Why no security updates for Linux?


This is a beginner's question.  I've been using Xandros v.2.0.1 for
almost a year, and during that time Xandros has issued only one "general
security update".  That was in July 2004, nine months ago.  Surely,
since that time security vulnerabilities and bugs must have been
discovered in the kernel (v.2.4.22) and/or in the hundreds of pieces of
software that make up the Xandros Standard distribution that would
require patches or fixes.  Yet no word on that from Xandros.

A contributor to this newsgroup recently inquired about the response
time for different Linux distributions to patch packages after an
exploit was made public, noting that Fedora was pretty fast, responding
almost always within the same day, whereas Debian could take an extra
day or two to put out the update.  Xandros is based on Debian.  Why are
there no announcements of security patches by Xandros?

When I raised this question in a Xandros user forum, I got one or two
responses that didn't clarify anything.  One person said that for Debian
security patches are only applied to the stable release, not testing,
which Xandros is based on.  He also said that where a security patch
applies to a relevant desktop application Xandros will release the
patch.  I haven't seen any such specific patches either.

Am I understanding it correctly that Debian will release security
patches for software that's often more than two years old (i.e.
"stable") but none for anything that's more recent?

Would someone be so kind to enlighten me on the issue of security
vulnerabilities of the Linux kernel and of all the open source software
that's layered on top of it (not for servers but for desktop systems)?
Is all of this software bug-free and essentially hacker/cracker-proof?
What are the security upgrade policies of the various distributions?

I gave up on Windows XP eighteen months ago because I got totally fed up
with the never-ending stream of security upgrades (many of them
CRITICAL) that Microsoft had to issue at a rate of one or two a week.
It hasn't gotten any better since that time.  But I must say I find the
comparative quiet on the Linux front a little eerie.  What do I have to
do to keep my Xandros OS secure?

Many thanks for your help.


Re: Why no security updates for Linux?


Strange, there are at least 114 security related updates
concerning RHEL 3.0 this year (2005) in addition to the numerous
security updates 2004. Looks like there's some problem with your
updates or Xandros isn't really serious about security? Never
used this distro.


Michael Heiming (X-PGP-Sig > GPG-Key ID: EDD27B94)
mail: echo zvpunry@urvzvat.qr | perl -pe 'y/a-z/n-za-m/'
#bofh excuse 87: Password is too complex to decrypt

Re: Why no security updates for Linux?

Robert Glueck wrote:


I don't know Xandros either, but you should try to find out what other
Xandros users do. A Google over the groups might help.

I've run Debian testing (Sarge) since about August last year. I've seen
people say that in the run up to release, Sarge is receiving security
updates, and I've seen others say it isn't. If release is indeed
imminent once most of the release-critical bugs are beaten, it would not
make sense to have to instantly create a lot of security fixes,
previously ignored, for the new stable.

I've certainly picked up quite a few updates since August. There was a
megabyte or so today, although it's a few days since I last looked. Most
are not new security bug-fixes, they are the result of the large
bug-fixing effort before release of Sarge to stable. I'm reasonably sure
that when I see a Debian security report on a package I use, I do
usually notice it in my updates. There's no possible doubt that there
have been security fixes since last July.

Have a look at http://www.debian.org/security/ for details of security
issues. Note that Sarge is not running state-of-the-art versions of
software, and that many security updates for e.g. FC3 will not apply to

What I don't know is whether Xandros uses standard Debian packages. I
would have thought so, in which case you can use 'apt-get update'
followed by 'apt-get upgrade' to pick up appropriate updates. Do you
have a file called /etc/apt/sources.list? If so, apt-get should work. Be
prepared for a long download session.

Assuming the apt-get infrastructure is in place, you should replace any
references to 'testing' in sources.list with 'sarge'. That way there
will not be a sudden realignment of target system when Sarge does become
stable, and a new testing is split off and begins to change rapidly.
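The sources.list change suggested in the reply above (replace 'testing' with 'sarge' before running apt-get update / apt-get upgrade), written out as an added shell example; this is not code from the thread or from Debian. It operates on a constructed sample file rather than the real /etc/apt/sources.list, keeps a .bak copy so the edit can be reviewed, and only rewrites the suite field of deb/deb-src lines, so comments, URLs and component names are left alone. The `sarge/updates` suite name for security.debian.org is assumed here.

```shell
# Added example: pin apt source lines from the moving 'testing' alias to the
# named release 'sarge', as the reply recommends, and count what changed.

pin_sources_to_sarge() {
    # $1: path to a sources.list-style file (caller supplies the path).
    file="$1"
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    cp "$file" "$file.bak"   # keep the original for a diff before apt-get upgrade
    # Only deb/deb-src lines are touched, and only their suite field ($3).
    # 'testing' becomes 'sarge'; 'testing/updates' becomes 'sarge/updates'
    # (assumed security.debian.org suite name). Everything else is printed as-is.
    awk '($1 == "deb" || $1 == "deb-src") && ($3 == "testing" || $3 == "testing/updates") {
             sub(/^testing/, "sarge", $3)
         }
         { print }' "$file.bak" > "$file"
}

count_suite() {
    # Print how many deb/deb-src lines in file $1 use exactly the suite $2.
    awk -v suite="$2" '($1 == "deb" || $1 == "deb-src") && $3 == suite { n++ }
                       END { print n + 0 }' "$1"
}

# Constructed sample sources.list (not a real system file).
SAMPLE="$(mktemp)"
cat > "$SAMPLE" <<'EOF'
# constructed sample; a comment mentioning testing must not be rewritten
deb http://ftp.debian.org/debian testing main contrib non-free
deb-src http://ftp.debian.org/debian testing main
deb http://security.debian.org/ testing/updates main
EOF

pin_sources_to_sarge "$SAMPLE"
cat "$SAMPLE"
echo "Review the rewrite with: diff $SAMPLE.bak $SAMPLE"
echo "Then fetch updates with: apt-get update && apt-get upgrade"
```

The awk rewrite rebuilds matched lines with single spaces between fields, so a line that was aligned with tabs will come out with spaces; the meaning apt sees is unchanged. Running the two count_suite calls on the file and its .bak copy is a quick way to confirm that only the suite names moved and nothing else was dropped.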

Re: Why no security updates for Linux?

On Fri, 22 Apr 2005 22:34:39 -0400, Robert Glueck wrote:


Maybe Xandros only issues security updates for the Xandros specific parts
of their distro, and the user is supposed to get the other updates from

Re: Why no security updates for Linux?


I would be inquiring to Xandros. Yes, there should be updates, quite
a pile of them.  However, fumbling around the www.xandros.com site, I
see virtually nothing related to security that's worth a tenth of a
candle. Under the support tag, you can ask about security updates, and
they list just one for all versions. Sorry, but that gives me ZERO
confidence that they have a clue. I would strongly be looking at a
different distribution... ANY other.  Heck, even fedoralegacy.org
gives better support to Red Hat 7.3 right now, a distribution that has
been end-of-life for over 15 months.


I can't answer to Microsoft's service. Were you to subscribe to Bugtraq,
you'd see a few updates every day, but these are being announced by the
dozens of distributors. Linus doesn't release notices of updates for the
kernel, and remotely exploitable problems are comparatively few - local
exploits are more common. However, all of the "stuff" that comes with
a typical distribution is normally separately maintained, so a bug
found in 'shar-utils' is fixed by the maintainer, and then the various
distributors will release their patches. For Debian, I see 18 updates
listed on my Bugtraq spool, while Ubuntu (another Debian clone) has 13.
As noted above, I'd SERIOUSLY be looking at a better distribution, as it
doesn't appear that Xandros is paying attention.

        Old guy

Re: Why no security updates for Linux?



I agree. That is very weird. I use SUSE and I don't think a week goes by
that I don't get a sec update. If there is nothing wrong with your update
process on the machine - I might want to switch distros. That does not
sound right.

# cd /usr/src/
# make buildworld
"Uh God! We are gonna be here all night, aren't we?"
