[conspire] Ubuntu, Knoppix, & other Debian-derived distros

Rick Moen rick at linuxmafia.com
Fri Oct 15 13:12:20 PDT 2004


William R Ward <bill at wards.net> wrote:
> 
> So, what happens to security updates with all these other distros?  Do
> they have security teams that provide patches whenever a Debian Woody
> security patch is released?
> 
> I'm tired of the way Woody is so outdated, but I really like the way
> the Debian security team does such a good job of staying on top of the
> patches.

Really good question.

Knoppix doesn't do updates as such, at all.  Much as people have come to
regard it as an easy way to install a mostly-Debian[1] system, it's
important to remember that it's intended to be first and foremost a 
live-CD distribution.  Heed the warning you're always shown when you
choose to run the installer script in /usr/local/bin:  That script is
unsupported, beta, and provided as a third-party contribution.  Klaus
and co. are happy that people find it useful, but those are not the
target audience.

You can "update" Knoppix by either downloading a new ISO or by using the
apt-get mechanism to make the installed system converge to one of the 
Debian development tracks (probably testing or unstable -- or my
personal favourite, testing w/access to unstable packages as desired).

Ubuntu, being a brand-new distribution, so far has just a placeholder
page where it aims in the future to have information about a "Security
Team", but there's a wiki page:
http://wiki.ubuntulinux.org/SecurityPolicy  Ubuntu does have a security
section of its (separate) repositories.  Only time will tell whether
they're able to effectively keep up.

Generally speaking, each of the other Debian derivatives is in one of
the three (arguably rickety) boats outlined above.  Either:

1.  The distribution uses some Debian branch snapshot as an initial
    point of departure and issues its own security-update packages from
    its own apt repository, or 

2.  The distribution does likewise but with _no_ security apt
    repository, e.g., because it's a live-CD distribution, or

3.  The distribution relies on Debian for that maintenance function.


Slight change of topic:  Conventional wisdom holds that Debian-testing 
gives you the worst possible security coverage:  The Debian Security
Team doesn't promise to cover the ass of any package maintainer who
fails to backport (if necessary) and release timely updates, unlike with
the stable branch.  And the quarantining scripts prevent immediate
access to new upstream maintenance releases, unlike with the unstable
branch.  This is quite true, as far as it goes.  (The quarantining
scripts hold up packages' migration into testing from unstable for a
minimum of two days, with possibly more, depending.)

However, I've always found testing's two judicious steps back from the
bleeding edge to be a compelling advantage, so I considered ways a
non-novice might narrow that gap -- and found my solution:

1.  Subscribe to the security-alerts mailing list (to get DSAs = Debian
Security Advisories).  Skim-read them as they arrive, to spot anything
relevant to your system.

2.  Add "unstable" lines to /etc/apt/sources.list, but use something
like this /etc/apt/preferences entry to keep their pin-priority low:

  Package: *
  Pin: release a=unstable
  Pin-Priority: 50

Then, you're still tracking the testing branch by default, but can have
instant access to unstable-branch packages (and their dependencies),
just by including "-t unstable" when you call apt-get.

(People using front-ends like aptitude can probably do that, too; I
just don't have relevant experience.)


[1] Knoppix seems to be about 90% Debian-unstable, 5% Mandrakelinux, and
5% Something Else Entirely.  FYI.
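The pin-and-pull procedure the post describes (sources.list lines for testing and unstable, a low-priority pin on unstable, then "-t unstable" on demand), as an added shell example that is not part of the original message. The mirror URL, the placeholder package name, and the directory argument (so the files can be written somewhere other than /etc/apt and inspected first) are assumptions; the check_pin helper is added here as a sanity check and is not an apt tool.

```shell
#!/bin/sh
# Added example, not code from the original post.  Sets up "testing by
# default, unstable on request" and verifies the pin before trusting it.
# Assumptions: MIRROR and the package name are placeholders; the first
# argument is the apt config directory (use /etc/apt on a real box).

MIRROR="${MIRROR:-http://deb.debian.org/debian}"   # assumed mirror; substitute yours

# Append testing + unstable lines to sources.list (idempotent: a line
# already present is not added twice).
write_sources() {
    root="$1"
    mkdir -p "$root"
    f="$root/sources.list"
    for suite in testing unstable; do
        line="deb $MIRROR $suite main"
        grep -qxF "$line" "$f" 2>/dev/null || printf '%s\n' "$line" >> "$f"
    done
}

# Write the pin that keeps unstable below 100.  An installed package
# effectively sits at priority 100, so unstable versions lose to whatever
# is installed and are never pulled in by a plain "apt-get upgrade";
# they only win when "-t unstable" raises them to 990 for that run.
write_pin() {
    root="$1"; prio="${2:-50}"
    cat > "$root/preferences" <<EOF
Package: *
Pin: release a=unstable
Pin-Priority: $prio
EOF
}

# Sanity check: an "a=unstable" pin must exist and its priority must be
# below 100.  Prints the priority found; returns 1 if missing or too high.
check_pin() {
    root="$1"
    prio=$(awk '
        /^Pin: release a=unstable/ { want=1; next }
        want && /^Pin-Priority:/   { print $2; exit }
        /^$/                       { want=0 }' "$root/preferences" 2>/dev/null)
    [ -n "$prio" ] || { echo "no pin for a=unstable" >&2; return 1; }
    echo "$prio"
    [ "$prio" -lt 100 ]
}

# Pull one package (and whatever it drags in) from unstable, leaving the
# rest of the system on testing.  Look at "apt-cache policy" output first:
# it is the authoritative view of which version apt will pick and why.
pull_from_unstable() {
    pkg="$1"
    apt-get update
    apt-cache policy "$pkg"
    apt-get -t unstable install "$pkg"
}
```

Run write_sources and write_pin against /etc/apt (as root), then check_pin /etc/apt before the first apt-get update. The awk check only confirms the file says what you meant; "apt-cache policy" on a package you care about is the real test, and it will also show the dependencies that "-t unstable" will bring along, which is the part of this setup that most often surprises people.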