Debian Weekly News - August 29th, 1999

Welcome to the 33rd issue of Debian Weekly News, a newsletter for the Debian developer community.

Raphaƫl Hertzog wrote that "the sponsor idea has some success so I wrote a CGI script to keep track of people looking for sponsors". Several people chimed in with reports of the success of the sponsor program.

Dale Scheetz posted about the trouble he's having. To build libc, he needs to first build packages ranging from X to perl. This is a good example of how tightly intertwined our source dependencies are, and of how hard it can be to bootstrap a new port. It's unclear how or if these problems will be solved, though having source dependencies available for analysis might help. And it looks like source dependencies are going into policy; there is a consensus on the policy list about how to do it.

Anyone who bought the first printing of "Debian GNU/Linux: Guide to Installation and Usage" got a book with binary CD #2 in the back, instead of CD #1 which is required to install Debian. The publisher is aware of the mistake and is offering free replacement CDs.

CPU Review reviewed Debian, with mixed results: "Debian 2.1r2 appears to be a technically very solid distribution" but "The installation procedure MUST be simplified if the Debian project wants to attract large numbers of new users".

In security news, a new version of epic4 was released, to fix a denial of service vulnerability. Debian's cron package is not vulnerable to the buffer overflow found in Red Hat packages. It is vulnerable, however, to an associated problem, and a fix has been uploaded. Holes have also been discovered in X, proftpd, and other ftp servers this week, and the maintainers are working on the problem, though fixes have not yet been uploaded. Also, Martin Schulze posted a draft Debian Security Policy, which outlines the tasks of the security team and what they can do to quickly get security problems fixed.

Anyone reading debian-devel lately has noticed many Intent To Package announcements from members of the Debian JP project. Among these, there has been a disturbing trend of "-ja" packages being made that are existing packages (like mutt, jed, and slrn), with just a Japanese internationalization patch applied. This trend culminated this week in the ITP of grep-ja, and Wichert Akkerman spoke up against the whole practice. "What I was hoping to see with the integration of Debian-JP is that all the multibyte patches would be *integrated* with Debian, not a senseless forking of lots of packages." And with replies such as this one from Taketoshi Sano, it seems that Debian-JP has gotten the message.

Adam Di Carlo pointed out that this problem with Debian JP packages is just another sort of fork -- and Debian has been accused before by "some rather prominent people in the free software world of having hidden forks in our packages" -- most recently when it turned out we had long ago fixed the cron security hole mentioned above, and the fix had not reached all other distributions (note that cron is not maintained upstream, so it couldn't be simply sent to the author).

And speaking of Debian-JP, as usual a news summary of what's been going on in that project is available, from a web site this time.

7 New packages were added to Debian this week:

We'll close this week with something to think long and hard on. John Goerzen posted a very sobering message: "We have some serious problems. These are critical ones. It seems to me that our organization is breaking down." He went on to list a variety of problems, including release frequency, bugs that aren't being worked on, the inconclusive debates about /usr/share/doc/, etc, and concluded, "Where is all our effort going? Flamewars and power struggles." John's message is very much worth reading and thinking over; although people can refute specific points he made, the tone of his message and his conclusions match what people are feeling right now.

Thanks to Simon Holgate, Randolph Chung, and Katsura S. Yoshio for contributing.

To receive this newsletter weekly in your mailbox, subscribe to the debian-news mailing list.

Back issues of this newsletter are available.

This issue of Debian Weekly News was edited by Joey Hess.