Debian released without security update feature

A configuration mistake in the new Debian Linux distribution has forced a fix less than 24 hours after the software was released.

"New installations [of Debian 3.1 from CD and DVD] will not get security updates by default," said Debian developer Colin Watson in an e-mail warning. Installations from floppy disks or network servers were not affected.

Watson apologised and asked vendors to delay burning CDs or DVDs of Debian 3.1, adding an update would be available shortly. However, Steve Langasek -- another member of the release team -- said on his blog it would probably be a day or two before the updated CD and DVD images were available everywhere.

"Whoops," said Langasek. "Don't go pressing those 10,000 copies of [3.1] just yet."

The good news for those who have already installed the operating system is that fixing the problem is a simple matter of replacing an entry in a configuration file.

Version 3.1 has been long anticipated by the Debian community, as it has been three years since the last major release of the software. This cycle is significantly slower than that followed by competing Linux vendors like Red Hat.

Debian is not the only high-profile software project to be forced to fix a dangerous security flaw shortly after the time of release.

Netscape fixed two critical flaws in the new version of its browser in a similarly short time frame after it was released late last month. Ironically, Netscape marketed the release as being able to provide users with additional security features not found elsewhere.