You are not logged in.

#1 2008-02-18 12:47:46

dyscoria
Member
Registered: 2008-01-10
Posts: 1,007

Distrowatch weekly taking a dig at Arch

Distrowatch Weekly wrote:

The vmsplice() system call... vulnerability was first made public on February 8th. According to the Linux kernel changelog, it was fixed the same day and a new kernel, version 2.6.24.2, was made available on February 11th.

Linux distributions started releasing patches on February 11th, the same day the news became widely known. But how fast were they? ... A number of security advisories were published last week, shortly after the vmsplice() exploit became widely known. Debian GNU/Linux was the first to issue a fix, but within a day or two most major distros followed suit with their own announcements.

Other users might be even less lucky. Some developers of Arch Linux have previously argued that security announcements are redundant for their distribution as it uses the "rolling package update" mechanism with continuous package updates. But a quick look at their core tree reveals that six days after the vmsplice() vulnerability was published, it still only lists the vulnerable 2.6.24.1 kernel.

Any thoughts? I'm not entirely sure what my standpoint is. Security announcements don't mean much to me, but when dealing with security, surely the Kernel should be one of the things one should focus on to keep up to date.


flack 2.0.6: menu-driven BASH script to easily tag FLAC files (AUR)
knock-once 1.2: BASH script to easily create/send one-time sequences for knockd (forum/AUR)

Offline

#2 2008-02-18 12:50:43

bangkok_manouel
Member
From: indicates a starting point
Registered: 2005-02-07
Posts: 1,554

Re: Distrowatch weekly taking a dig at Arch

Announcement on home page + kernel patched on Feb. 10.


All design goals must be phrased in such a way that it is hard to use them as slogans to justify stupidity.

Offline

#3 2008-02-18 12:51:52

xsdnyd
Member
Registered: 2007-04-28
Posts: 110

Re: Distrowatch weekly taking a dig at Arch

am i wrong or is this just incorrect?
the same day i read of this exploit the arch devs already fixed it by releasing a kernel 2.6.24.1-2...

faster than anyone else big_smile


We can't stop here! This is bat country!!

Offline

#4 2008-02-18 12:52:54

dyscoria
Member
Registered: 2008-01-10
Posts: 1,007

Re: Distrowatch weekly taking a dig at Arch

The announcement refers to "Kernel 2.6.24.1 in Core" which is the kernel version with the vulnerability. The "Attention!" section appears to have been appended at a later date.


flack 2.0.6: menu-driven BASH script to easily tag FLAC files (AUR)
knock-once 1.2: BASH script to easily create/send one-time sequences for knockd (forum/AUR)

Offline

#5 2008-02-18 12:55:01

bangkok_manouel
Member
From: indicates a starting point
Registered: 2005-02-07
Posts: 1,554

Re: Distrowatch weekly taking a dig at Arch

Check out the date, you are safe here...
http://cvs.archlinux.org/cgi-bin/viewcv … 24.2.patch


All design goals must be phrased in such a way that it is hard to use them as slogans to justify stupidity.

Offline

#6 2008-02-18 12:55:14

dyscoria
Member
Registered: 2008-01-10
Posts: 1,007

Re: Distrowatch weekly taking a dig at Arch

Either that or Distrowatch are amazingly incorrect tongue Maybe someone snuck insane amounts of caffiene into the arch developers' taco's big_smile


flack 2.0.6: menu-driven BASH script to easily tag FLAC files (AUR)
knock-once 1.2: BASH script to easily create/send one-time sequences for knockd (forum/AUR)

Offline

#7 2008-02-18 12:56:11

Pierre
Developer
From: Bonn
Registered: 2004-07-05
Posts: 1,950
Website

Re: Distrowatch weekly taking a dig at Arch

Distrowatch is wrong! We fixed the vmsplice security whole at Sun Feb 10 15:44:59. So Arch was one of the first, if not THE first, which provides a security update. And in addition to this we did an announcement! Well our kernel has version 2.6.24.1, but it includes the fix. it is not named 2.6.24.2 because it was relased BEFORE the upstream update.

So I would conclude that Distrowatch do not know what they are talking about!

Offline

#8 2008-02-18 12:56:53

dyscoria
Member
Registered: 2008-01-10
Posts: 1,007

Re: Distrowatch weekly taking a dig at Arch

bangkok_manouel wrote:

Check out the date, you are safe here...
http://cvs.archlinux.org/cgi-bin/viewcv … 24.2.patch

Hmm it appears Distrowatch are in fact wrong. Unless they're referring to how long it took for this change to leave the Testing repository.


flack 2.0.6: menu-driven BASH script to easily tag FLAC files (AUR)
knock-once 1.2: BASH script to easily create/send one-time sequences for knockd (forum/AUR)

Offline

#9 2008-02-18 12:58:15

dyscoria
Member
Registered: 2008-01-10
Posts: 1,007

Re: Distrowatch weekly taking a dig at Arch

Pierre wrote:

Distrowatch is wrong! We fixed the vmsplice security whole at Sun Feb 10 15:44:59. So Arch was one of the first, if not THE first, which provides a security update. And in addition to this we did an announcement! Well our kernel has version 2.6.24.1, but it includes the fix. it is not named 2.6.24.2 because it was relased BEFORE the upstream update.

So I would conclude that Distrowatch do not know what they are talking about!

Ah thanks for the confirmation that Distrowatch have no idea what they're talking about big_smile Distrowatch weren't even slightly wrong too. Tut tut


flack 2.0.6: menu-driven BASH script to easily tag FLAC files (AUR)
knock-once 1.2: BASH script to easily create/send one-time sequences for knockd (forum/AUR)

Offline

#10 2008-02-18 13:00:51

dyscoria
Member
Registered: 2008-01-10
Posts: 1,007

Re: Distrowatch weekly taking a dig at Arch

Distrowatch Weekly wrote:

But a quick look at their core tree reveals that six days after the vmsplice() vulnerability was published, it still only lists the vulnerable 2.6.24.1 kernel (correction: Arch Linux released a fix on February 10th).

Did this just get fixed, or did I completely oversee this before? At least its corrected now smile

They should really change the table so that Arch are at the top, before the might Debian big_smile

Last edited by dyscoria (2008-02-18 13:01:24)


flack 2.0.6: menu-driven BASH script to easily tag FLAC files (AUR)
knock-once 1.2: BASH script to easily create/send one-time sequences for knockd (forum/AUR)

Offline

#11 2008-02-18 13:02:02

Pierre
Developer
From: Bonn
Registered: 2004-07-05
Posts: 1,950
Website

Re: Distrowatch weekly taking a dig at Arch

dyscoria wrote:
bangkok_manouel wrote:

Check out the date, you are safe here...
http://cvs.archlinux.org/cgi-bin/viewcv … 24.2.patch

Hmm it appears Distrowatch are in fact wrong. Unless they're referring to how long it took for this change to leave the Testing repository.

The kenrel was moved to [core] after a few hours of intensive testing. So the one who wrote that article did not even read the news on our front page. (right, this makes me a little angry :-))

Offline

#12 2008-02-18 13:08:01

FeatherMonkey
Member
Registered: 2007-02-26
Posts: 313

Re: Distrowatch weekly taking a dig at Arch

I agree I was monitoring Suse and Arch whipped there butts by a day or 2.

security announcements are redundant ... So it seems they must be for Suse

Last edited by FeatherMonkey (2008-02-18 13:09:30)

Offline

#13 2008-02-18 13:09:41

dolby
Member
From: 1992
Registered: 2006-08-08
Posts: 1,581

Re: Distrowatch weekly taking a dig at Arch

they added (correction: Arch Linux released a fix on February 10th) but the original article still stands there. i am not happy


There shouldn't be any reason to learn more editor types than emacs or vi -- mg (1)
[You learn that sarcasm does not often work well in international forums.  That is why we avoid it. -- ewaller (arch linux forum moderator)

Offline

#14 2008-02-18 13:12:18

dyscoria
Member
Registered: 2008-01-10
Posts: 1,007

Re: Distrowatch weekly taking a dig at Arch

They've just added an explanation for the dig too in the comments section:

ladislav 2008-02-18 13:08:42 wrote:

OK, my mistake, I didn't see the forum post.

Still, a random developer's post on a forum is not quite the same as GPG-signed, detailed advisory published on a mailing list dedicated to security. Arch has a mailing list already - why can't they just add another one?

The point here is that a user shouldn't have to LOOK for security advisories, they should be delivered to the user via mailing lists or RSS feeds. The Arch way is not right - what if I don't visit their forum or if I only visit once a month? Then I am excluded from finding out about any security problems.

Some distributions do this right, some don't. Those that don't should consider fix it. That's the point of the story.

I agree with dolby, this article should be ammended properly, especially with such a big error.

Last edited by dyscoria (2008-02-18 13:20:25)


flack 2.0.6: menu-driven BASH script to easily tag FLAC files (AUR)
knock-once 1.2: BASH script to easily create/send one-time sequences for knockd (forum/AUR)

Offline

#15 2008-02-18 13:14:25

FeatherMonkey
Member
Registered: 2007-02-26
Posts: 313

Re: Distrowatch weekly taking a dig at Arch

^^ Dismal do security guys really rely on Distro security notices seems poor to me.

I personally think you would of had to live in a bubble to miss this, then you might of needed a mailing list.

Last edited by FeatherMonkey (2008-02-18 13:20:49)

Offline

#16 2008-02-18 13:19:46

Mardukas
Member
From: Lithuania
Registered: 2007-08-05
Posts: 87

Re: Distrowatch weekly taking a dig at Arch

Me neither. Let's DoS distrowatch.com! \o/

Offline

#17 2008-02-18 13:22:45

Pierre
Developer
From: Bonn
Registered: 2004-07-05
Posts: 1,950
Website

Re: Distrowatch weekly taking a dig at Arch

...and btw: we have sent an announcement to the ml. How should we contact users which do not visit our homepage, nore read rss, nor mailing-lists nor irc etc.?

Offline

#18 2008-02-18 13:24:33

FeatherMonkey
Member
Registered: 2007-02-26
Posts: 313

Re: Distrowatch weekly taking a dig at Arch

esp lol

Offline

#19 2008-02-18 13:25:06

dyscoria
Member
Registered: 2008-01-10
Posts: 1,007

Re: Distrowatch weekly taking a dig at Arch

Pierre wrote:

...and btw: we have sent an announcement to the ml. How should we contact users which do not visit our homepage, nore read rss, nor mailing-lists nor irc etc.?

Easy, send a letter by post! Maybe even call them personally!
There's no such thing as lack of resources big_smile


flack 2.0.6: menu-driven BASH script to easily tag FLAC files (AUR)
knock-once 1.2: BASH script to easily create/send one-time sequences for knockd (forum/AUR)

Offline

#20 2008-02-18 14:07:43

VikM
Member
Registered: 2007-11-10
Posts: 50

Re: Distrowatch weekly taking a dig at Arch

Let me put some gas on fire, the distrowatch article is wrong but there are some things that might keep some security conscious people away from Arch:
- change logs. For example php 5.2.5-4 was released a few days ago. Why? Is there a critical bug-fix, so I should upgrade as soon as possible, or can I wait until my regular update schedule? (Otherwise php is a great package in arch, thanks Pierre)
- some packages are quickly updated, some not. See http://bugs.archlinux.org/task/8613, from 2007-11-20 to 2008-02-11 to apply some simple patches. Even 2007-11-20 was quite late. Is someone looking on others distros security changelogs or security sites to see what is happening around?
- the arch way, as vanilla as possible, config files as default as possible is not always the best approach. The denyhosts problem, the xorg default config listening on the net are two examples fixed as result of users requests, great, but they where obvious...
- since when is iptables 1.4.0 out? 2007-12-22. Not crucial, but again this raises the question "how much does Arch care about security?"
Not to mention Fedora/RedHat/Gentoo/OpenBSD (at least) usage of hardening gcc switches for theirs packages. These switches are in vanilla gcc since 2005. Fedora/RedHat also uses the vanilla kernel's selinux.

Offline

#21 2008-02-18 14:23:41

Pierre
Developer
From: Bonn
Registered: 2004-07-05
Posts: 1,950
Website

Re: Distrowatch weekly taking a dig at Arch

You're right, but that was not really the topic of the article. I think we should discuss this in a separate thread. (imho an important topic, too)

Offline

#22 2008-02-18 14:41:37

VikM
Member
Registered: 2007-11-10
Posts: 50

Re: Distrowatch weekly taking a dig at Arch

Offline

#23 2008-02-18 15:23:20

fwojciec
Member
Registered: 2007-05-20
Posts: 1,411

Re: Distrowatch weekly taking a dig at Arch

I just posted a comment about this on the Distrowatch comments section.  I encourage everyone to post there also until the article is revised to be somewhat closer to reality.  Ladislav made a correction in the text, that's true, but Arch is still listed as one of the "trouble" distros, the text of the article targets Arch developers specifically as having an incorrect idea about security updates, and a later comment by Ladislav (in the comment section) suggests that Ladislav is still not fully aware of the extent of his misrepresentation of Arch.

Personally I think that we should complain until Arch is *recognized* as one of the *fastest distros* to provide the fix to this security issue to their users!!!

Offline

#24 2008-02-18 16:11:51

tlaloc
Member
From: Lower Saxony
Registered: 2006-05-12
Posts: 350

Re: Distrowatch weekly taking a dig at Arch

I am more concerned with ladislav's expression "random developer" (quoted above). I haven't checked yet who was meant/attacked there - and frankly, I don't care. I would stubbornly cling to my belief that Arch devs are not chosen at random.
(And please, don't tell me: That's what you WOULD LIKE to believe ...)

Offline

#25 2008-02-18 16:46:52

Pudge
Arch Linux f@h Team Member
Registered: 2006-01-23
Posts: 298

Re: Distrowatch weekly taking a dig at Arch

I have been using the Archlinux site for updating lately because the mirror I usually use is out of date.  I JUST NOW changed back to my usual mirror and did a pacman -Syu.  Here are my results:

:: Synchronizing package databases...
core                      23.7K  255.0K/s 00:00:00 [#####################] 100%
extra                    303.3K  949.9K/s 00:00:00 [#####################] 100%
community                335.9K 1071.0K/s 00:00:00 [#####################] 100%
:: Starting full system upgrade...
warning: firefox: local (2.0.0.12-2) is newer than extra (2.0.0.11-2)
warning: flex: local (2.5.33-4) is newer than core (2.5.33-3)
warning: kernel26: local (2.6.24.1-2) is newer than core (2.6.23.14-1)
warning: lib32-cairo: local (1.4.14-1) is newer than community (1.4.12-2)
warning: lib32-gcc-libs: local (4.2.3-3) is newer than community (4.2.2-3)
warning: lib32-gtk2: local (2.12.7-1) is newer than community (2.12.5-1)
warning: lib32-libtasn1: local (1.3-1) is newer than community (1.1-1)
warning: lib32-libxmu: local (1.0.4-1) is newer than community (1.0.3-1)
warning: lib32-pcre: local (7.6-2) is newer than community (7.5-1)
warning: licenses: local (2.3-1) is newer than core (2.2-2)
warning: mplayer-plugin: local (3.50-3) is newer than extra (3.50-1)
warning: nvidia: local (169.09-2) is newer than extra (100.14.19-6)
warning: nvidia-utils: local (169.09-1) is newer than extra (100.14.19-2)
warning: pcre: local (7.6-2) is newer than core (7.5-1)
warning: sshfs: local (1.9-1) is newer than extra (1.8-1)
warning: truecrypt: local (4.3a-12) is newer than extra (4.3a-11)
local database is up to date

The mirror in question is:
ftp://locke.suu.edu/linux/dist/archlinu … /os/x86_64

There are sixteen packages that I have installed that are not up to date, INCLUDING kernel26.  So for anyone who uses this mirror exclusively and did not read the front page in order to change mirrors, this important change is STILL not available.

In all fairness, perhaps someone from distrowatch checked one of our mirrors that is out of date.  I realize that Arch Linux is not responsible for the actions of the mirror sites, but what the mirror sites do affects Arch's image.  Do we need to exercise more control over the mirrors?  Is it even possible to control the mirror sites?

Pudge

Offline

Board footer

Powered by FluxBB