encryption keys and certificates. I asked Mark Shuttleworth, founder of Canonical and Ubuntu Linux, if Debian had lost its credibility through this affair. He sent me the following e-mail reply, which I've reprinted in its entirety:

"It was certainly a very serious security issue, and I understand where your concerns are coming from, but for the record I am still confident that the Debian approach of self-motivated and largely self-selected specialist maintainers results in the best overall quality of packages in something the scale of Ubuntu or Debian. We have no plans to shift to a different model for Ubuntu than collaborating closely with Debian. Of course, we think that Canonical and Ubuntu's process, as an additional layer, does add something, but we consider Debian to be a superb, diligent and effective community with which to collaborate.

If you look at the sequence of events, the Debian maintainer actually took the patch to the designated upstream mailing list, where he got a response from an upstream developer suggesting that the patch was fine. He followed what most folks would consider to be reasonable best practice, and in the final analysis we can't attribute the result to anything other than a very unfortunate combination of errors. The process was not intrinsically broken.

Ubuntu maintainers didn't fix the issue a week before Debian -- we worked with the Debian maintainers and uploaded fixed packages simultaneously in both places. Some process issues on the Debian side held up the fixes there for a little while, but in principle the work was done jointly. As always, Debian maintainers contribute a great and unique depth of expertise.

We are still conducting a review of this failure, so we will probably make some changes. Among other things, we expect to contract or otherwise engage external consultants for regular reviews of security-critical packages in both Debian and Ubuntu. We can help both Debian and Ubuntu achieve an even higher level of security awareness and protection, and we don't see it as something on which we would compete with Debian so much as collaborate. Ubuntu's security track record until this event has been exceptional, and while the Ubuntu team does a tremendous amount of work that is specific to Ubuntu, we also benefit greatly from our collaboration with the huge community of Debian maintainers."

-- Alex Handy
