Debian Weekly News - August 29th, 2000

Welcome to Debian Weekly News, a newsletter for the Debian community. This has been a relatively quiet week, with only 400 messages posted to debian-devel.

The "testing" distribution, as discussed last week, may not become a reality as soon as was hoped. The holdup is Debian's mirror network. Anthony Towns has found a problem that will make testing, as it is implemented now, consume about 50 MB of bandwidth a day on each Debian mirror. The long term solution to this type of problem is a package pool system. Of course, we've been talking about package pools for years now. To make testing happen soon, we need to come up with a good short-term solution, and so far, no one has done so.

The Debian bug tracking system's web site is partially down. All of the static pages on the site are out of date and are not being updated, due to some issues with the programs that update them. The plan is to convert the remaining static pages into dynamically generated pages. Toward that end, dynamically generated lists of bugs by package maintainer are already available. Dynamically generated pages, and the underlying email-based bug tracking system, continue to work fine -- in fact, the bug tracking system recorded bug #70000 this week.

This week's longest thread concerned the Helix Gnome Debian packages. While the original issue was quickly resolved, several other problems in Helix's packages were discussed, particularly version number issues. The Helix Gnome packages currently use "helix" in their debian revision number, which makes them always appear to be newer than updated packages from Debian itself. Thus, while apt makes it easy to install Helix Gnome, getting rid of it is somewhat harder. It's rumored that future enhancements to apt will solve the version number problem. But the underlying problem seems to be one of communication. Debian derivatives need to be careful to communicate with Debian, and do things the Debian way, to avoid having these kinds of problems blow up in their faces.

Security fixes this week include an updated version of netscape that fixes several security holes including the "Brown Orifice" hole, a fix for a remote root exploit in ntop, a fun URL vulnerability in xchat, and a remote file access problem in eruby.

Meanwhile, SecurityPortal posted an article that is quite critical of Debian's security. "The odd thing is that Debian seems to have gotten the niggly little details right, but there are major issues they haven't addressed." Valid points include the lack of signed .deb's, with a few more examples of how this is indeed a really bad thing, and the lack of a prompt for a lilo password. There are many criticisms in the article though, that are more dubious. They've already corrected their worst mistakes -- see the sidebar. Also, see the slashdot coverage which includes a response from developer Ben Collins.

Debian foils computer theft. Read all about it in this hilarious story in The Register.

Debian finally includes gopher, after all these years. Here are some of the new packages added to Debian this week:

To receive this newsletter weekly in your mailbox, subscribe to the debian-news mailing list.

Back issues of this newsletter are available.

This issue of Debian Weekly News was edited by Joey Hess.