April 26, 2005

Review: Libranet 3.0

Author: Bruce Byfield

The release of Libranet 3.0 continues a tradition that dates back to 1999. Like previous versions, Libranet 3.0 offers one of the easiest approaches to Debian available, providing an easy installation and a wide array of current software. Setup support is available from a small but obliging team, with more general help available from an active discussion forum or an on-line manual written by volunteers. Currently available as a download for $90 for new users and $65 for existing users (with CDs available at the end of May), version 3.0 continues the Libranet tradition of correcting the perceived weaknesses of Debian and making Debian accessible -- but it is not without some flaws.

Advanced users may find this distribution somewhat lax in security. If they are free software supporters, they may also object to the non-free software it includes. Moreover, considering the changes due with the introduction of the new Debian installer in the upcoming Sarge release, they may also wonder how long Libranet's advantages over Debian will exist.

A new installer

Version 3.0 does not depend on earlier releases' highly serviceable text-based installer. Instead, it uses what appears to be a Libranet-branded version of Red Hat's Anaconda. My first thought was that the installer was based on Progeny's Anaconda port, but, according to Libranet, the port was done in-house.

Aside from the small Libranet core, the new installer differs little from most versions of Anaconda, except in the use of the apt-get command to install packages from the CDs. That is to say, the Libranet installer offers a graphical install with a clear set of instructions and accurate hardware detection. In fact, on a laptop install, the Libranet installer correctly detected a PCMCIA Ethernet adapter that most commercial distributions failed to detect. The new installer's main purpose seems to be to make inexperienced users more comfortable.

The automatic installation option creates a swap partition and a root partition with a Reiser filesystem. It also installs just under 2.5GB of programs. For the base system and the Libranet core files, it uses about 2.9GB.

In a custom installation, packages may appear in two categories: a broad general one, such as KDE, and a more specific one that refers either to a single package or to a group of related ones, such as Abiword and its plug-ins. Choosing items in the general categories may install packages you have no use for. The Laptop category, for example, includes utilities intended for half a dozen different manufacturers or models.

In addition, the general categories overlap. Epiphany, for example, is included in both the GNOME and Web Browser categories. As a result, it can be de-selected in one, yet still installed on the system. These double listings exist largely because of the KDE and GNOME general categories, which include not just the cores of each desktop, but many, if not all, of the utilities and programs associated with each.

Functionally, the new installer offers no advantages over Libranet's earlier one, yet neither is it any worse. If the new installer staggers, as it did when attempting to detect a laptop screen, the old one temporarily replaces it until the problem is resolved.

Current software, both free and non-free

A default installation of Libranet includes KDE 3.3 and GNOME 2.8.3. In addition, Libranet installs over half a dozen standalone window managers, such as IceWM, Afterstep, and Blackbox. The developers have done little to differentiate these GUIs cosmetically from their Debian equivalents. The only differences seem to be that KDE, GNOME, and IceWM are branded with Libranet wallpaper, and that the default icons are altered. The icons include launchers for LibranetPPP, both the root and user versions of Libranet's Adminmenu, and a link to the Libranet forum.

Building on a 2.6.11 kernel, Libranet offers an overwhelming array of packages. An automatic installation includes more than a dozen editors. Most, like gedit and Kate, are graphical, as you might expect in a desktop distribution, although Vim and nano are also included. Similarly, a half-dozen Web browsers are installed, including current versions of Mozilla, Epiphany, Firefox, and Opera. Games are even more exhaustively represented, with more than 60 in the default installation and two to three times that number installed if you select the Game package category. All software versions are those currently in Debian testing, which makes them relatively current, if not always cutting-edge.

One of the few unique applications is Adminmenu. Adminmenu, whose license, Libranet tells me, is still undetermined, is Libranet's configuration center. However, in version 3.0, the usefulness of Adminmenu has been pared down considerably because many of its functions are available in the KDE Control Center. In version 3.0, the root user's Adminmenu is useful mainly for package maintenance, setting maintenance scripts in cron, and configuring services. User Adminmenu is even more limited, with tools for modifying details of the user account, monitoring print jobs, and selecting the window manager for what is termed a Libranet session in gdm -- that is, for a login with a pre-selected window manager such as Enlightenment.

Also available is a selection of recent versions of what Debian repositories define as non-free software -- in other words, proprietary applications that can be freely distributed. They include Sun Java, Opera, and Adobe Reader. Many of these non-free applications are installed in the automatic installation. General users may welcome them, but believers in free software would undoubtedly prefer to have them installed only by choice, as some of them were in earlier releases. Some free alternatives are available, such as GNOME Ghostview for Adobe Reader, but the politically minded will have to spend some time mulling over the results of an apt-cache search to have a free system.

Improvements in package installation

Although Libranet supports apt-get from the command line, the root user's version of Adminmenu divides basic functions and repositories into a series of icons: Update Adminmenu, Update Libranet (the equivalent of using the dist-upgrade option with the apt-get command), Libranet security update, and Install from Libranet CDs (the equivalent of the apt-cdrom command). These icons are ideal for those who are interested in keeping their systems up-to-date but who have no interest in understanding the process. Synaptic, a graphical front-end for apt-get, is also available, although marked as "recommended for advanced users only."

Opening /etc/apt/sources.list, the configuration file that defines apt-get repositories, shows that Libranet relies on the Debian testing and security repositories and Libranet's own archives. The reliance on testing is new with this release; earlier Libranet versions depended on Debian stable.

In earlier versions, Libranet compatibility with Debian archives was sometimes problematic. Several versions ago, installing or upgrading either KDE or GNOME from testing resulted in the other one being removed. In the previous version, several people reported that installing GNOME from the Debian archives to Libranet produced irresolvable broken dependencies that made the package system unusable. Perhaps as a result, early in 2004 Libranet announced its update-safe archive, and recommended using it as the main repository for upgrades. Libranet was already maintaining its own archives, but this change alienated several users. Since they basically viewed Libranet as an easy entrance to Debian, to them this limitation -- whatever the legitimacy of its reasons -- felt like an attempt at vendor lock-in.

In version 3.0, Libranet advises equal caution. At the top, the sources.list warns -- somewhat inaccurately -- that "Removing, changing, or re-ordering entries in this file will prevent use of the Libranet archive." Further down, a comment warns that Libranet sources should come first, so that they will be used in preference to other ones.

Happily, the precautions seem unnecessary in version 3.0. Part of the reason may be that version 3.0 relies on Debian testing. Since Debian testing, a.k.a. Sarge, is currently being prepped to become the next version of stable, it contains relatively recent packages. As a result, the gap between Libranet and the latest Debian packages is much narrower than in the past, so the chances for broken dependencies are slimmer. Yet, whatever the case, the problems of earlier versions did not arise for us in testing version 3.0. The cautious may want to remember Libranet's warnings for the future, but, for now, the warnings seem needlessly alarmist. Their main result may be to scare users off from learning more about their systems.

Security pros and cons

Libranet 3.0 has a mixed security record. On one hand, compared to systems installed with the new Debian installer, Libranet is lax about security. The sheer number of packages installed by default in Libranet, let alone by a complete install, ignores a basic principle of security architecture by making it difficult to monitor what is installed or -- more to the point -- how it is installed. The security-conscious might also quibble about the fact that a GUI login for root is enabled by default, and a Libranet system can be shut down by ordinary users, although these points matter less in workstations than in servers.

More importantly, daemons seem to be installed automatically, rather than according to the results of hardware detection. For example, a laptop installation without a wireless card or any selection of wireless software includes waproamd, a daemon useful only for wireless. Similarly, a default desktop installation enabled ppp and pppstats even though no dialup modem was present, as well as rsync, a daemon useful only for a server machine, and a well-known security risk on a home workstation.

On the other hand, in some ways Libranet is more secure by default than many distributions today. It enables a basic firewall by default, and allows only the root user to mount removable drives. Given that Libranet is mainly a desktop distribution, its default configuration can be seen as an effort to balance security and convenience. This balance is hard to achieve, and unlikely to please everyone. Still, often, Libranet's choices lessen security while taking up hard drive space with unwanted or ignored programs. Those who want tighter security will need to spend some time hardening their Libranet systems after installation.
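As a starting point for that hardening, the following added example (not part of the original review and not a Libranet tool) lists which of the daemons named above have start links in a SysV runlevel directory. It assumes the Debian sysv-rc layout of S<NN><name> and K<NN><name> links and that the init script names match the daemon names used in the review; the demo directory and sequence numbers are constructed. A start link means the init script runs at boot, not that the daemon ends up listening.

```shell
#!/bin/sh
# audit_rc_dir DIR NAME...
# Prints "NAME SEQ" for every watched init script with a start (S) link in DIR.
# Returns 0 if none are enabled, 1 if at least one is, 2 if DIR is unusable.
audit_rc_dir() {
    dir=$1
    shift
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    found=0
    for link in "$dir"/S[0-9][0-9]*; do
        # An unmatched glob stays literal; skip it (but keep dangling symlinks).
        [ -e "$link" ] || [ -L "$link" ] || continue
        base=${link##*/}          # e.g. S20rsync
        name=${base#S??}          # rsync
        seq=${base%"$name"}       # S20
        seq=${seq#S}              # 20
        for watched in "$@"; do
            if [ "$name" = "$watched" ]; then
                echo "$name $seq"
                found=1
            fi
        done
    done
    [ "$found" -eq 0 ]
}

# Constructed demo: a fake runlevel directory standing in for /etc/rc2.d.
demo=$(mktemp -d)
for f in S14ppp S20rsync S20waproamd S89cron K20nfs-common; do
    : > "$demo/$f"
done
# K links (stop) and unwatched services such as cron are ignored.
audit_rc_dir "$demo" waproamd ppp pppstats rsync \
    || echo "review the services listed above"
rm -rf "$demo"
```

On a real system, point the function at the default runlevel directory (for example /etc/rc2.d); on Debian systems of this era, `update-rc.d -f <name> remove` deletes the links for a service that is not needed.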

The outlook for the future

Libranet 3.0 is a thoroughly up-to-date distribution, with an extensive list of packages, all configured for ease of use. However, as with any Debian-based distribution, in the end, the question must be: What advantages does it offer over basic Debian?

The answer needs to be heavily qualified. Libranet's new installer is easier to use than the one in Debian stable. Yet at best it is a slight improvement on the new Debian installer, which is readily available for use although not officially released. Similarly, while Libranet's Adminmenu is handy for package administration, it offers only minor advantages over any other GUI for apt-get, or, for that matter, over apt-get from the command line.

Whether other features are advantages depends on your perspective. Libranet's ease of use makes it less secure by default than the forthcoming version of Debian, if less vulnerable than some modern distributions. In the same way, the option to install non-free programs like Sun Java is convenient, but free software supporters may prefer the new Debian installer, which by default omits the contrib and non-free repositories from apt-get's list of sources.

The new release is being welcomed enthusiastically by existing Libranet users on the distribution's forum. For new users, its main attraction is that it is an introduction to Debian with a mid-range price. Yet, given the coming changes to Debian (to say nothing of the appearance over the last few years of other easy-to-use Debian derivatives such as MEPIS), Libranet's niche in the GNU/Linux ecology no longer seems secure. Despite the distribution's present virtues, unless the next version can offer new advantages, Libranet seems likely to be overtaken by Debian the moment that Sarge is officially released.

Bruce Byfield is a freelance course designer and instructor and a technical journalist, and a regular contributor to NewsForge.com and ITManagersJournal.com.