Debian Weekly News - February 13th, 2001

Welcome to Debian Weekly News, a newsletter for the Debian community.

The DPL campaign is heating up. Anand Kumria, Bdale Garbee, and Branden Robinson each joined Ben Collins in announcing that they will run for DPL. The timeline for the elections was pushed back since things got off to a late start. The nomination period ends today, and then campaigning will begin in earnest.

A major change has been made to the new maintainer process. Prospective developers must now get a recommendation from a current Debian developer before they can go through the new maintainer process. It is hoped that this will cut down on the number of applicants who are not serious about becoming developers, and speed up the process for everyone else. In a mail explaining the new requirement, Martin Michlmayr predicts that "for anyone seriously interested in Debian, getting recommended won't be a problem at all -- if he has a package in Debian already, his sponsor can recommend him; if he has done work on a Debian port, the web pages or boot-floppies then he will know Debian developers to recommend him."

Some problems with testing have come to light over the past couple of weeks. A broken version of lilo slipped into testing by accident, and we had another round of the same lilo problems unstable users have endured. Then a new version of console-tools entered testing, but it turned out it had an undeclared dependency on unstable's version of debconf. Many other packages that are broken for one reason or another have been removed from testing until they are fixed. These problems just show that maintenance of testing cannot be entirely automated; it needs some manual attention just like other branches of Debian. Testing is meant to be somewhere in between stable and unstable in up-to-dateness and usability, and it is meeting that goal, though it has required a bit more maintenance effort than we might have expected. But a more worrying problem with testing has also emerged.

Security fixes trickle into testing just as slowly as do any other updated packages from unstable. While stable has security.debian.org to provide timely security fixes, and unstable gets most fixes immediately, security fixes will not enter testing until they have been built on all architectures, and until all their dependencies have also entered testing. Unrelated release critical bugs can keep security fixes out of testing too. So while testing is reasonably current, and not too prone to breakage, security fixes can be delayed for an uncomfortably long time. One fix for this problem would be to add a testing section to security.debian.org, but there has not been any enthusiasm voiced in the thread so far about this option, probably because it would involve a lot more work.

Unstable news. ifconfig was broken yesterday, to the point where machines were unable to get up on the net. A fix will probably be in the archive by the time you read this, and in the meanwhile there is a workaround. A regex memory leak in libc was accidentally introduced yesterday; symptoms include apt eating up all memory. And a large perl reorganization is in the works: new perl packages in Incoming incorporate many package name changes and other changes that will require a recompile of all perl module packages.

Four security updates have came out recently. Openssh has a remote buffer overflow bug which can lead to remote root access. The non-free ssh is also vulnerable to the ssh holes, and as a fixed package is not available, upgrading to openssh is recommended. An omnibus security update for the version of xfree86 in stable was released. It corrects denial of service attacks, numerous buffer overflows, and numerous temporary files problems. man-db has a format string bug that allows local attackers to run code as user 'man'. Several denial of service attacks against proftpd were also fixed.

Experimental and proposed-updates, long two warts on the side of the Debian archive, have moved into the package pool. The new setup should be much cleaner. James Troup explained the details.


To receive this newsletter weekly in your mailbox, subscribe to the debian-news mailing list.

Back issues of this newsletter are available.

This issue of Debian Weekly News was edited by Joey Hess.