Slackware: This Forum is for the discussion of Slackware Linux.
Yes, 6 weeks is not all that long, but if you take a look at what's been done over the last 8 months or so since 13.37 was released - it's not all that much, and that paints a slightly different picture. However, all this talk about 'current' is a bit of a red herring and there's no direct harm from Pat taking some time out from developing 'current'. What is starting to become an issue though is that the last stable patch was on the 27th of November and people are starting to notice. This, added to the lack of progress with 'current' (which isn't a problem in and of itself), is rightly or wrongly giving the impression that no one is at the helm.
Now, maybe this is not an accurate reflection of what is really going on: Pat has never been all that aggressive about providing updates for security issues that he believes to be lower severity and this might very well just be business as usual, but: we're lagging behind on Mozilla, proftpd has had an unpatched remote code execution vulnerability since early November, there have been OpenSSL, PHP, D-Bus, FreeType and a number of other vulnerabilities announced upstream and addressed by other distros, and none have made it into Slackware stable's patches/ yet. If some people are starting to feel a little uneasy about the situation then it's not all that surprising.
This is all about perception, and what we don't want to happen is for more people to start to think like one of the commenters on that link I posted above:
Quote:
But, I felt the same a few years ago and this was one of the reasons I switched to Debian/Ubuntu - as they do release regular security updates, which made me feel somewhat 'safer'.
Quote:
What is starting to become an issue though is that the last stable patch was on the 27th of November and people are starting to notice. This, added to the lack of progress with 'current' (which isn't a problem in and of itself), is rightly or wrongly giving the impression that no one is at the helm.
I trust Alien Bob. If he says that updates are in the pipe that is good enough for me. I will wait. I suggest that we all take a collective deep breath and chill out a bit.
I guess you're right. While -current is not a problem, lack of patches for the stable release might be a problem for people. Personally, I just use Slackware as a desktop computer (with a local http testing server for my own purposes) so it's not that urgent for me, but I can imagine how uneasy some people who use Slackware in a more serious manner (i.e. production servers, etc.) may feel about it.
There will be countless new patches made in the upcoming weeks/months that everyone is susceptible to right now -- we just don't know it yet. It's likely a false sense of security if one feels "safe" from the most current patches. Sure, it's good to be protected as much as possible but it's only PUBLICLY DOCUMENTED vulnerabilities.
Keep that in mind before you lose too much sleep about security updates. Unfortunately, the security risk is always there.
Quote:
...It's likely a false sense of security if one feels "safe" from the most current patches. Sure, it's good to be protected as much as possible but it's only PUBLICLY DOCUMENTED vulnerabilities...
Hmm, sorry but that deserves a 'wat?'. If there is a publicly disclosed vulnerability, it makes every sense for an admin to feel safer for the system that has been patched than for the system that hasn't been, DUCY?
Slackware never has been nor will ever be a hold-your-hand distribution. As to my systems and vulnerability, I will take care of things as needed. If you feel a vulnerability has been publicly disclosed then why not let us know it? Thus we as users and supporters can help everyone. Here at LQ, we share & help each other all the time. How would this be any different?
Hypothesize all you want! That will not change the fact '-current' is slow for now. NO harm!
As other members have stated: take a deep breath, relax and let us all take a step back to look with anticipation salted with patience & enjoy what we do have.
I don't know of any vulnerability, I'm just saying that people should relax about being a few weeks back on security patches. Because, more than likely, there are (bad?) people who discover vulnerabilities and they may not choose to release them publicly. Just trying to point out that even though you have all the updated "patches" it doesn't mean you are secure. Sure, it helps... but just saying.
It is significantly easier to browse disclosed vulnerabilities and produce malware around it than to discover a 0-day exploit and produce malware before it is discovered. Security isn't a product, it's a process, and by leaving your system unpatched you are more likely to encounter malware. Malware in the wild is rare on Linux in general -- but that doesn't mean you should never update software. The vast majority of exploits in the wild are based on disclosed vulnerabilities, and those that are based on 0-day exploits often get disclosed soon enough as well. Right now none of these are being patched on Slackware.
I don't really care that -current isn't moving, but it is unsettling that stable isn't receiving security updates. Pat has always taken a pretty relaxed approach to security updates, but at least the major ones were covered. At this point in time, that can no longer be said. It's not enough of a worry to me (yet) to move on, but if the situation remains as it is 3 or 6 months from now...then using Slackware may no longer be the responsible choice. At *this* point though, I'm OK with riding it out, as long as Slackware isn't in limbo indefinitely.
While skilled black-hats with an arsenal of exploits for undisclosed vulnerabilities are no doubt out there, they're not likely to take much of an interest in the likes of us. The bigger threat is from script-kiddies running automated exploits for the latest vulnerabilities which they have downloaded, couldn't have written themselves and don't understand, and that is why keeping up with the latest updates is important.
While there is always a danger of being exploited with a zero-day, I suspect the number of systems actually compromised by such is not statistically significant.
I hope that if Pat chose to do something else (which I hope he doesn't, but will understand if he does), the rest of the Slackware team will decide to keep the ball rolling, even if with a different name. The other distros are annoying.
What the heck is the rush? System crashing? Slackware is not the sort of distro that needs constant updating. This frenzy for constant updates is just nuts. If a slack user gets nervous about all the "security flaws" just freaking update that package yourself. If I had my wish, PV would only release once a year with only monthly updates.
Let PV take a breather and/or hang with his family.
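The "just update that package yourself" advice presumes you know which of your installed packages have a newer build sitting in patches/. As an added example, not code from any post in this thread or from Slackware's own pkgtools, here is a small POSIX shell function that compares two package lists and prints the installed packages that differ from what patches/ offers. On a real box the first list would come from `ls /var/log/packages` and the second from the patches/ listing on your mirror (the FILE_LIST or PACKAGES.TXT for your release); both lists here are constructed sample data with made-up version strings, and the function and variable names are this example's own.

```shell
#!/bin/sh
# Slackware package names follow NAME-VERSION-ARCH-BUILD. NAME itself may
# contain hyphens (mozilla-firefox), so the three trailing fields are split
# off from the right rather than splitting on the first '-'.
pkg_name() {
    printf '%s\n' "$1" | sed 's/-[^-]*-[^-]*-[^-]*$//'
}

# lagging_packages INSTALLED PATCHES
#   INSTALLED: newline-separated basenames, e.g. from `ls /var/log/packages`
#   PATCHES:   newline-separated basenames from the patches/ tree
# Prints "name<TAB>installed<TAB>available" for every installed package that
# has an entry in patches/ with a different version/build string. A patches/
# tree only ever carries builds newer than the release, so "different" here
# means "patch not applied"; no version ordering is attempted.
lagging_packages() {
    installed="$1"
    patches="$2"
    printf '%s\n' "$patches" | while IFS= read -r avail; do
        [ -n "$avail" ] || continue
        name=$(pkg_name "$avail")
        printf '%s\n' "$installed" | while IFS= read -r inst; do
            [ -n "$inst" ] || continue
            if [ "$(pkg_name "$inst")" = "$name" ] && [ "$inst" != "$avail" ]; then
                printf '%s\t%s\t%s\n' "$name" "$inst" "$avail"
            fi
        done
    done
}

# Constructed sample data (version strings are invented for illustration).
SAMPLE_INSTALLED='proftpd-1.3.3x-i486-1
openssl-1.0.0x-i486-1
mozilla-firefox-9.0-i486-1
php-5.3.8-i486-1_slack13.37'

# php already matches the patch build; proftpd has no patch at all.
SAMPLE_PATCHES='openssl-1.0.0y-i486-1_slack13.37
mozilla-firefox-9.0.1-i486-1_slack13.37
php-5.3.8-i486-1_slack13.37'

lagging_packages "$SAMPLE_INSTALLED" "$SAMPLE_PATCHES"
```

Run against live data with `lagging_packages "$(ls /var/log/packages)" "$(cat FILE_LIST)"` after fetching the listing; anything it prints is a package you can upgrade with `upgradepkg` without waiting on anyone. It deliberately says nothing about packages that have no entry in patches/ at all (proftpd in the sample), which is exactly the gap the thread is worried about.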