Debian Weekly News - December 9th, 2003
Welcome to this year's 49th issue of DWN, the weekly newsletter for the Debian community. Debian servers were not the only target of attackers: one of Gentoo's servers was attacked as well, as was the Free Software Foundation's Savannah system. Wired News explained some of the background and context of LinEx, the Spanish Debian variant.
HP to expand Debian Support. Hewlett-Packard is planning to expand support offerings to customers who run Debian GNU/Linux. According to HP Linux Chief Technology Officer and former Debian Project Leader, Bdale Garbee, "HP Services is working on some projects right now to increase the number and quality of the support offerings that they can provide to customers who want to run Debian." Until now, HP's Debian support has consisted only of limited services on request.
Draft Proposal for new Web Server Policy. Joey Hess prepared a draft proposal for a new web server policy. Joey identified various problems with current policy, many of which come down to a namespace problem. Debian uses the default top-level namespace of the web server for Debian-provided content, which doesn't give admins enough control. The nature of Joey's proposed policy means it could be adopted without requiring immediate changes to everything, but he is first seeking comments.
Recovery Status Update. James Troup sent in an update on the recovery of Debian hosts after the break-ins. Packages can be uploaded again into anonymous upload queues and a new key for automatic signing of Release has been created. Packages won't be compiled for other architectures since the build daemons need to be checked, updated, hardened and re-LDAPed.
Sarge Release Progress. Anthony Towns reported on progress made with the preparation of sarge, but the bug count has been rising fairly consistently. He admits that we're not in a position to offer a roadmap for the release and adds that having critical, grave or serious bugs open for an extended period is simply not acceptable. Implicitly, he asks maintainers to look after their packages and fix the outstanding bugs so we get closer to releasing the system.
Anaconda based CD Images for Sarge. Ian Murdock reported that unofficial sarge-based iso images using the Anaconda installer are offered by Progeny. They included a tool called picax which builds Anaconda-based installation CDs from a Debian repository. However, there are features that are not yet working and it is not recommended for use in a production environment.
Debian Package Signatures. Goswin von Brederlow suggested using and distributing digital signatures along with the binary packages, in addition to the current chain of signed Release file, referenced Packages file and binary packages. Suggestions include signing binary packages and distributing signatures separately. Joey Hess added that the canonical attack would be to re-insert a Debian package with a known security hole but a valid signature.
Debian Enterprise Sub-Project. Anders Salomon started plans to create a new sub-project within Debian. Long term goals include the possible creation of another branch, security updates on this branch, etc. Short term goals include an enterprise kernel, security work and an improved installer.
Debian UserLinux Roadmap. Bruce Perens announced the first pass of a UserLinux white paper. He proposed a non-profit entity in charge of the operating system with surrounding for-profit companies that are in the business of providing service and engineering for the UserLinux distribution. Theodore Ts'o added that it would be important to also support independent software vendors that produce proprietary solutions.
Rebuilding the Distribution. Steve Kemp has been experimenting with producing a hardened Debian derivative. This mostly means compiling things with a stackguard compiler, using format guard, and enforcing policies, etc. Instead of installing the hardened packages on top of Debian stable he would like to create a concurrent distribution and provide CD images as well.
Debian Network Installation. Tim Krieglstein reported on his effort to install a cluster of machines with Debian using PXE, DHCP and a set of hand-made scripts. The first stage boots, partitions the hard disk, runs debootstrap and installs grub. The second stage runs after reboot and installs debconf and other packages.
Debian CDs for WSIS. Mako Hill reported that CDs will be handed out at the World Summit on the Information Society (WSIS). They are based on Morphix and contain GNOME, GNUCash, Gnumeric, OpenOffice.org, Mozilla, The GIMP, Evolution, XMMS, Bluefish and some other stuff.
Debian CD Images updated. Philip Hands announced new CD images that reflect the most recent update (3.0r2). Some packages had to be moved since the images ended up being larger than 650 MB initially. Steve Kemp produced the vast majority of the images.
Debian-Installer Roadmap. Joey Hess announced that the CVS repository on cvs.debian.org is back, but all pserver accounts have been disabled. Later Joey added a timeline in which no string changes should be made after December 21st. On December 28th the second beta test will start.
Security Updates. You know the drill. Please make sure that you update your systems if you have any of these packages installed.
- rsync -- Remote arbitrary code execution.
Want to continue reading DWN? Please help us create this newsletter. We still need more volunteer writers who watch the Debian community and report about what is going on. Please see the contributing page to find out how to help. We're looking forward to receiving your mail at firstname.lastname@example.org.
To receive this newsletter weekly in your mailbox, subscribe to the debian-news mailing list.
Back issues of this newsletter are available.
This issue of Debian Weekly News was edited by Matt Black and Martin 'Joey' Schulze.