Debian Weekly News - August 17th, 2004

Welcome to this year's 32nd issue of DWN, the weekly newsletter for the Debian community. Of interest to large-scale installations: Hewlett-Packard finally offers 24x7 support for Debian GNU/Linux with HP Extensions. In an article Chris DiBona highlighted the services offered by GNU/Linux vendors and pointed out that their repositories are miles ahead of competing proprietary commercial offerings.

Investigating Sarge Security. Joey Hess looked through every security advisory issued in 2004 and checked to see if the security hole was fixed in sarge as well. Security holes not fixed yet in sarge include those in libpng, libpng3, php4, netkit-telnet-ssl, pavuk, www-sql, lha, log2mail, hsftp, trr19, and slocate. The other 1.5 years worth of security advisories back to the release of woody would probably take several more days to check. Investigation of security advisories from 2003 revealed that security updates for tomcat4 and gtksee are missing in sarge.

Debian-Installer Review. Bruce Byfield reviewed the new debian-installer (d-i). He says "It introduces Debian's strengths right at the start, and it goes a long way toward burying Debian's reputation for being difficult to install." He added, that, by installing only a minimal number of packages, d-i defaults to a noticeably more secure system compared to most commercial distributions. Byfield suggests the new installer ease of use will bring many new users to Debian.

What comes after Sarge? Osamu Aoki wanted to release a new debian-reference package that explains the latest release names. Naturally he was wondering which name testing will become once sarge is released as Debian 3.1. Colin Watson opened the curtain and revealed that the release after sarge will be called etch. Quickly, a discussion arose about using a different name and voting upon the name.

Zero-Day Non-maintainer Uploads. Steve Langasek said that this close to the release of sarge, 3 days can definitely make the difference between a package being ready in time for sarge, and not being ready in time. Moreover, history shows us that 0-day non-maintainer uploads (NMUs) have been very effective at bringing the release-critical (RC) bug count down rapidly. He would therefore like to declare open-season on RC bugs, including 0-day NMUs if appropriate until the release of sarge.

Online Changelog Files. Andrew Pollock was missing a possibility to reach changelog files without actually installing the corresponding packages. Therefore he has created which contained those files. Martin Michlmayr revealed that changelog files already exist on Hence, the new site finally redirects HTTP requests to the files on

Best Practice QA Uploads. Matthew Palmer started to write a QA upload best practices document after working through quality assurance (QA) procedures with one of his new-maintainer applicants. The second version caused some disagreement on the scope of a QA upload, though.

Synchronising Skolelinux with Sarge. Petter Reinholdtsen posted a list of packages that the Skolelinux people should push into Debian in order to get Debian synchronised with Skolelinux. He and Joey Hess are worried that it may already be too late to get new packages into Debian in time for the release of sarge.

Which KDE Version in Sarge? Co-release-manager Steve Langasek complained about a last minute upload of a number of packages from KDE 3.3 to unstable. Since he considers it undesirable to have a mix of different versions and impossible to get all of KDE 3.3 into sarge on schedule for the release, he concluded that KDE in sarge will not be updated from unstable and fixes to KDE related packages should be submitted to testing-proposed-updates. Chris Cheney objected to Steve's assessment, while Ben Burton and René Engelhard concurred. René also noticed that kdelibs-data again caused file conflicts with

Cdrecord on the Way to non-free. Jose Carlos Garcia Sogo noticed that Jörg Schilling has added a non-modification clause to a file within the cdrecord distribution which renders the package non-free since this is in direct conflict with the GNU General Public License.

New LaTeX Project Public License, Version 1.3. Branden Robinson reported that a new version of the LaTeX Project Public License (LPPL) has been published, taking most of debian-legal contributor's comments into account, and the LaTeX project also intends to see OSI Certification. It seems to be compliant with the Debian Free Software Guidelines. Hilmar Preusse added that the teTeX packages in Debian are released under LPPL 1.2.

Freeness of the Qt Public License. Martin Krafft wondered if the new Qt Public License (QPL) is considered DFSG-free, since it is OSI approved and because it was requested to remove libcwd from main. Andrew Suffield asserted that choice-of-venue clauses are decidedly non-free.

Bug Squashing Week. Frank Lichtenheld announced that this entire week has been declared the bug squashing week. He will be around in #debian-bugs on both and over the whole period of time (except for system recreation intervals) trying to keep the party going and appeal to all people to participate on it. He will be also joining the real life bug squashing party at the TU Darmstadt, Germany.

New SPI Officers. John Goerzen announced that Software in the Public Interest, Inc. (SPI) has selected the officers during its annual meeting. They are: President: John Goerzen, Vice President: Benjamin Mako Hill, Treasurer: Jimmy Kaplowitz, and Secretary: David Graham. He also announced the annual report for SPI and encouraged Debian developers to get involved with this organisation.

Security Updates. You know the drill. Please make sure that you update your systems if you have any of these packages installed.

New or Noteworthy Packages. The following packages were added to the unstable Debian archive recently or contain important updates.

Debian Packages introduced last Week. Every day, a different Debian package is featured from the testing distribution. If you know about an obscure package you think others should also know about, send it to Andrew Sweger. Debian package a day introduced the following packages last week.

Orphaned Packages. 5 packages were orphaned this week and require a new maintainer. This makes a total of 168 orphaned packages. Many thanks to the previous maintainers who contributed to the Free Software community. Please see the WNPP pages for the full list, and please add a note to the bug report and retitle it to ITA: if you plan to take over a package.

Want to continue reading DWN? Please help us create this newsletter. We still need more volunteer writers who watch the Debian community and report about what is going on. Please see the contributing page to find out how to help. We're looking forward to receiving your mail at

To receive this newsletter weekly in your mailbox, subscribe to the debian-news mailing list.

Back issues of this newsletter are available.

This issue of Debian Weekly News was edited by Andre Lehovich, Thomas Viehmann and Martin 'Joey' Schulze.