Debian Weekly News - January 30th, 2001
Welcome to Debian Weekly News, a newsletter for the Debian community.
Nominations for Debian Project Leader elections began with Ben Collins nominating himself. Wichert Akkerman has indicated he will not seek a third term, so Ben is running unopposed for now. The nomination period should end around February 3rd, then candidates will have three weeks for campaigning and elections should begin on approximately February 24th.
It's a hard time to be a commercial Debian derivative. Corel is selling off their Linux division, and Stormix has apparently filed for bankruptcy and shut down the popular ftp.ca.debian.org server due to bandwidth costs. We wish everyone at Storm the best of luck, and hope they manage to weather this problem. Meanwhile, Progeny seems to be doing well: their latest beta was just released, and they're raffling off a spiffy Crusoe laptop at LinuxWorld and donating the proceeds to Debian.
A new version of Debian policy is out. As always, the changes developers need to keep track of are summarized in the upgrade checklist. Debconf is now blessed by policy, although its use is not required. Also, init scripts should begin to break out configuration information to files in the /etc/default/ directory for easy editing.
Translating Debian is a massive effort, and now there's a website to help translators keep track of what has been done. There are some interesting overall stats there. 54 languages are supported by Debian, to one degree or another (85 thousand messages have been translated to German, but only 3 are translated into Arabic). You can drill down to detailed information about the translation status of your favorite language or package, and find something to work on -- and many people already have. There has recently been a marked increase in the number of translations, especially translations of debconf templates.
A torrent of security fixes has been released in the past two weeks:
- remotely exploitable buffer overflows in bind (a new upstream version was put in stable, which has caused some problems)
- more remotely exploitable buffer overflows in micq, mysql, and tinyproxy
- a remotely exploitable format string hole in wu-ftpd
- locally exploitable buffer overflows in splitvt and jazip
- a bug in the sash package that made /etc/shadow world-readable
- symlink attacks against squid, exmh, and inn2
- a "remote DOS and remote information leak" in php4
- a symlink attack and information leak in apache
- a hole in cron that allowed an attacker to read other people's crontab files
Putting all of Debian under central CVS revision control is the topic of this thread. Many people seem to have misunderstood the original post, which does not propose that all Debian developers be required to start committing changes to CVS rather than uploading packages. Instead, it just proposes that a CVS repository be set up to automatically track new versions of packages as they enter Debian in the traditional way (although much Debian development already takes place in scattered CVS repositories). There has also been concern about the disk space such a CVS repository would require. But if hardware can be found and someone takes the time to set it up, this could be a valuable resource for Debian.
To receive this newsletter weekly in your mailbox, subscribe to the debian-news mailing list.
Back issues of this newsletter are available.
This issue of Debian Weekly News was edited by Joey Hess.