Ubuntu release and stats, Debian drops CAcert certificates and extends Squeeze support, Tails receives praise in the press, OpenBSD audits OpenSSL library, PC-BSD and Porteus updates



This past week saw the release of Ubuntu and the many community editions which draw from the Ubuntu software repositories. Despite the many controversies which have surrounded Ubuntu over the past few years, it remains a widely-used distribution, both on desktop and server machines. The latest Ubuntu release is a long-term support (LTS) offering, meaning it will receive security updates for the next five years. Community projects will, likewise, enjoy extended support for three to five years. Last week we mentioned our intention to review Ubuntu's main edition along with one community edition and opened the selection of which community distribution would be reviewed to a vote. In total, 70 people e-mailed in votes and nearly half the entries (after duplicate votes by people spamming the system were removed) were for Xubuntu. The Xubuntu project received 34 votes, followed by Lubuntu with 12 and Kubuntu with 11. Six people wrote in support for Ubuntu GNOME. Ubuntu Kylin, Ubuntu Server and Mythbuntu each received one vote. The Zorin OS distribution also received a vote, despite not being an official Ubuntu community edition. As a result of these votes, in the coming weeks we will be featuring reviews of Ubuntu and Xubuntu.



The Ubuntu release day always draws an enormous crowd to this website, but last Thursday was exceptionally busy, breaking many all-time records around here. The main page of DistroWatch received a total of 191,527 visits (an all-time high) of which 63,793 came from unique IP addresses. The Ubuntu page itself got 10,519 visits from unique IP addresses, also an all-time record for an individual distribution page. This was rather surprising considering that the official Ubuntu 14.04 announcement was made unusually late in the day, about 7 hours before midnight GMT (although the Ubuntu page had been updated for 14.04 a lot earlier - at around 04:00 GMT). The overall number of visits on the Ubuntu page on Thursday, Friday and Saturday came to 21,551 page hits from unique IP addresses - also an all-time record. For comparison, the equivalent number for the Ubuntu 13.10 release was only 14,913. Of the official Ubuntu derivatives the second most popular in terms of page views over the three days was Lubuntu (8,383), followed by Ubuntu GNOME (7,748), Xubuntu (6,919), Kubuntu (6,020), Ubuntu Studio (3,686), Ubuntu Kylin (3,641) and Mythbuntu (2,512).



* * * * *

One of the big issues when dealing with security is knowing who to trust. On the Internet it can be difficult to know to whom we are talking. This leads to a form of authentication based on certificates which, hopefully, link people together in an unbroken chain of trust. At the root of these chains are certificate authorities, organizations which act as third parties that help confirm the identity of a certificate holder. Because of their important position in the process of verifying a person's or organization's identity, the security practices of a certificate authority matter a great deal. The Debian distribution recently made the decision to stop supporting certificates signed by CAcert, an organization which offers free certificates and supplies its source code under an open source license. Concerns were raised in a bug report as to whether CAcert maintains proper security practices and Debian has decided to stop distributing its root certificate. The move to drop CAcert's certificate was met with much debate over which certificate authorities should be trusted and why. Daniel Kahn Gillmor, in particular, raised an interesting concern, stating: "Some of these CAs are simply 'too big to fail' right now; CAcert is not, so they're getting called out for their lack of security, whereas we simply can't afford to drop the other CAs because users would complain about not being able to reach their favorite websites. This tension results in further concentration of business among the 'too big to fail' CAs (since they're the only ones who can issue acceptable certs), which ironically results in them being even less accountable to relying parties in the future. This is not a good long-term dynamic."
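Whether a root such as CAcert's is trusted on a Debian system is decided by /etc/ca-certificates.conf, where each line names a file under /usr/share/ca-certificates and a leading "!" deselects it; update-ca-certificates then rebuilds /etc/ssl/certs from that list. The script below, an added example that is not from the article or from Debian, checks and toggles entries in a constructed copy of that file (the cacert.org file name in the sample is a placeholder, not the real package path):

```shell
#!/bin/sh
# Added example: inspect and edit a Debian-style ca-certificates.conf.
# Format (as used by the ca-certificates package): one cert path per line,
# relative to /usr/share/ca-certificates; '#' starts a comment; a leading
# '!' marks the root as deselected, so it is left out of /etc/ssl/certs.

# Constructed sample config; the entry names are illustrative only.
SAMPLE_CONF="${TMPDIR:-/tmp}/ca-certificates.sample.conf"
cat > "$SAMPLE_CONF" <<'EOF'
# This file lists certificates that you wish to use or to ignore.
mozilla/DigiCert_Global_Root_CA.crt
!cacert.org/cacert.org_root.crt
mozilla/Example_Root.crt
EOF

# ca_status CONF ENTRY -> prints "enabled", "disabled" or "absent".
# -F matches the entry literally, -x requires a whole-line match.
ca_status() {
    conf="$1"; entry="$2"
    if grep -qxF -- "$entry" "$conf"; then
        echo enabled
    elif grep -qxF -- "!$entry" "$conf"; then
        echo disabled
    else
        echo absent
    fi
}

# disable_ca CONF ENTRY -> prefix the entry with '!' (no-op if already off).
# Escape '.' so sed treats the path literally; '|' is the sed delimiter so
# the '/' in the path needs no escaping. A temp file keeps this portable
# across sed implementations (no -i).
disable_ca() {
    conf="$1"; entry="$2"
    pat="$(printf '%s\n' "$entry" | sed 's/\./\\./g')"
    sed "s|^$pat\$|!$entry|" "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# On a real system the sequence is: edit /etc/ca-certificates.conf with
# disable_ca, then run `update-ca-certificates` to regenerate /etc/ssl/certs.
ca_status "$SAMPLE_CONF" cacert.org/cacert.org_root.crt
```

Running the last line on the sample prints "disabled", mirroring what a system with CAcert's root deselected would report.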



It has been rumoured for a while, but last week it became official - the current "oldstable" version of Debian GNU/Linux (version 6.0 "Squeeze") will receive extra security support lasting until February 2016. This will effectively make Squeeze a long-term support release, as it will have received a total of five years of security support (instead of the planned three). From the announcement: "This is an advance notice that regular security support for Debian GNU/Linux 6.0 (code name "Squeeze") will be terminated on the 31st of May. However, we're happy to announce that security support for Squeeze is going to be extended until February 2016, i.e. five years after the initial release. This effort is driven by various interested parties / companies which require longer security support. See the "LTS" section of for the initial announcement. The details are currently being sorted out and a more detailed announcement will be made soon."



FreedomBox is a community project which attempts to put together all the pieces a home user would need to easily host their own server. The idea behind FreedomBox is to allow people to create their own infrastructure for hosting web content and Internet-based communication, removing reliance on third-party service providers. One of the goals of FreedomBox is to allow users to gather and assemble all the required FreedomBox components from within an existing Debian installation. That goal has nearly been reached: "Today, the last of the packages currently used by the project to create the system images were accepted into Debian Unstable. It was the freedombox-setup package, which is used to configure the images during build and on the first boot. Now all one needs to get going is the build code from the freedom-maker git repository and packages from Debian. And once the freedombox-setup package enters testing, we can build everything directly from Debian." With this move the project is one step closer to making it easy for home users to install the FreedomBox software on inexpensive consumer hardware.



* * * * *

It is not often we hear of Linux being mentioned in the mainstream media and it is very rare indeed when we hear talk of specialty distributions. It is a pleasant surprise to see the Tails security-oriented distribution being discussed on the Freedom of the Press website. Tails, a Debian-based project that focuses on privacy and security, was applauded for its role in helping journalists work privately and communicate with sources securely. One journalist, Barton Gellman, was quoted praising the Tails distribution, saying: "Privacy and encryption work, but it's too easy to make a mistake that exposes you. Tails puts the essential tools in one place, with a design that makes it hard to screw them up." The article points out the Tails project has limited finances and invites people to donate to Tails in order to help preserve freedom of speech and freedom of the press.



* * * * *

Keeping an operating system and its many packages up to date with security patches can be a daunting and confusing task. In few places are the challenges more apparent than in operating systems such as PC-BSD, where multiple package formats and installation vectors are supported. PC-BSD users often have the base operating system, packages, source ports and PBI bundles all installed at the same time. Luckily, the PC-BSD project is moving forward with a unified upgrade solution which helps users keep all aspects of their system up to date. "Update Center is moving forward, and has received some fine-tuning this week to help bring it into PC-BSD as the one-stop utility for managing updates. We'd like to add a special thanks to the author Yuri for primary design and layout for the update center. Ken will also be working to help smooth out GUI design elements and help with integrating it fully into PC-BSD."



* * * * *

In the wake of the Heartbleed bug, a vulnerability in the OpenSSL cryptography library, developers of the OpenBSD operating system have decided to audit and improve OpenSSL's code. A post on Undeadly reports: "The denizens of lobste.rs (and no doubt you, eagle-eyed reader!) have made note of the ongoing rototilling of the OpenSSL code in OpenBSD, and Joshua Stein has chimed in with a quick breakdown of the action thus far." The post goes on to list aspects of the OpenSSL code which are being examined or changed. FreeBSD developer Poul-Henning Kamp has also weighed in on OpenSSL and has some comments on why security is so difficult: "No one was ever truly in charge of OpenSSL, it just sort of became the default landfill for prototypes of cryptographic inventions, and since it had everything cryptographic under the sun (somewhere, if you could find out how to use it), it also became the default source of cryptographic functionality. I'm sure more than one person has thought 'Nobody ever got fired for using OpenSSL'. And that is why everybody is panicking on the Internet as I write this."



* * * * *

Last week several readers alerted us to the fact that the website of Porteus, an excellent Slackware-based distribution with a choice of several lightweight desktop environments, had gone AWOL (absent without official leave). Although the brief note on the website was alarming, it turned out that the problem was simply the result of a bandwidth limitation. A few days later a post by the website's administrator explained the unfortunate event that made the project (including its repositories) inaccessible: "As some of you have noticed porteus.org went down yesterday. We got plenty of emails and messages from people asking what happened (some were even funny like 'is Porteus dead?'). The answer is: 'we had some troubles but were able to overcome them after some heated discussion. Overall - we are back and stronger.' What actually happened? Here is the whole story: Porteus is a non-profit organization which has not generated any direct income so far. Our funds come only from donations and the DuckDuckGo search engine. Maintaining a distro means expenses - we have to pay for the server, domain and SSL certificate. ... Everything was nice and dandy till Porteus grew in popularity: the 3.0 release almost killed our server. The situation became awkward when Porteus (which is hosted for free) started affecting the clients who pay money to get served."
