Software repositories and vulnerabilities


#1

I find the whole concept of software repositories extremely flawed, especially from a security standpoint.

It makes sense for the operating system to have easily updateable repositories (especially with a rolling release like PureOS - flaws can get patched and updated as soon as devs get to it), but why on Earth does every Linux distro keep an outdated list of non-essential software? (i.e. not the OS)

Case in point (please correct me if I’m wrong) - as soon as Meltdown / Spectre were announced, Mozilla were fast in developing a temporary patch. If you rely on software repos to update FF for you, you’re not going to get that patch for weeks / possibly months.

Coming from a Windows background, this seems odd and stupid. It doesn’t seem like Linux has PPAs (which apparently are a security no-no?) for every app out there, and keeping your non-repo apps up to date by downloading a new version via a web browser every time is an administrative nightmare.

To me, this is the biggest hurdle I see for potential Windows users coming across to the Linux ecosystem. Non-OS software installation and administration is a total mess - you’re always running old or out of repo software to stay up to date. I know of some initiatives like Flatpak and AppImage, however that is not globally used across the broad spectrum of applications in the Linux space.

Speaking more broadly about the Linux ecosystem; what I can’t understand is why so much developer talent is wasted on creating 50 flavours of a desktop environment, when perhaps what the space needs is some consolidation and perhaps some effort directed to application management that doesn’t involve software repositories.


#2

I would suggest a torrent aggregator program that would notify and distribute whole software repositories to every node in the network, for both redundancy and speed. The system would begin with a temporary analysis of the point of origin and the MAN networks available, and then work up to the WAN networks.
The system would not require any form of login or account; rather, it would just use a tracker maintained by the root DISTRIBUTION, like FEDORA, DEBIAN, GENTOO, OPEN-SUSE etc., the big ones. The derivative distributions would just use different administration accounts on the same tracker but be a sub-directory of the main root. There would also need to be a way to encourage users to contribute time spent on the network and bandwidth provided, some sort of compensation.

Anyway, that is just a thought. I’m not a fan of the fragmentation in the GNU/LINUX space either.


#3

Good distros have a security team that pushes security updates immediately. I know that Debian and Ubuntu have such teams. All officially supported apps in the repos receive timely security updates. For example, the Meltdown and Spectre patches were pushed pretty much immediately. I do not know if PureOS has an official security team that pushes timely security updates yet.


#4

Since PureOS tracks Debian testing, I’m pretty sure PureOS gets security updates pretty much as soon as they are available in Debian. I might be wrong though.


#5

I thought that PureOS tracks Debian Unstable rather than Debian Testing. I could be wrong there.

I’m afraid you are wrong here. The Debian security team only makes sure that Debian Stable gets timely security updates. Debian immediately publishes security advisories as soon as they learn about vulnerable packages and they publish updates as soon as possible. Further, the Debian security team coordinates with upstream vendors to publish these updates before the vulnerabilities are public.

From the Debian Security Team FAQ:

Q: How is security handled for unstable?

A: Security for unstable is primarily handled by package maintainers, not by the Debian Security Team. Although the security team may upload high-urgency security-only fixes when maintainers are noticed to be inactive, support for stable will always have priority. If you want to have a secure (and stable) server you are strongly encouraged to stay with stable.

I’m not saying that PureOS is insecure. I’m only saying that I know that Debian’s software repositories are not “flawed” as @tez suggested. I am not sure about the repositories of PureOS. I would need to talk to the PureOS maintainers to find out.
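A practical way to check the distinction drawn in the post above on your own machine is to look at where apt's candidate version of a package actually comes from. The script below is an added example, not code from this thread or from Debian/PureOS; it parses the text `apt-cache policy <package>` prints (a constructed sample is embedded, with illustrative version strings) and reports whether an update is pending and whether the candidate comes from the Debian security archive. The `SECURITY_HOSTS` set is an assumption you would adjust for your own mirrors.

```python
import re
from urllib.parse import urlparse

# Constructed sample of `apt-cache policy firefox-esr` output; the version
# strings and mirror URLs are illustrative, not captured from a real host.
SAMPLE_POLICY = """\
firefox-esr:
  Installed: 52.9.0esr-1~deb9u1
  Candidate: 60.2.0esr-1~deb9u1
  Version table:
     60.2.0esr-1~deb9u1 500
        500 http://security.debian.org/debian-security stretch/updates/main amd64 Packages
 *** 52.9.0esr-1~deb9u1 100
        100 /var/lib/dpkg/status
     52.8.1esr-1~deb9u1 500
        500 http://deb.debian.org/debian stretch/main amd64 Packages
"""

# Archive hosts served by the Debian security team (assumption: extend for local mirrors).
SECURITY_HOSTS = {"security.debian.org"}

VERSION_ROW = re.compile(r"^\s*(?:\*\*\*\s+)?(\S+)\s+(-?\d+)$")  # "   60.2.0esr-1~deb9u1 500"
ORIGIN_ROW = re.compile(r"^\s+-?\d+\s+(\S+)")                    # "      500 http://..."

def parse_policy(text):
    """Parse apt-cache policy output into (installed, candidate, {version: [origins]})."""
    installed = candidate = None
    origins, current = {}, None
    for line in text.splitlines():
        if line.startswith("  Installed:"):
            installed = line.split(":", 1)[1].strip()
        elif line.startswith("  Candidate:"):
            candidate = line.split(":", 1)[1].strip()
        elif VERSION_ROW.match(line):          # a version row opens a new group of origins
            current = VERSION_ROW.match(line).group(1)
            origins.setdefault(current, [])
        elif current and ORIGIN_ROW.match(line):
            origins[current].append(ORIGIN_ROW.match(line).group(1))
    return installed, candidate, origins

def check_update_source(text):
    """Report whether an update is pending and whether it comes from a security archive."""
    installed, candidate, origins = parse_policy(text)
    hosts = {urlparse(o).hostname for o in origins.get(candidate, [])}
    return {
        "installed": installed,
        "candidate": candidate,
        "update_pending": installed != candidate,  # plain string compare, not dpkg ordering
        "candidate_from_security": bool(hosts & SECURITY_HOSTS),
    }
```

Run it against live output with `apt-cache policy firefox-esr | python3 -c 'import sys; ...'` or by reading the text into `check_update_source`; a candidate that only ever comes from the main suite on a testing or unstable system is the maintainer-driven path the FAQ quote describes.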


#6

If this link in the tracker is accurate, I believe @taylor-williamc is correct about updates in general, though not necessarily security items. Note “The landing suite is synchronized with Debian testing main.” It still takes time to get to ‘green’ for us to see it.

I never have found or received a good explanation for how packages are propagated, and it is frustrating at times. I had to create a Task to upgrade Thunderbird for Efail, because it was months behind, even in April when I first received my Librem.