From: trisq...@greenman.co.za
Subject: Re: [Trisquel-users] Where are all the security updates?
Date: Fri, 19 Sep 2014 00:27:56 +0200 (CEST)
> "but the really dangerous part of those bugs was their lifetime before
> discovery"
>
> No, that gets it backwards. The really dangerous part is when the
> vulnerability is public and can be exploited by anyone. It is critical
> that vulnerabilities are patched as soon as they become public.

I think the brevity of my language has led to us talking at cross purposes. If I were to expand my original 'pre-discovery' statement with the proviso 'providing you're applying security patches in an _appropriate_ fashion' I think you'd be in agreement with it.

I'm in full agreement with your statement if e.g. we take the nonsense documented here: http://www.cert.org/historical/advisories/ca-2001-02.cfm where DNS/BIND vulnerabilities, which are security exposures against critical Internet infrastructure, went unpatched by some distributors, professional sysadmins etc. for over a year. Appalling, just as the current/recent BGP nonsense is/was.

However, in the context of a desktop/laptop user who as per the default has Update Manager set to check for patches once a week and, as is common, puts off applying them in a haphazard fashion, perhaps for several weeks, until it is 'more convenient', a shortish delay in shipping ordinary security patches at the distro end, while _significant_, is not grounds for proclaiming the end of the (Trisquel) world. We have to remember the GNU/Linux distro security patch process is best in class and, providing the delay remains modest and things like the next Heartbleed don't languish, Ruben is still doing a lot better than many proprietary offerings. So my message is essentially - read the back of the Hitchhiker's Guide to the Galaxy (DON'T PANIC). That said, Ruben slipped on security patch timeliness during the Toutatis beta too, so twice is definitely something which needs publicly addressing with a statement.

> It's just another example of the project's difficulties in relying on
> one person. Looking back on the forums, many people have arrived with
> great enthusiasm and a range of skills, and have offered to help in
> all sorts of ways, but Ruben usually doesn't respond, seems not to
> ever read the forums, and rarely responds on IRC.

IMO much of this is down to what the FSF call 'geek culture' (others mistakenly call it hacker culture). If one reads around a bit, say some of ESR's essays and the package maint-guide, then you'll find that volunteers are expected to be self-motivated, thus teach themselves and keep contributing in the publicised ways until they meet the quality and commitment criteria for being accepted as a dev (or whatever). Any volunteer organisation has to triage out those who say they want to contribute but don't sustain effort, so they're not unnecessarily expending valuable limited resources on them - this is the geek method for it, which (obviously) works.

Although even by those communication standards Ruben misses some things, e.g. announcing the change from bazaar to git repos for the package helpers so people have a way to help if they're so inclined. Nor is he 'perfect' or possessed of some all-seeing wisdom. From what I can work out he's relatively recently corrected the classic small business mistake of assuming customers will just come to you without you doing anything, by issuing press releases and giving talks. However, by extension many forum critics apportion themselves knowledges and wisdoms which, if they actually had them, would best be demonstrated by coding and submitting patches or similar. Ruben is at least demonstrating he's learning from his mistakes and doing something about the matters. The current security update delays are in fact because he's putting in the infrastructure to make contributing to the distro easier and more varied, in order to build a community of developers etc. So that issue is presently being (belatedly) addressed.
Given a part-time Ruben is effectively the current limit of Trisquel's resources, something was bound to give. Plainly the migration to the new system was not as straightforward as he and Aklis (who was tasked with part of the work) had planned.

You say: "But at the moment, the message is that Free software is lagging behind, is buggy and is insecure." True and not true. Trisquel has deliberately chosen to be a derivative of Ubuntu LTSes, so it's on a part of the stability axis where 'lagging behind' is accepted. In many real-life use cases this is desirable. Try Parabola GNU/Linux if you want not lagging (aka bleeding edge). You'll learn it is, as Ruben says, the users' blood which is spilled, and it requires you to join a cult where maintaining/admining one's computer is more important than making productive use of it. Also, yes, as yet there isn't a free software program for everything - just all the common ones and a large number of others besides.

All software has bugs; they're unavoidable (well, short of the singularity or equivalent software-writing AI tech perhaps). Free software is no more buggy than proprietary software, and Trisquel is for the most part only as buggy as Ubuntu. If a particular bug sticks in your craw, do as I do: code a patch, use it yourself and submit it - you can't do that with proprietary software. Remember quite a few of the packages are for pre-v1.0 software, which is by definition 'use only if you want to help with bug squashing / new features' because it's still in development.

As to 'insecure,' there's no such thing as a theoretically secure computer, although wise opinion has it a dismantled computer which is never used and is locked in a vault in Fort Knox might qualify. Real security practice is about balancing a range of factors specific to the situation at hand, which Ruben is quite capable of.
Admittedly we're in a period of delayed security patch delivery, but from this forum how many Trisquel users are complaining of computer pathogen infections or compromises? Compare this with some proprietary anti-virus companies' estimates that in the region of 90% of W$ machines are infected. With Ubuntu's practice of including proprietary blobs, drivers and other non-free software, even with the current delay you can't reliably claim 'less secure than upstream', let alone 'insecure.' IMO if Ruben is right and this new system helps build a decent dev etc. community, then he has the balance about right at a 2-3 week delay for common-or-garden lesser security patches, given the apparent nature of the average Trisquel user. If educational and business users et al. feel the need for better than this for the duration of this system commissioning project, then they can club together and stump up the few K of Euros it will take for him to take bits of unpaid leave from his day job and process the updates manually.

> Until there are others involved in developing the project, or the lead
> developer is at least heavily invested, Trisquel will continue to be
> seen as a novelty.

I don't see how Ruben living off just a part-time job to be free to develop Trisquel in the rest of the week can be described as anything other than 'heavily invested.'

> I know some of you do have access to Ruben - he ignores outsiders and
> has ignored my offers to help in the past, but if you do have contact
> with Ruben, the most important message I'd give him is that he cannot
> do everything. He has done great work, and this can be built on to
> become something the Free software community can be proud of, but by
> holding onto everything himself he is critically harming the project
> he loves, and Free software in general.

As I've said, these delays are because he's fixing that.
But don't expect at the end of this contributor enablement project for there to be a meeter and greeter who gives volunteers warm (virtual) hugs and encouragement - there aren't the people to do it. Few free software organisations have such resources, and when they have they focus them on minorities such as women. Not that I don't have sympathy with wanting that encouragement, hand-holding and, well, just some thanks occasionally. That's why I gravitate to chatting and answering questions on trisquel-users rather than handling issues or writing patches. On trisquel-users you get thanked more often.

I should explain I style myself as a 'disability rocket scientist', i.e. the 'science' of regaining things others take for granted which you lost as a result of your disability. Obviously when other people's molehills are my mountains it's extra hard to keep going without feedback. So things like a simple thank you are even more valuable to me than is usual. Yet based on a handful of days when I was well enough, I was the only person to submit patches to trisquel-devel in nearly a year, exhuming skills I hadn't used in decades and learning the tools in question almost from scratch in the process. Admittedly, you have to allow that with over 30 years in computing I've obviously accrued over those famous 10,000 hours in it and, yeah, I've surprised the local medics. But still, if I can do this, and keep coming back when I'm well enough, you have to say there are no insurmountable barriers to volunteering for Trisquel. IMO volunteers who claim to the contrary are exhibiting what Sartre calls 'bad faith.'

And so if you're concerned about the apparent sole developer situation (when e.g. Legimet has had patches accepted), these patch delays and all the other things you've mentioned, then either do something more to help the project (not necessarily as a dev) or, as I said before, pay for an associate membership so we get more Ruben time.
At its cheapest, membership is the cost of two coffees a month (UK prices). As the British proverb goes, 'an ounce of practice is worth a pound of theory.'