I'm puzzled by the policy of Xandros regarding security updates for their Desktop OS, and I'm wondering how this matter is handled by other Linux distros.

Xandros issued the last security update for their Desktop OS v.2.0.1 (a "general security update") nine months ago. Since then Debian, on which Xandros is based, has released 179 security advisories (DSA-535 to DSA-714). This includes the following packages most of which are commonly used system programs (they are part of the default install of Xandros Desktop). The numbers in brackets are the DSA numbers (DSA = Debian Security Advisory).

libpng (*536), kdelibs (539), qt (*542), gtk+ (*549), imlib (*548), imlib2 (*549), xfree86 (561), sox (*565), libpng (*570), iptables (580), gzip (588), openssl (603), xfree86 (*607), htget (*611), imlib (*618), cupsys (*621), zip (*624), imlib2 (*628), exim (*635), glibc (*636), cupsys (*645), xine-lib (*657), kdelibs (*714)

The flagged packages (*) appear to have fairly serious security vulnerabilities, vulnerabilities that according to Debian "may be utilised by an attacker to execute arbitrary code on the victim's machine". In most cases, the DSA states "We recommend that you upgrade your xxxxx package", in a few cases it adds "immediately" (e.g. DSA-607 xfree86 xlibs package).

These packages are part of the base install of practically every Linux distribution. What has been the action of the vendor/developer of your distribution with regard to these vulnerabilities (did they post alerts and fixes?) and what did you as the user decide to do about them?

Can one simply shrug off these alerts as being inconsequential for a desktop machine configured in a standard way (see below), as it seems Xandros has done, or is there cause for concern and action?

Debian has supplied fixes for all of these for the woody distribution. Fixes are also available for many of them for the sid distribution or else, as Debian states, "the problem will be fixed soon". Strangely, for the sarge versions of these packages no patches appear to be available.

I'm running Xandros 2.0.1 as a desktop OS; no servers are enabled. I have a broadband connection to the Internet (computer > NAT router > cable modem > ISP). An iptables firewall (configured with Firestarter 0.92) is installed on my system, with Firestarter's default settings (DHCP, access to all services disabled, ToS filtering and ICMP filtering disabled); the firewall is enabled at bootup.

Should I be concerned about the absence of security updates coming from Xandros?

Thanks for your help.

Robert

Xandros is supposedly a clone of debian stable, potato, and doesn't have as many updates due to that. Also, Xandros doesn't have development tools and many of the apps running that potato does so there isn't much to update. You'll notice the install is quite fast, and there is a reason for that. There ain't much there.

It's more of a comfort OS, where people can be windows weenies without windows. Office, email, AIM/AOL, and other click me stuff that makes gerbils get antsy around you- all to make you feel at home. It's a good OS for recent converts, but going beyond the cloud of http program installs put's you outside of Xandros's support. They only support their programs included on the CD- nothing more.