Debian Project News - May 26th, 2008
Welcome to this year's 3rd issue of DPN, the newsletter for the Debian community. Steve McIntyre sent a new Bits from the DPL mail. A serious issue in Debian's OpenSSL package has been fixed recently. Debian is discussing an archive structure for huge packages.
Bits from the Debian Project Leader
Steve McIntyre sent a new release of his Bits from the DPL mail, in which he mentions several interviews he gave recently and continues by informing about personnel changes in core teams. Jonathan McDowell has been added as keyring maintainer and is already working together with James Troup on easier integration of keyring maintenance and our LDAP system, for better cooperation with the Debian System Administrators. He thanks Anthony Towns, who stepped down from most of the teams he was in.
Last but not least he talks about the upcoming Debian Conference in Mar del Plata, Argentina. The organizational efforts are going well, with announcements about papers, talk selection and travel sponsorship soon to be sent out. But as always, the organizers are also still looking for more companies and individuals to sponsor the conference—please contact email@example.com if you want to help.
OpenSSL weakness in Debian affecting many other packages
Luciano Bello discovered that the random number generator in Debian's openssl package is predictable. This is caused by an incorrect Debian-specific change to the openssl package (CVE-2008-0166). As a result, cryptographic key material may be guessable. Affected keys include SSH keys, OpenVPN keys, DNSSEC keys, and key material for use in X.509 certificates, as well as session keys used in SSL/TLS connections. Keys generated with GnuPG or GnuTLS are not affected. However, other systems can be indirectly affected if weak keys are imported into them.
Shortly after Luciano's discovery, fixed packages were created and—due to the seriousness of the problem—a new OpenSSH package was released that automatically regenerates possibly compromised keys and features a blacklist for possibly affected user keys. At the same time, detector software (GPG signature) was written and has been constantly improved since then, and detailed test and upgrade procedures for different software packages have been collected.
We are sorry for any inconvenience caused by this and would like to thank everyone who helped get this issue solved so fast and without any major consequences.
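The blacklist check mentioned above is easy to illustrate. The following Python script is an added example, not the detector software or the OpenSSH package shipped by Debian: it builds authorized_keys-style lines from constructed (deliberately tiny, non-real) RSA parameters, computes the MD5 fingerprint of each key blob, and reports every line whose fingerprint appears in a constructed blacklist. The blacklist format used here (a set of full MD5 fingerprints) is an assumption for illustration; the layout of Debian's real blacklist files is not reproduced.

```python
import base64
import hashlib
import struct
from typing import List, Set, Tuple


def _ssh_string(data: bytes) -> bytes:
    """Encode one length-prefixed string in SSH wire format."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n: int) -> bytes:
    """Encode a non-negative integer as an SSH mpint (big-endian, 0x00 pad if the high bit is set)."""
    if n == 0:
        return _ssh_string(b"")
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def make_rsa_public_line(e: int, n: int, comment: str) -> str:
    """Build an authorized_keys-style 'ssh-rsa <base64 blob> <comment>' line from (e, n)."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode("ascii") + " " + comment


def key_fingerprint(line: str) -> str:
    """Return the MD5 fingerprint (hex, no colons) of the key blob on an authorized_keys line.

    Leading options such as from="..." or no-pty are skipped by looking for the key-type
    token. Options containing whitespace inside quotes are not handled by this simple split.
    """
    parts = line.split()
    for i, tok in enumerate(parts):
        if tok in ("ssh-rsa", "ssh-dss"):
            blob = base64.b64decode(parts[i + 1])
            return hashlib.md5(blob).hexdigest()
    raise ValueError("no ssh-rsa/ssh-dss key found on line")


def scan_authorized_keys(text: str, blacklist: Set[str]) -> List[Tuple[int, str]]:
    """Return (line number, fingerprint) for every key whose fingerprint is blacklisted.

    Blank lines, comments and lines that do not parse are skipped rather than aborting
    the scan, so one damaged entry does not hide weak keys further down the file.
    """
    hits = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            fp = key_fingerprint(line)
        except (ValueError, IndexError):  # binascii.Error is a ValueError subclass
            continue
        if fp in blacklist:
            hits.append((lineno, fp))
    return hits


# Constructed sample keys: toy moduli, NOT real key material and not from any generator.
WEAK_LINE = make_rsa_public_line(65537, 0xC0FFEECAFEF00D123456789ABCDEF0, "weak@example (constructed)")
GOOD_LINE = make_rsa_public_line(65537, 0xDEADBEEF0BADF00DABCDEF0123456789, "good@example (constructed)")

# Constructed authorized_keys content exercising a comment, an options prefix and a damaged line.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed authorized_keys for the example",
    WEAK_LINE,
    'from="10.0.0.0/8",no-pty ' + GOOD_LINE,
    "",
    "ssh-rsa not-base64!!! broken-line",
])

# Constructed blacklist: contains only the fingerprint of the key we treat as weak.
BLACKLIST = {key_fingerprint(WEAK_LINE)}


def demo() -> List[Tuple[int, str]]:
    """Scan the constructed file against the constructed blacklist."""
    return scan_authorized_keys(SAMPLE_AUTHORIZED_KEYS, BLACKLIST)


if __name__ == "__main__":
    for lineno, fp in demo():
        print(f"line {lineno}: blacklisted key fingerprint {fp}")
```

The scan deliberately continues past lines it cannot parse; an audit tool that stops at the first malformed entry would silently leave later weak keys in place.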
Perl 5.10 Transition
Marc Brockschmidt announced the completion of the transition to Perl 5.10 as the default version for the upcoming stable release.
He noted that for this transition over 400 packages were updated in testing, including updates for heimdal, clamav and sendmail/libmilter. The next scheduled, smaller updates are planned for xulrunner, ocaml, ffmpeg, poppler and nautilus.
During his triage of older bugs reported against OpenOffice.org, Lior Kaplan noticed that many users are not aware of backports.org, an unofficial service providing updated packages for users of the stable version of Debian.
In the following discussion several proposals for better integration of that service into Debian were made. Gerfried Fuchs summarized the current state.
Huge Packages in Debian
Members of the Debian Games Team (and other maintainers of generic large data packages) wondered about size limitations of the Debian archive (and its infrastructure) regarding packages. Jörg Jaspert joined the discussion as ftp-master and summarized the possibilities for solving the issues. He favours creating a new archive for large packages (containing architecture-independent data) and, if possible, a change to Debian Policy allowing packages that depend on such data, available only in the new archive, to stay in main.
State of SANE
Since SANE (Scanner Access Now Easy, a framework for accessing scanners) is working on improving its interface, Julien Blache gave an overview on his plans for the SANE packages for the upcoming release. The upcoming release will need to stay on the current interface, but Julien plans to backport some important improvements from the development branch and asks for some
Hints for new Free Software Projects
Francois Marier gave hints on how to choose a license for free software projects. He concludes that using a license incompatible with mainstream licenses like the GNU General Public License is as bad as writing one's own license.
Neil Williams added some more general hints.
Jörg Jaspert proposed to standardize headers added to e-mails by various tools used by Debian.
Enrico Zini gave a small howto on conditional partitioning in debian-installer for unattended installations that preserve some partitions. He had already written a small howto on creating bootable USB keys with simple-cdd.
Since the database used by packages.debian.org covers only supported and upcoming releases, Frank Lichtenheld created archive.debian.net which is capable of searching through archived releases, too. Sadly it has some caveats.
Want to continue reading DPN? Please help us create this newsletter. We still need more volunteer writers who watch the Debian community and report about what is going on. Please see our contribute page to find out how to help. We're looking forward to receiving your mail at
To receive this newsletter bi-weekly in your mailbox, subscribe to the debian-news mailing list.
Back issues of this newsletter are available.
This issue of Debian Project News was edited by Luca Bruno, Meike Reichle and Alexander Schmehl.