I've watched with growing dismay as Debian's press officer continued to blog prognostications of doom for the future of Debian security, which have done nothing but whet the press's appetite for a story of impending disaster. I find this kind of blogging to be irresponsible in the extreme; not only does it not help fix the problems, it doesn't even help users make informed decisions because it doesn't contain salient facts.
Here are a few facts to go along with Joey's blog entry "Debian Security still broken":
- Three security advisories had already been issued for sarge on July 1. Binaries for the arm architecture were not included, but most users were covered by the binaries that were made available.
- The arm autobuilder has since caught up with those advisories, so updated advisories will probably be available soon. In addition, three more security advisories were issued for sarge on July 5 that include binaries for all architectures, and two more have been issued so far today.
- Security updates for woody were not being built on ia64 and arm because no buildd was configured to do so. (These are the missing builds Joey blogged about.) Once this issue was identified, it was quickly resolved; in any case, it had no impact on the infrastructure for sarge updates.
- Joey correctly identified in his blog that there was an issue with two packages (one each from woody and sarge) not being picked up for building. Once this issue was identified to the people responsible for the infrastructure, it was quickly resolved.
- There was one last missing sarge build on m68k, for zlib. This was a case of the package going missing after being built; this is something that happens from time to time with the autobuilders; it doesn't point to a (fixable) software failure, the only thing to be done is to re-try the build. This was done, and the advisory was issued today as DSA 740, before the corresponding advisory from Red Hat...
- Lest this be seen as a fluke instead of being representative of Debian's security support going forward, it looks like there are six more advisories in the queue for sarge and about a dozen pending for woody.
- While I agree that there's a need for Debian to expand its security team, following the controversy in June we now have three security team members actively working on security (two full members and a security team secretary), which AIUI is a 50% increase over where we'd been earlier this year.
- And let's not forget Joey Hess's reminder that quantity isn't everything where security is concerned.
I share Joey Schulze's dissatisfaction with the state of security support for this past month, but his blog smacks of bitterness, not of measured objectivity. So here we are, five days after the first security advisories have been published for sarge, and new stories are still appearing in the press reporting that Debian is OMFG broken.
Is there any hope that the press will give the same coverage of the story that Debian's security infrastructure is not broken?