Ubuntu has a Problem.
This is the rant I've been meaning to write for a while. What follows will be a lot of very angry random words chucked together. (Ok, so maybe not so random.) Now, don't get me wrong, I love Ubuntu. I have long since replaced Windows with it, and I was amazed at the time at how long it took me to switch to it from Windows XP totally. (3 hours, including install)
However, Ubuntu is not dreamy.
As part of my job (I work for Encryptec), we do a lot of server work, having to maintain our servers, as well as maintaining desktop machines. So, sometime last year, I created a pgp key, signed the Ubuntu code of conduct, and began basic triage work.
Some stats: I'm involved in (commenting on, or triaging) 52 open (not invalid) bugs. Of those, I'm actively triaging 3, and I've got two reported bugs open.
Out of those 52, I have confirmed 16 (excluding closed ones.)
I stopped triaging bugs to the same extent I did about 5 months ago or so. Reason? I have 16 confirmed bugs that are just sitting there. I'm not in the QA-team (I never thought I'd triaged enough), and I am not a programmer to the extent that I could fix them. (If I went through the how-to's, and put my mind to it, I could fix some of the more basic bugs, as evidenced by my pushing an update to firehol through the SRU process. [For those of you who don't know what an SRU is, it's a "Stable Release Upgrade", or basically a patch loaded into the -update repositories.])
Firehol
Let's take the firehol problem, bug #78017 in Launchpad. It took me starting an SRU process to get anyone to actually assign it an importance, with a bug that effectively turned firehol INTO A PIECE OF USELESS JUNK!
In case you don't know what firehol is, this is Ubuntu's package description about it:
An easy to use but powerful iptables stateful firewall
Generates generic firewalls with an extremely simple but powerful
configuration language, enabling you to design any kind of local
or routing stateful packet filtering firewall with ease.
#78017 basically locked down firehol, no traffic in, no traffic out. This bug made us lose ssh connection to remote servers & desktop computers we were upgrading. It was first reported January 4th, 2007. Confirmed by another reporter on the 5th. But no triager saw it, even though it was confirmed on the 5th. 'What about the maintainer of firehol' you say?
Trust me, it's very scary to have an ssh session die on you in the middle of a dist-upgrade.
The closest thing to a maintainer of firehol would be me, after I added myself as a bug contact as part of the SRU process.
We were told that it had been fixed upstream on July 31st 2007. And, for the first time ever, we got a MOTU's attention, when someone put together a debdiff patch.
On 16th of October 2007, I said that we needed to put firehol through SRU. But, I didn't know how. On the 9th of November 2007, I put together another debdiff, and started the SRU process. Mainly because Encryptec said I could do it on work time, whilst I had little else to do.
THE ONLY REASON FIREHOL IS FIXED IN FEISTY & EDGY IS BECAUSE IT WAS SPONSORED!
I wouldn't have had the time it took to go through the (at the time) confusing SRU process, nor track down the one character fix, nor ask for all the help that I did on #ubuntu-bugsquad. I'm grateful to "pochu" to this day for the help he gave me.
I re-built the debdiff patches on the 16th of November, as requested by the motu-sru devs who looked at it. A few steps later, and the bug was fixed on the 27th of December 2007. Through paid work time.
Why did it take so long for a dev to look at, even though I'd posted on the bugsquad list asking for help?
Xen
We've recently moved all our servers to be Xen instances, running on top of the server hardware as virtual servers. It makes management easier. At least, it should, if Xen on Gutsy was stable. See all the tweaks we require to make Xen work. And then, you should also really re-compile your kernel, as the Ubuntu guys have applied the Xen patches to the latest kernel version. Xen is still on version 2.6.18, and their software is designed to WORK with that kernel!
Using a different kernel than the one the xen developers are using is a really, really dumb idea, because XEN IS KERNEL BASED! It is patched into the kernel, (hence needing a special kernel, if you're going to run Xen) which gives massive performance benefits over VMware, or other virtualisation software.
Whilst we're talking about Xen, take a look at bug #184412. Basically, Ubuntu is using the file image loader "file" instead of "tap:aio". Why is that a problem?
The Xen guys stopped working on "file" a long time ago. It's quite old, and has performance, among other, issues. What does this result in? Kernel Oopses. Fun Fun...
How to ignore a security bug
My boss found a security problem in the way Ubuntu used LTSP in Ubuntu. We've given this plenty of time to be fixed and SRU'ed, but since it has only been fixed in Gutsy, and not feisty or edgy, I'm going to say this in the open.
By default on Edgy & Feisty the ltspfs daemon is started with a "-a", which turns off Magic Cookie authentication.
Why is that important?
In this mode, ltspfs works fine: you can see and mount USB and CDROMs on the thin client without any problem.
Trouble is, so can anyone else on the server.
What does that mean?
Put in a USB key, and wave goodbye to your files once somebody clever knows about this bug.
Now, I can understand that this is probably going to be a pain in the neck to fix, but that does not excuse the fact that it has not been, for 5 months. (This bug is listed as a security bug, under LTSP. It's publicly viewable. Anyone with a little bit of brains, wanting to find a vulnerability could just go look in Launchpad.)
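An added example, not part of the original post: a small audit script for the machine where ltspfsd runs, reporting any ltspfsd process started with the "-a" flag described above. The function names are made up for this example, and it assumes a Linux /proc and that short flags can be bundled getopt-style.

```shell
#!/bin/sh
# Added example: report ltspfsd processes started with -a (authentication off).
# Assumption: short flags may be bundled getopt-style, so "-xa" also counts.

# auth_disabled "<command line>": succeeds if it is ltspfsd run with -a.
auth_disabled() {
    set -f              # split on whitespace only, no globbing
    set -- $1
    set +f
    [ $# -gt 0 ] || return 1
    [ "${1##*/}" = "ltspfsd" ] || return 1   # match by program basename
    shift
    for arg in "$@"; do
        case $arg in
            --*) ;;                 # long option or "--": not -a
            -*a*) return 0 ;;       # -a alone or bundled with other flags
        esac
    done
    return 1
}

# scan_proc [root]: print every offending process; fail if any was found.
scan_proc() {
    root=${1:-/proc}
    hits=0
    for f in "$root"/[0-9]*/cmdline; do
        [ -r "$f" ] || continue
        # argv is NUL-separated in /proc; skip processes that just exited
        cmd=$(tr '\0' ' ' 2>/dev/null < "$f") || continue
        if auth_disabled "$cmd"; then
            pid=${f%/cmdline}
            echo "pid ${pid##*/} has authentication disabled: $cmd"
            hits=$((hits + 1))
        fi
    done
    [ "$hits" -eq 0 ]
}

scan_proc /proc || echo "ltspfsd is running with -a; restart it without that flag"
```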
Conclusion - So what IS wrong in Ubuntu?
Bug triage. Ubuntu needs more triagers, with access to change the priority of bugs. Possibly even a couple of guys just to run around checking the work of people who are just starting to triage, without that access, applying priorities as needed, and keeping an eye on those who might not be doing a good job. (I certainly know that a couple of the bugs I worked on were useless.)
Ubuntu needs more developers, who take an active interest in looking after server problems, as well as the more visible desktop problems. Firehol, Xen, and LTSP are all CLI-based applications, running on Ubuntu Server. They also need developers who look at bugs, all day long, and FIX THEM. It's all well and good the bug being triaged, but it also needs fixing.
Why don't I try to become an MOTU/QA triager? Because currently, I don't have the free time. I would if I did, but other things eat my time. Like, car trouble. And RPGs that I help run for fun. The fact I'm just a basic trainee Web-Dev programmer comes into it as well. (I know HTML, CSS, basic Python [mainly the plone implementation], a little bit of PHP and MySQL. I'm *sure* that knowledge can be used to fix bugs...)
Now, this rant does not mean I don't like what Ubuntu is doing with the devs that they do have. But, guys, please can you just stop adding more features, and start FIXING BUGS for just one release period. Please! Pretty Please with Pink Sugar Icing and a Pink Feather on top!
Edits:
21/01/08, 1419: Fixed typos x2