Erick’s Games


Older Games

Other Blogs




June 2008
« May   Jul »



Debian — troubling signs; can Slackware teach us anything?

June 11, 2008

This article will try to provide a contrast between ‘the Debian way’ and ‘the Slackware way’ when it comes to distribution management. The idea is to really attempt to illuminate people on why Debian, and many other distributions may not be ideal, and why a classic approach such as Slackware still has merit in this world of modern feature-crazy distributions.

I start this article knowing full well that it will offend people, even so, I think this needs to be said.

Now, for some background, I started using Linux sometime in 2000, my first distribution was Mandrake 7.0, and I eventually switched to Slackware 7.1 in order to try and accelerate my learning curve by forcing myself to use a more ‘pure’ environment, this worked fairly well. In the first year, my knowledge of the various modular components and how they fit together grew rapidly. At some point in 2004 I believe, I started using Gentoo on my laptop, and it quickly became one of my favorites. Several months ago, I realized I no longer wanted to spend valuable time waiting for various software packages to compile, I also grew very frustrated with their masking ‘feature’, and decided it would be time to look elsewhere.

And here finally, is the crux (no pun intended) of the story. Out of all the options out there, I figured my best bet would be Debian; after all, if there is one distribution that could be considered a ‘flagship’ of the Linux community, it would have to be Debian. Furthermore I liked the idea that like Gentoo, the base system came in a minimal configuration, and you added packages as you need them. Of course, because of various factors, I didn’t get the chance to do my migration right away, and it ended up being put off for a few months.

Then one day, while googling around for some info on XULRunner, I stumbled upon Mike Hearn‘s blog, where he was discussing Debian’s controversial method of forking software; it is old news, but still important to evaluate I believe. I have to say that this shocked me immensely. Despite not using the distribution yet, and therefore not being a ‘fan’ per se, I held a lot of respect for the project and it’s leaders, for fighting the good fight and standing strong when it came to software freedom. The notion that Debian could do any evil was alien to even a non-user like me. I read on and I found myself agreeing with Mike on pretty much all his points. I googled for more details on this controversy and discovered this which explains some more details about the whole incident. As near as I can see, the Debian maintainers feel that Mozilla’s linking strategy is not ‘unixy’ enough, and have decided to ‘correct’ that by changing the way the software functions on their distribution. This has the potential of breaking compatibility as noted by both Mike and Benjamin. And I would add that this is just a total slap in the face to the hard work of the Mozilla developers. Bottom line is, if you want to get all patch-happy on some piece of software, then change the name; the upstream developers do not deserve to suffer all sorts of support headaches simply because you decided to do your own thing.

The fun doesn’t stop there however. On May 13th, one of the most severe and critical security problems in years was discovered in Debian’s version of OpenSSL, and this problem affects Debian forks as well such as Ubuntu, Mint, DreamLinux (unconfirmed) and MEPIS. All of those are in the top 10 of DistroWatch as I write this (with Ubuntu in 1st place), except for MEPIS which is #12. The issue arose because once again, one of the Debian package maintainers decided to go their own way without including upstream developers in the process. The short of it is that Valgrind, a well known memory debugger, was coming up with “uninitialized data” warnings in code linked to OpenSSL. This apparently is a well known issue, and there have been discussions about why the issue comes up and what to do about it. It is related to the fact that Valgrind and IBM’s Rational Purify usually view “uninitialized data” as a bad thing, when in the case of a random number generator, it is actually necessary.

The Debian ‘patch’ essentially removes the ability for OpenSSL to generate random numbers properly, the result of which causes keys generated with OpenSSL on Debian (and it’s derivatives) to be extremely easy to guess in a short amount of time using an amateurish brute-force attack. Worse yet, this Debian ‘maintainer’ didn’t alert upstream developers to his ‘patch’ and therefore the problem went uncaught for years and has now put many unsuspecting users at risk.

I may not be a developer, but even I can see the absolute stupidity behind the OpenSSL debacle. And it is all because of their absolute refusal to respect the wishes of upstream developers regarding their software. This is nothing new of course; distributions have been doing this sort of bullshit for years. I recall back in the day when Red Hat ended up shipping a CVS version of GCC known as “GCC 2.96″, which broke compilation with many packages, the official stable GCC release at the time was 2.95.3, and this newer 2.96 version was actually a development snapshot for the upcoming 3.x releases. Then there was the whole controversy with various distributions shipping broken copies of MPlayer due to patent fears; SuSE and Debian (yep, them again) were two notable offenders as I recall.

Essentially, for whatever reason, some distributors seem to think that their Linux distribution is a proper place to dump all their dirty hacks and patches, and to completely spit at the hard work that upstream developers put into their stable releases. It is heartbreaking to see the community in this sort of uncooperative state.

Many years ago I read an opinion article titled “Does Slackware still matter?“, I remember being pretty miffed about the whole thing, but at the same time I couldn’t really produce a comeback. Over the years of course I’ve gained more insight into these matters, and I can now definitively say that, YES, it matters perhaps more than any distribution currently out there.

Patrick Volkerding started Slackware back in 1993, and the first release came on July 16th of that year. Originally not intended to be a serious project, it eventually grew, and exists to this day as the longest living Linux distribution ever. The philosophy behind the project very much obeys the “Keep It Simple, Stupid” philosophy, or KISS for short. The idea is that the system should shy away from over-reaching complexity and abstraction layers, and instead keep things clean. In following this philosophy, most of Slackware’s packages are often sparsely modified compared to their upstream counterparts, and given that this is a one-man project, it would be pretty difficult to go around patching everything and then having even more testing to deal with. There are some exceptions I would imagine, perhaps some security issues and so on; also, back when the Gnome environment came standard, Patrick would often have to clean up after the upstream Gnome, and make sure it doesn’t essentially ‘take over’ the system.

I truly believe that the Slackware way of distributing, is the right way, with minimal changes from upstream, and very few abstraction layers for configuration (bash scripts like netconfig are all that come to mind), as well as an easy to work with BSD init script set up, it is easy to see that Slackware does not ‘hide’ the system from you like many others do.

I mean let’s be clear, when you use Gentoo, with it’s bizarre init and config system, you don’t learn Linux so much as you learn ‘Gentoo’, and when you use SUSE, you don’t learn Linux so much as you’re just learning ‘SUSE’, and so on with every distribution. Now of course I may be exaggerating; after all there are more similarities than differences, and truly, experienced Linux users can easily pick up another distro and understand what’s going on. Besides, often many of the ‘default’ usual configuration files will point you in the right direction, like when editing resolv.conf on Gentoo, a note will mention how you have to add your DNS servers in /etc/conf.d/net instead. Even so, it does mean that there are serious challenges in administering many boxes with different distributions.

Of course, the first natural riposte to my article will probably be “are you against freedom of choice or something?”, and the answer to that question is no, I am not. I fully understand that everyone has the freedom to do things their own way, and of course, to the “Windows user” that joins the Linux community through Ubuntu, they probably don’t care whether resolv.conf is edited directly or whether there is some abstraction layer; but to people who want to learn system administration, it can be a pain in the ass to move between distributions if you haven’t learned how the system really works behind all the abstraction. And of course, it is a slippery slope; there are configuration hacks/abstractions, and then there are actual source code patches that change the behavior of the program in question; and we can see that this patch-happy attitude can often have some serious repercussions, like in the Debian OpenSSL case. If anything, I am not suggesting we all become robots and obey one standard ‘method’ of doing things, however I think there needs to be a more conservative attitude when it comes to breaking consistency with upstream. Let us remember that upstream projects develop the applications, and distributions are supposed to distribute.

To conclude and sum this up, when I download a package from a distribution’s repository, I think it is not unreasonable to expect the package to be the same as the one I would download from the upstream maintainer’s website. If it isn’t, then there isn’t really much of a point to pitching the idea of online package repositories as an alternative to traditional methods of software distribution. I think Mike Hearn’s example of a distribution mirror altering a package is a very good example, because in such a scenario, many individuals would be outraged and angry, and yet Linux distributions get away with this kind of thing all the time.

And that is pretty much all I have to say about that.

P.S.: As I said when starting out, I know some folks will be offended by this, and I know how articles and posts like this can easily cause flame wars, I hope there are no hard feelings. Also, it seems that one of the first instincts when reading an article like this is for people to question the author’s competency and so on, I hope you can manage to keep it civilized despite any disagreements you may have with my opinion.

Share and Enjoy:
  • Digg
  • Technorati

23 Responses to “Debian — troubling signs; can Slackware teach us anything?”

  1. 1
    see-achNo Gravatar Says:


  2. 2
    JDNo Gravatar Says:

    I will openly admit that the amount of patching in Debian can be bad (Ubuntu is MUCH worse though), but it’s done for a reason. In Slackware, every “official” package on the DVD’s is nearly ancient because they insist on testing it to death before they include it and it it’s not that well tested, it has to be 3rd party. Hell, it took 4 YEARS for Slackware to finally go to the 2.6.x kernel by default. Now, as for why Debian does this patching, it’s to make things work better within the distro. I run Debian Testing and i just had to mess with the file-roller package cuz i manually installed nautilus 2.22 and there’s a Debian patch which removed nautilus 2.22 context menu support since according to Debian, nautilus 2.22 “isn’t ready yet”. They prolly changed Xulrunner’s linking stuff so it would link better with Debian and the OpenSSL patch/bug basically came from upstream and was signed off on by like 3 OpenSSL devs, so it’s both them and the DD that are incompetent. Also, i’m at least VERY happy about what Debian does…Debian gives you a choice, for example, with desktop environments: KDE is the only choice on the Slackware media these days, they hate GNOME for some unknown reason, Debian on the other hand has GNOME, KDE and XFCE media and it has all of them plus a few others in the repos.

    I would highly suggest going to Debian, sure it’s got it’s flaws, but what distro doesn’t? In my slightly biased opinion (I have used almost every distro including Slack, Gentoo, Suse, Mandrake and many many others, but i am/was a Debian Developer) I think Debian is quite possibly the best linux distro, possibly second to only ArchLinux.

  3. 3
    JeffNo Gravatar Says:

    JD Thanks for being a troll!!!

    You said “In Slackware, every “official” package on the DVD’s is nearly ancient because they insist on testing it to death before they include it and it it’s not that well tested, it has to be 3rd party. Hell, it took 4 YEARS for Slackware to finally go to the 2.6.x kernel by default.”

    Lol get your facts right. Slackware is one of the most up to date distros when it ships a release. The problem with with not switching to 2.6 kernal was that 2.6 at the time was flaky and unstable.

    you also Said “Also, i’m at least VERY happy about what Debian does…Debian gives you a choice, for example, with desktop environments: KDE is the only choice on the Slackware media these days, they hate GNOME for some unknown reason, Debian on the other hand has GNOME, KDE and XFCE media and it has all of them plus a few others in the repos.”

    Slackware does hate Gnome in fact there are 4 or 5 Gnome package sets for Slackware ATM. Its just Gnome is not shipped with Slackware because gnome is a headache when trying to build it into packages its tends to break a lot of stuff and is really buggy by default. KDE is 10x easier to package.

  4. 4
    GeorgeNo Gravatar Says:

    I don’t get it. If all distributions are meant to do is distribute, what difference is there between all of them besides the mode of package management?

    Distributors are developers too, I think, and all the respect necessary is in AUTHORS.

    As someone who doesn’t know much about Linux but switched to it because it was more comfortable to use, I’m glad things aren’t the way you’d like them to be.

  5. 5
    JeffreyNo Gravatar Says:

    “Essentially, for whatever reason, some distributors seem to think that their Linux distribution is a proper place to dump all their dirty hacks and patches, and to completely spit at the hard work that upstream developers put into their stable releases. It is heartbreaking to see the community in this sort of uncooperative state.”

    That’s one side of the story. It’s the side of those upstream developers who follow proprietary development models and don’t really understand how free software is developed as a community effort. (Think of cathedral, not bazaar.)

    Then again, another side of the story is that many Debian patches are intended to make some piece of software work on all the architectures that Debian supports, but which upstream developers don’t always wish to support. (Debian supports more architectures than, for example, Slackware.)

    Also another side of the story is that some Debian patches remove non-free stuff, because upstream developers don’t always care for software freedom like Debian does. (Mozilla apparently doesn’t care.)

    And yet another side of the story is that Debian is probably one of the biggest single submitters of patches and fixes to upstream developers in the GNU/Linux community. The bug reports and patches that Debian keeps submitting to upstream developers improves the quality of software in all distros, including Slackware.

    So, what I want to point out here is that Debian has always been a good team player in the free software community. There are distros that just package upstream software, and then there are distros that improve that software and send the improvements back to upstream developers. Debian belongs to the latter category.

  6. 6
    Casper GielenNo Gravatar Says:

    I actually expect the packages in a distribution to be different from upstream. If it was exactly the same package, why bother with a distribution at all.

    The whole point of a distribution is to adapt software packages to conform to some standard.

    BTW, the SSL bug was a big screw-up, but to be fair, the maintainer did contact upstream to ask for advice, but due to some communication problems this bug was approved.

  7. 7
    JimNo Gravatar Says:

    JD already mentioned ArchLinux. That’s what it kept sounding to me like the original author was looking for.

  8. 8
    MichielNo Gravatar Says:

    “KDE is the only choice on the Slackware media these days”

    Actually this is not true. Slackware 12.1 includes KDE, XFCE, fluxbox, blackbox, fvwm2 and others.

    As pointed out earlier, Gnome was dropped because it was hard to maintain and package and there were already different projects out there that offered gnome for Slackware. Just a simple choice, not “hate”.

  9. 9
    JK WoodNo Gravatar Says:

    It’s interesting that some of the commenters here seem to be of the opinion that Slackware is behind the times. Quite to the contrary, Slackware is very up-to-date. If Pat holds off on a newer version of a piece of software, it’s due to stability, not hidebound dedication to old software. I’ve heard the same criticism applied to Debian (see the Debian page at Uncyclopedia for more on that.)

    @George: If you’re using Slackware, and most probably a few other distributions, then you are indeed using software that has been packaged for that distribution. If software is patched in a way that isn’t present in the upstream code, it’s duly noted in the changelog, and often fixes a major problem. In other distros, notably Debian, Ubuntu, and Red Hat, a package is not only repackaged for that distro, but also patched heavily, often in ways not present in the upstream code. Sometimes, this is to fix major flaws, but more often it fundamentally changes the way the software works. This can be a good or a bad thing, depending on how you look at it, and the specific change in question. The kernel comes to mind.

    @Casper: Yes, but if you’re going to make a huge change to the code, you should note it somehow. For example, change the name of the code, or append a tag to it that shows it’s not vanilla and may not be upgradable to a newer version of the original software. In other words, if you’re going to fork the code, fork the code, and let the user decide!

    @Jeffrey: Again, if you’re going to modify the code that heavily, fork it, don’t pretend like you’ve left the original code alone. Here’s the thing you’re missing in your description of free software: freedom doesn’t mean anarchy. If anyone anywhere can make any change they want to code, as you propose, then what’s to stop one of my less scrupulous classmates from deliberately coding a flaw into OpenSSL, or Mozilla, or even the kernel? Without some form of control, the entire open source community would fall apart. Some form of accountability is needed. Yes, Debian has contributed back to the community: that doesn’t make them saints. All the folks hard at work on Slackware have also contributed back, but you’re not heaping praise on them.

    @OP, whoever you may be: Very articulate post. It brings out a lot of what I’ve been noticing in the past few months, and I’m glad I took the time to read it. If you’re still looking for a distro, Slack 12.1 came out not long ago. We’d be happy to have you rejoin us.

  10. 10
    gus3No Gravatar Says:

    Patrick V. removed GNOME from Slackware for a combination of two reasons:

    1. Dropline and Freerock (now GSB) were already available.

    2. He prefers KDE; the only time he used GNOME was to test it before release.

    A nice side benefit was that it reduced the release versions’ CD set by 1 image, lowering bandwidth and manufacturing costs.

  11. 11
    MickNo Gravatar Says:

    Another vote for Arch, I think you’ll find it pretty close to what you’re looking for. Perhaps not absolutely ideal for mission critical systems, but I’ve not had any major problems on a number of systems, the community is fantastic and its simplicity makes day to day use easy and FUN.

  12. 12
    JurasikNo Gravatar Says:

    Please stop this cannibalism (Debian vs Slackware or the other way around). Focus on the enemy. Windows is in pretty bad shape now with its Vista fiasco. Just collaborate and put them out of their misery.

  13. 13
    machinerNo Gravatar Says:

    The article is the Troll, of course, and I’m feeding it.

    Nevertheless, a distribution is a focused set, or collection, of parts. Each of which needs to be “sized” to fit. People choose Debian because they want Debian. And it’s “sizings”.

    Nobody likes when a distro stumbles, OpenSSL, but aren’t we, the open source community, a little more level-headed than middle-America? Why are we shouting “Do it for the Children!” as they do?

    No – this whole argument is slapping that which we want the most. We gripe, but when it gets down to it – if we really cared, we’d take action instead of sitting at a keyboard bitching.

    As far as “operating systems” go, I’ll take the mods, tweaks, and whatever else my favorite distro does until it hurts me in some way. I am trusting their release because I cannot make it myself. I happily trust Debian, and Slackware, and Arch, and a number of other Linux distributions all day long.

    Go ahead, boys, tweak away. Do it for me because you know I appreciate it. Keep moving, adding, changing, breaking and repairing — and keep finding better ways to do it.

    Without Debian where would we be? Really.

  14. 14
    GuyNo Gravatar Says:

    Slackware may have one maintainer but it offers great freedom of choice as being highly customisable, as shown by the number of derivatives. I have done a Slackware install (with X) in as little as 600MB & built up a great system from there.

  15. 15
    MartinNo Gravatar Says:

    “Again, if you’re going to modify the code that heavily, fork it, don’t pretend like you’ve left the original code alone.”

    No you only fork a project when you want to create a new project which takes on primary development responsibilities. that’s why it’s a fork, you then have to cross pollinate to get fixes from the original project.

    What we’re taking about is distros creating a custom version of a package. These are called _versions_ and they show in the version info. For instance package foo on ubuntu would be foo-1.2.12-ubuntu3 because version 1.2.12 has been patched by ubuntu 3 times to fix problems. Likely that those patches got sent upstream and 1.2.13 will have them (in an ideal world anyway)

    I don’t think that distributions are fooling anyone, least of all their users. And I’d rather protect the freedom to modify without grief than the freedom to protect project purity in all distribution channels. That road gets you to the DMCA and it’s ilk.

  16. 16
    TaklaNo Gravatar Says:

    hmmm…an author who feels his opinion *needs* to be voiced, references to forcing himself towards the pure, misrepresentations (wilful?) of normal distro versioning of packages, offering incomplete and misleading summary re the openssl debacle, inflammatory language aimed at people who don’t subscribe to the author’s position (“proper place to dump all their dirty hacks and patches, and to completely spit at the hard work that upstream developers”), an assertion of exclusive faith “I truly believe that the Slackware way of distributing, is the right way”. This isn’t an essay on free software distribution, it’s an expression of religious intolerance/evangelism transcribed into a modern technical environment.

    I have nothing against Slackware, actually I admire it, imo it’s one of the few major GNU/Linux distributions that really matter, alongside Debian, Red Hat, Gentoo and perhaps Suse. By matter I mean having an individual philosphy or approach, respecting licenses (GPL in particular), develop their own tools, make major contributions to the benefit of the entire free software community, and their health and continued existence affects everyone in the community.

  17. 17
    mongoosecageNo Gravatar Says:

    Maybe he prefers Xfce. Because 1st Desktop Environment is Xfce second is KDE. To be honest I hate KDE. I use to like it back in 2001 when I was really young and knew nothing. But I started using Ubuntu gnome and prefered it over the KDE environment. Now I love Xfce too. I always found KDE very much windows like

  18. 18
    Pig_PenNo Gravatar Says:

    Slackware’s the best!

    you really hit the nail on the head! kudos!

  19. 19
    caeNo Gravatar Says:

    It’s this type of infighting to makes using other OS worthwhile :D

  20. 20
    Daeng BoNo Gravatar Says:

    Regarding making changes to packages:
    I haven’t done Linux from Scratch since about 2001, but even that minimal required several patches to get the system to compile. Lots of vanilla apps won’t compile with the set of libraries and compiler tools that Debian has by default on any particular release.

    Debian also tries to do its own security audits, which are pretty important if you’re using software that’s over twelve months old and the upstream developer has already moved on.

    I’ve been on Linux since 1997 and really like Slack, but I LOVE Debian. The Debian debacle was bad, but it mostly stung so much because that kind of thing rarely happens.

  21. 21
    McNo Gravatar Says:

    I have recently had a big beef with debian, due to thier messing with the code and lieing about it.

    They changed Firefox name to ice weasel, and said ” it was only a logo change because some graphics in firefox was not free”, they also blamed firefox for the need to change the name.

    Yet iceweasel will not work with some of the plugins from mozzillas website.

    Now I’m not a programer, but I believe if it was the same as firefox, then all the plugins would be the same, they should just work.

    Now don’t get me wrong, I’m not against debian changing iceweasel, and they did at least change the name. What my beef is thier lieing to the normal folks such as myself, telling us iceweasel is the same as firefox with just copyrighted logo changes.

  22. 22
    Jim HabeggerNo Gravatar Says:

    Even people with the best intentions will complain and find fault sometimes. In most cases it might be better to just ignore that part, and trust each other to try to do better.

    I found a lot of useful information and ideas here for my purposes. Thanks to everyone who contributed.

  23. 23
    Mackey J. McDonaldNo Gravatar Says:

    Such a usefule blog?COOL !!!!

Leave a Reply